@neheb neheb commented Dec 16, 2025

Fixes wrong CPU vulnerability output:

/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation:Vulnerable: Unprivileged eBPF enabled

It's enabled but CONFIG_BPF_UNPRIV_DEFAULT_OFF being unset causes the warning.

This warning happens on ARM32 and ARM64 devices.

Edited with:
find -name "*.config" -exec sed -i 's/# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set/CONFIG_BPF_UNPRIV_DEFAULT_OFF=y/g' '{}' \;

Summary by CodeRabbit

  • Chores
    • Enabled the unprivileged-BPF default-off setting across supported platforms and kernel tracks for a more restrictive, consistent default.
    • Updated build/configuration logic to include the unprivileged-BPF default-off flag when enabling related eBPF/BTF features.
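
A check for the situation this PR addresses, as an added example that is not part of the PR or of the Armbian build code: it classifies each kernel config overlay by how it sets CONFIG_BPF_UNPRIV_DEFAULT_OFF, and interprets the spectre_v2 line together with the `kernel.unprivileged_bpf_disabled` sysctl (0 = allowed, 1 or 2 = disabled). The function names and the sample file names are constructed for illustration; the sysctl is a standard kernel interface that the PR text does not mention.

```shell
#!/bin/sh
# Added example: audit kernel config overlays for the unprivileged-BPF
# default-off option, and interpret the matching runtime interfaces.
OPT=CONFIG_BPF_UNPRIV_DEFAULT_OFF

# Print the state of $OPT in one config file:
#   enabled      -> "$OPT=y"
#   explicit-off -> "# $OPT is not set" or "$OPT=n"
#   unspecified  -> option absent; the overlay inherits the base value,
#                   and the sed in the PR description would not touch it
#   unknown      -> any other value
# If the option appears more than once, the last occurrence is used.
classify_config() (
    last=$(grep -E "^(# )?$OPT[= ]" "$1" | tail -n 1)
    case $last in
        "$OPT=y")                      echo enabled ;;
        "# $OPT is not set"|"$OPT=n")  echo explicit-off ;;
        "")                            echo unspecified ;;
        *)                             echo unknown ;;
    esac
)

# Audit every *.config in directory $1. Prints "<state> <file>" per file
# and returns non-zero if any file explicitly turns the option off.
audit_dir() (
    bad=0
    for f in "$1"/*.config; do
        [ -f "$f" ] || continue
        state=$(classify_config "$f")
        printf '%-12s %s\n' "$state" "${f##*/}"
        if [ "$state" = explicit-off ]; then bad=1; fi
    done
    [ "$bad" -eq 0 ]
)

# Runtime side, for a booted device.
#   $1 = contents of /sys/devices/system/cpu/vulnerabilities/spectre_v2
#   $2 = contents of /proc/sys/kernel/unprivileged_bpf_disabled
# Prints: flagged  (the kernel itself reports unprivileged eBPF as enabled)
#         allowed  (sysctl is 0, unprivileged bpf() calls are permitted)
#         disabled (sysctl is 1 or 2)
#         unknown  (anything else)
runtime_verdict() {
    case $1 in
        *"Unprivileged eBPF enabled"*) echo flagged; return 0 ;;
    esac
    case $2 in
        0)   echo allowed ;;
        1|2) echo disabled ;;
        *)   echo unknown ;;
    esac
}

# Constructed sample overlays (hypothetical names, not the real Armbian files).
make_samples() {
    d=$(mktemp -d) || return 1
    printf 'CONFIG_BPF_SYSCALL=y\nCONFIG_BPF_JIT=y\n%s=y\n' "$OPT" \
        > "$d/linux-a-current.config"
    printf 'CONFIG_BPF_SYSCALL=y\n# %s is not set\n' "$OPT" \
        > "$d/linux-b-edge.config"
    printf 'CONFIG_BPF_SYSCALL=y\nCONFIG_BPF_JIT=y\n' \
        > "$d/linux-c-legacy.config"
    echo "$d"
}

# Demo run on the constructed samples and on the sysfs text quoted in the PR.
samples=$(make_samples)
audit_dir "$samples" || echo "audit: at least one config turns $OPT off"
runtime_verdict "Mitigation:Vulnerable: Unprivileged eBPF enabled" 0
rm -rf "$samples"
```

On a device, pass the real values with `runtime_verdict "$(cat /sys/devices/system/cpu/vulnerabilities/spectre_v2)" "$(cat /proc/sys/kernel/unprivileged_bpf_disabled)"`.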


neheb commented Dec 16, 2025

No idea what

mode change 120000 => 100644 config/kernel/linux-rockchip-rk3588-current.config

is about.

@github-actions github-actions bot added size/medium PR with more then 50 and less then 250 lines and removed size/large PR with 250 lines or more labels Dec 16, 2025
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (4)
config/kernel/linux-sunxi64-edge.config (1)

7-9: CONFIG_BPF_UNPRIV_DEFAULT_OFF=y here cleanly enforces unprivileged BPF default‑off

With CONFIG_BPF_JIT=y already set, adding CONFIG_BPF_UNPRIV_DEFAULT_OFF=y is exactly what’s needed to keep BPF available for privileged users while disabling unprivileged eBPF and matching the PR’s vulnerability‑mitigation goal. Note that this defconfig is auto‑generated, so if future tooling regenerates configs, the corresponding automation should also ensure this option stays enabled. Based on learnings, …

config/kernel/linux-sunxi64-current.config (1)

7-10: CONFIG_BPF_UNPRIV_DEFAULT_OFF addition looks correct

Enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF=y alongside CONFIG_BPF_SYSCALL/CONFIG_BPF_JIT matches the PR goal of disabling unprivileged BPF by default and should clear the spectre_v2 vulnerability message. Just ensure this config came from the normal Armbian kernel-config generation flow so it won’t be lost on the next automated regen.

config/kernel/linux-meson64-edge.config (1)

7-11: Meson64 edge: BPF unprivileged default-off is consistently enabled

Adding CONFIG_BPF_UNPRIV_DEFAULT_OFF=y here is consistent with the rest of the BPF settings and aligns this defconfig with the other families in the PR. As with the other configs, just confirm this was produced via the usual kernel-config tooling so it persists across future automated regenerations.

config/kernel/linux-mvebu64-current.config (1)

9-13: mvebu64 current: unprivileged BPF default-off flag is correctly enabled

Setting CONFIG_BPF_UNPRIV_DEFAULT_OFF=y here cleanly implements the intended security posture for this family, in line with the other defconfigs touched by the PR. Again, worth double-checking that this change is captured by the standard Armbian kernel config generation process so it survives future regen of these files.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between f2dd38e and ab0191d.

📒 Files selected for processing (33)
  • config/kernel/linux-bcm2711-current.config (1 hunks)
  • config/kernel/linux-bcm2711-edge.config (1 hunks)
  • config/kernel/linux-bcm2711-legacy.config (1 hunks)
  • config/kernel/linux-imx6-current.config (1 hunks)
  • config/kernel/linux-imx6-edge.config (1 hunks)
  • config/kernel/linux-imx6-legacy.config (1 hunks)
  • config/kernel/linux-meson64-current.config (1 hunks)
  • config/kernel/linux-meson64-edge.config (1 hunks)
  • config/kernel/linux-mvebu-current.config (1 hunks)
  • config/kernel/linux-mvebu-edge.config (1 hunks)
  • config/kernel/linux-mvebu-legacy.config (1 hunks)
  • config/kernel/linux-mvebu64-current.config (1 hunks)
  • config/kernel/linux-mvebu64-edge.config (1 hunks)
  • config/kernel/linux-mvebu64-legacy.config (1 hunks)
  • config/kernel/linux-odroidxu4-current.config (1 hunks)
  • config/kernel/linux-odroidxu4-edge.config (1 hunks)
  • config/kernel/linux-rk322x-current.config (1 hunks)
  • config/kernel/linux-rk322x-edge.config (1 hunks)
  • config/kernel/linux-rk35xx-vendor.config (1 hunks)
  • config/kernel/linux-rockchip-current.config (1 hunks)
  • config/kernel/linux-rockchip-edge.config (1 hunks)
  • config/kernel/linux-rockchip-rk3588-current.config (0 hunks)
  • config/kernel/linux-rockchip-rk3588-edge.config (1 hunks)
  • config/kernel/linux-rockchip64-current.config (1 hunks)
  • config/kernel/linux-rockchip64-edge.config (1 hunks)
  • config/kernel/linux-sunxi-current.config (1 hunks)
  • config/kernel/linux-sunxi-edge.config (1 hunks)
  • config/kernel/linux-sunxi-legacy.config (1 hunks)
  • config/kernel/linux-sunxi64-current.config (1 hunks)
  • config/kernel/linux-sunxi64-edge.config (1 hunks)
  • config/kernel/linux-sunxi64-legacy.config (1 hunks)
  • config/kernel/linux-thead-legacy.config (1 hunks)
  • config/kernel/linux-virtual-current.config (1 hunks)
💤 Files with no reviewable changes (1)
  • config/kernel/linux-rockchip-rk3588-current.config
🧰 Additional context used
🧠 Learnings (24)
📓 Common learnings
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.
Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub or the PR API to get the complete picture of what files are being added or modified.
Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub API (https://api.github.com/repos/armbian/build/pulls/{pr_number}/files) to get the complete picture of what files are being added or modified, especially for U-Boot patches that will be applied during the build process.
Learnt from: rpardini
Repo: armbian/build PR: 8879
File: config/sources/families/uefi-x86.conf:0-0
Timestamp: 2025-11-06T15:36:04.682Z
Learning: As of PR #8879, the uefi-x86 family in the Armbian build system now includes kernel patches for the first time. The current and edge branches for uefi-x86 are specifically configured for Apple T2-based x86 machines, including T2-specific patches from the linux-t2 project and custom kernel configuration options for Apple hardware drivers.
Learnt from: EvilOlaf
Repo: armbian/build PR: 8968
File: patch/u-boot/u-boot-sunxi/arm64-dts-sun50i-h6-orangepi.dtsi-Rollback-r_rsb-to-r_i2c.patch:36-36
Timestamp: 2025-11-20T18:20:11.985Z
Learning: The rewrite-patches tool (REWRITE_PATCHES=yes) in the Armbian build system can inadvertently introduce semantic changes when the u-boot/kernel git base revision differs from expected state. The tool applies patches, commits them, and re-exports them using git format-patch, which can cause the re-exported patch to reflect the base revision's state rather than preserving the original patch intent. This is particularly problematic for device tree changes like interrupt specifications. The tool currently lacks validation mechanisms to detect such semantic drift, and affected patches must be manually corrected after rewriting.
Learnt from: igorpecovnik
Repo: armbian/build PR: 8849
File: config/boards/radxa-e54c.csc:14-28
Timestamp: 2025-11-02T20:49:56.719Z
Learning: In Armbian board configuration files (config/boards/*.conf, *.csc, etc.), do not use kernel_config_set, kernel_config_set_m, kernel_config_set_y, or custom_kernel_config__* functions to modify kernel configuration. Kernel configuration is associated with LINUXFAMILY/BOARDFAMILY, not individual BOARD. Board-specific kernel modifications cause inconsistency in kernel packages published to the apt repository because boards within a family share the same kernel packages. Kernel configuration changes must be made in the appropriate kernel config file (e.g., config/kernel/linux-*-*.config) or in family configuration files (config/sources/families/*.conf, *.inc) instead.
Learnt from: EvilOlaf
Repo: armbian/build PR: 8328
File: lib/functions/compilation/patch/drivers_network.sh:542-545
Timestamp: 2025-06-24T10:08:40.313Z
Learning: In the Armbian build system, when a PR removes build support for a specific kernel version, version check issues for that removed version become practically irrelevant even if they appear incorrect in isolation. Context about which kernel versions are being deprecated/removed is important for understanding the impact of version-related code changes.
Learnt from: glneo
Repo: armbian/build PR: 8913
File: config/sources/families/include/k3_common.inc:57-60
Timestamp: 2025-11-11T20:56:20.303Z
Learning: In config/sources/families/include/k3_common.inc, the OP-TEE build command at line 59 should be updated in a future PR to explicitly set CROSS_COMPILE64=aarch64-linux-gnu- and CROSS_COMPILE32=arm-linux-gnueabihf- instead of relying on OP-TEE's internal defaults, for better clarity and maintainability. User glneo agreed to address this in a separate PR.
Learnt from: libiunc
Repo: armbian/build PR: 8033
File: config/kernel/linux-starfive2-vendor.config:43-43
Timestamp: 2025-03-31T12:57:13.880Z
Learning: For StarFive2 platform kernel configurations, maintain alignment with vendor-provided configurations rather than modifying security settings like SECCOMP. This ensures hardware compatibility as intended by the manufacturer.
Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:56:33.372Z
Learning: In Armbian kernel configuration, the BTRFS configuration logic preserves existing settings (whether built-in 'y' or module 'm') and only sets BTRFS_FS to module when it was previously disabled or not set, achieving "allow but not require" flexibility while maintaining backward compatibility.
Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T04:13:16.457Z
Learning: Armbian kernel configuration files like linux-filogic-current.config are autogenerated overlays on top of arch defconfig. Comments added manually will be lost during future updates by maintainers, and explicit "CONFIG_OPTION is not set" statements aren't needed for mutually exclusive options since these are overlay configs that only specify changes from the base configuration.
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: The kernel_config_set_m function in lib/functions/compilation/armbian-kernel.sh preserves existing 'y' (built-in) settings and only sets options to 'm' (module) when they are not already built-in, achieving "prefer modules but allow built-ins" behavior.
Learnt from: HackingGate
Repo: armbian/build PR: 8665
File: config/boards/photonicat2.csc:4-4
Timestamp: 2025-10-26T10:41:35.118Z
Learning: In the Armbian build system, rk3576 boards consistently use BOARDFAMILY="rk35xx" for both vendor and edge kernel targets. The rk35xx family configuration sources rockchip64_common.inc, which provides edge and current kernel branch definitions, making these branches available even though they're not defined directly in rk35xx.conf.
Learnt from: rpardini
Repo: armbian/build PR: 8820
File: config/sources/families/include/meson64_common.inc:51-53
Timestamp: 2025-10-26T12:56:29.185Z
Learning: In the Armbian build framework, scripts/config correctly handles kernel configuration option names both with and without the CONFIG_ prefix, so opts_m+=("CONFIG_RTL8822CS") and opts_m+=("RTL8822CS") are both valid and will work correctly.
Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-02T05:46:10.664Z
Learning: In the Armbian build system, the KERNEL_CONFIGURE=yes switch is deprecated. The recommended approach for kernel configuration is now to use the `kernel-config` build command, which provides a more structured way to configure kernel options.
Learnt from: amazingfate
Repo: armbian/build PR: 8619
File: config/sources/families/rockchip.conf:222-230
Timestamp: 2025-09-14T06:32:29.806Z
Learning: In the Armbian build system, the write_uboot_platform() function implementations follow different patterns across Rockchip family files. The newer standard (used in rockchip64_common.inc and rk3506) includes 'status=none' parameter in dd commands, while older implementations (rk3288, rk322x) use an older pattern without this parameter. The rk3506 implementation correctly follows the current Rockchip family standard.
📚 Learning: 2025-03-31T12:57:13.880Z
Learnt from: libiunc
Repo: armbian/build PR: 8033
File: config/kernel/linux-starfive2-vendor.config:43-43
Timestamp: 2025-03-31T12:57:13.880Z
Learning: For StarFive2 platform kernel configurations, maintain alignment with vendor-provided configurations rather than modifying security settings like SECCOMP. This ensures hardware compatibility as intended by the manufacturer.

Applied to files:

  • config/kernel/linux-imx6-edge.config
  • config/kernel/linux-thead-legacy.config
  • config/kernel/linux-sunxi-edge.config
  • config/kernel/linux-mvebu64-edge.config
  • config/kernel/linux-rk35xx-vendor.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-odroidxu4-current.config
  • config/kernel/linux-rockchip64-current.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-rockchip-edge.config
  • config/kernel/linux-virtual-current.config
  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-odroidxu4-edge.config
  • config/kernel/linux-rockchip-rk3588-edge.config
📚 Learning: 2025-11-02T20:49:56.719Z
Learnt from: igorpecovnik
Repo: armbian/build PR: 8849
File: config/boards/radxa-e54c.csc:14-28
Timestamp: 2025-11-02T20:49:56.719Z
Learning: In Armbian board configuration files (config/boards/*.conf, *.csc, etc.), do not use kernel_config_set, kernel_config_set_m, kernel_config_set_y, or custom_kernel_config__* functions to modify kernel configuration. Kernel configuration is associated with LINUXFAMILY/BOARDFAMILY, not individual BOARD. Board-specific kernel modifications cause inconsistency in kernel packages published to the apt repository because boards within a family share the same kernel packages. Kernel configuration changes must be made in the appropriate kernel config file (e.g., config/kernel/linux-*-*.config) or in family configuration files (config/sources/families/*.conf, *.inc) instead.

Applied to files:

  • config/kernel/linux-imx6-edge.config
  • config/kernel/linux-meson64-edge.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-thead-legacy.config
  • config/kernel/linux-sunxi-edge.config
  • config/kernel/linux-mvebu64-edge.config
  • config/kernel/linux-bcm2711-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu-legacy.config
  • config/kernel/linux-imx6-current.config
  • config/kernel/linux-rk35xx-vendor.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-odroidxu4-current.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-rockchip64-current.config
  • config/kernel/linux-bcm2711-edge.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-imx6-legacy.config
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-rockchip-edge.config
  • config/kernel/linux-virtual-current.config
  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-odroidxu4-edge.config
  • config/kernel/linux-sunxi64-legacy.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-rockchip-rk3588-edge.config
📚 Learning: 2025-08-30T04:13:16.457Z
Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T04:13:16.457Z
Learning: Armbian kernel configuration files like linux-filogic-current.config are autogenerated overlays on top of arch defconfig. Comments added manually will be lost during future updates by maintainers, and explicit "CONFIG_OPTION is not set" statements aren't needed for mutually exclusive options since these are overlay configs that only specify changes from the base configuration.

Applied to files:

  • config/kernel/linux-imx6-edge.config
  • config/kernel/linux-meson64-edge.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-thead-legacy.config
  • config/kernel/linux-sunxi-edge.config
  • config/kernel/linux-mvebu64-edge.config
  • config/kernel/linux-bcm2711-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu-legacy.config
  • config/kernel/linux-imx6-current.config
  • config/kernel/linux-rk35xx-vendor.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-odroidxu4-current.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-rockchip64-current.config
  • config/kernel/linux-bcm2711-edge.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-imx6-legacy.config
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-rockchip-edge.config
  • config/kernel/linux-virtual-current.config
  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-odroidxu4-edge.config
  • config/kernel/linux-sunxi64-legacy.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-rockchip-rk3588-edge.config
📚 Learning: 2025-09-27T21:47:58.020Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-bcm2711-edge.config:859-861
Timestamp: 2025-09-27T21:47:58.020Z
Learning: In the Armbian build system, kernel configuration files in config/kernel/ are generated through an automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

  • config/kernel/linux-imx6-edge.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-mvebu64-edge.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu-legacy.config
  • config/kernel/linux-imx6-current.config
  • config/kernel/linux-rk35xx-vendor.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-odroidxu4-current.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-rockchip64-current.config
  • config/kernel/linux-bcm2711-edge.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-rockchip-edge.config
  • config/kernel/linux-virtual-current.config
  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-sunxi64-legacy.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-sunxi-legacy.config
📚 Learning: 2025-09-27T21:49:55.796Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sm8250-current.config:78-80
Timestamp: 2025-09-27T21:49:55.796Z
Learning: In the Armbian build system, kernel configuration files are generated through an automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

  • config/kernel/linux-imx6-edge.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu-legacy.config
  • config/kernel/linux-rk35xx-vendor.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-bcm2711-edge.config
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-rockchip-edge.config
  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-sunxi64-legacy.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-sunxi-legacy.config
📚 Learning: 2025-09-27T21:50:04.845Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sm8250-edge.config:80-82
Timestamp: 2025-09-27T21:50:04.845Z
Learning: In the Armbian build system, kernel configuration files are generated through this automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

  • config/kernel/linux-imx6-edge.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-imx6-current.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-bcm2711-edge.config
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-rockchip-edge.config
  • config/kernel/linux-virtual-current.config
  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-sunxi64-edge.config
📚 Learning: 2025-08-02T05:46:10.664Z
Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-02T05:46:10.664Z
Learning: In the Armbian build system, the KERNEL_CONFIGURE=yes switch is deprecated. The recommended approach for kernel configuration is now to use the `kernel-config` build command, which provides a more structured way to configure kernel options.

Applied to files:

  • config/kernel/linux-imx6-edge.config
  • config/kernel/linux-odroidxu4-edge.config
📚 Learning: 2025-09-25T18:37:00.330Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.

Applied to files:

  • config/kernel/linux-imx6-edge.config
  • config/kernel/linux-meson64-edge.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-thead-legacy.config
  • config/kernel/linux-sunxi-edge.config
  • config/kernel/linux-mvebu64-edge.config
  • config/kernel/linux-bcm2711-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu-legacy.config
  • config/kernel/linux-imx6-current.config
  • config/kernel/linux-rk35xx-vendor.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-odroidxu4-current.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-rockchip64-current.config
  • config/kernel/linux-bcm2711-edge.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-imx6-legacy.config
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-rockchip-edge.config
  • config/kernel/linux-virtual-current.config
  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-odroidxu4-edge.config
  • config/kernel/linux-sunxi64-legacy.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-rockchip-rk3588-edge.config
📚 Learning: 2025-09-27T21:50:15.915Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sunxi64-current.config:94-94
Timestamp: 2025-09-27T21:50:15.915Z
Learning: When kernel config files are generated through Armbian's automated process (previous config → armbian-kernel.sh changes → make oldconfig → Armbian machinery processing), manual config file edits are not appropriate since they would be overwritten. Deprecated option handling should be implemented in the automated tooling instead.

Applied to files:

  • config/kernel/linux-imx6-edge.config
  • config/kernel/linux-meson64-edge.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-sunxi-edge.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-rk35xx-vendor.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-odroidxu4-current.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-bcm2711-edge.config
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-rockchip-edge.config
  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-odroidxu4-edge.config
  • config/kernel/linux-sunxi64-legacy.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-sunxi-legacy.config
📚 Learning: 2025-10-22T07:56:19.424Z
Learnt from: igorpecovnik
Repo: armbian/build PR: 8789
File: config/kernel/linux-sunxi64-edge.config:839-839
Timestamp: 2025-10-22T07:56:19.424Z
Learning: In Linux kernel configuration, some `=y` (builtin) options are infrastructure or feature flags that enable subsystems or features for modular drivers, rather than directly compiling code into the kernel. For example, in Armbian wireless configs, options like CONFIG_SPARD_WLAN_SUPPORT=y, CONFIG_SC23XX=y, CONFIG_WCN_BSP_DRIVER_BUILDIN=y, CONFIG_UNISOC_WIFI_PS=y are module infrastructure/feature enablers, while the actual drivers (CONFIG_WLAN_UWE5621=m, CONFIG_WLAN_UWE5622=m) remain as loadable modules. These infrastructure options don't cause kernel bloat.

Applied to files:

  • config/kernel/linux-imx6-edge.config
  • config/kernel/linux-meson64-edge.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-thead-legacy.config
  • config/kernel/linux-sunxi-edge.config
  • config/kernel/linux-mvebu64-edge.config
  • config/kernel/linux-bcm2711-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu-legacy.config
  • config/kernel/linux-imx6-current.config
  • config/kernel/linux-rk35xx-vendor.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-rockchip64-current.config
  • config/kernel/linux-bcm2711-edge.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-imx6-legacy.config
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-rockchip-edge.config
  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-sunxi64-legacy.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-sunxi-legacy.config
📚 Learning: 2025-08-30T06:56:33.372Z
Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:56:33.372Z
Learning: In Armbian kernel configuration, the BTRFS configuration logic preserves existing settings (whether built-in 'y' or module 'm') and only sets BTRFS_FS to module when it was previously disabled or not set, achieving "allow but not require" flexibility while maintaining backward compatibility.

Applied to files:

  • config/kernel/linux-imx6-edge.config
  • config/kernel/linux-meson64-edge.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-thead-legacy.config
  • config/kernel/linux-sunxi-edge.config
  • config/kernel/linux-mvebu64-edge.config
  • config/kernel/linux-bcm2711-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu-legacy.config
  • config/kernel/linux-imx6-current.config
  • config/kernel/linux-rk35xx-vendor.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-odroidxu4-current.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-rockchip64-current.config
  • config/kernel/linux-bcm2711-edge.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-imx6-legacy.config
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-virtual-current.config
  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-odroidxu4-edge.config
  • config/kernel/linux-sunxi64-legacy.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-rockchip-rk3588-edge.config
📚 Learning: 2025-09-22T21:52:01.225Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: The kernel_config_set_m function in lib/functions/compilation/armbian-kernel.sh preserves existing 'y' (built-in) settings and only sets options to 'm' (module) when they are not already built-in, achieving "prefer modules but allow built-ins" behavior.

Applied to files:

  • config/kernel/linux-meson64-edge.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-thead-legacy.config
  • config/kernel/linux-sunxi-edge.config
  • config/kernel/linux-mvebu64-edge.config
  • config/kernel/linux-bcm2711-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu-legacy.config
  • config/kernel/linux-imx6-current.config
  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-odroidxu4-current.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-imx6-legacy.config
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-odroidxu4-edge.config
  • config/kernel/linux-sunxi64-legacy.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-sunxi-legacy.config
📚 Learning: 2025-07-27T15:56:34.414Z
Learnt from: pyavitz
Repo: armbian/build PR: 8421
File: config/kernel/linux-sunxi64-edge.config:438-439
Timestamp: 2025-07-27T15:56:34.414Z
Learning: CONFIG_NET_SCH_DEFAULT is a boolean kernel configuration option (=y or =n) that enables/disables the ability to override the default network queueing discipline at runtime. When set to 'y', it allows setting the actual qdisc name via /proc/sys/net/core/default_qdisc at runtime, not in the kernel config file itself.

Applied to files:

  • config/kernel/linux-meson64-edge.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-thead-legacy.config
  • config/kernel/linux-sunxi-edge.config
  • config/kernel/linux-mvebu64-edge.config
  • config/kernel/linux-bcm2711-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-rk35xx-vendor.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-rockchip64-current.config
  • config/kernel/linux-bcm2711-edge.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-sunxi64-legacy.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-sunxi-legacy.config
📚 Learning: 2025-07-19T00:03:42.995Z
Learnt from: lanefu
Repo: armbian/build PR: 8377
File: config/kernel/linux-uefi-arm64-cloud.config:165-170
Timestamp: 2025-07-19T00:03:42.995Z
Learning: CONFIG_NETKIT was introduced in Linux kernel 4.14.330 (November 2023) and enables BPF-programmable network devices that can operate in Layer 3 or Layer 2 mode. It's a valid configuration option in modern kernels including 6.12.

Applied to files:

  • config/kernel/linux-meson64-edge.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-thead-legacy.config
  • config/kernel/linux-sunxi-edge.config
  • config/kernel/linux-mvebu64-edge.config
  • config/kernel/linux-bcm2711-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu-legacy.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-rockchip64-current.config
  • config/kernel/linux-bcm2711-edge.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-imx6-legacy.config
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-virtual-current.config
  • config/kernel/linux-sunxi64-legacy.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-rockchip-rk3588-edge.config
📚 Learning: 2025-07-15T21:09:23.252Z
Learnt from: pyavitz
Repo: armbian/build PR: 8383
File: config/kernel/linux-sunxi64-edge.config:57-64
Timestamp: 2025-07-15T21:09:23.252Z
Learning: In Linux kernel configuration, when CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y is set, the ondemand governor is implicitly enabled by default, making the explicit CONFIG_CPU_FREQ_GOV_ONDEMAND=y line redundant. The make menuconfig tool automatically removes such redundant lines. This behavior applies to CPU frequency governor configurations in general - setting a default governor automatically enables that governor.

Applied to files:

  • config/kernel/linux-sunxi-edge.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-sunxi-legacy.config
📚 Learning: 2025-08-11T22:00:13.411Z
Learnt from: rafayahmed317
Repo: armbian/build PR: 8484
File: config/kernel/linux-rk35xx-vendor.config:904-906
Timestamp: 2025-08-11T22:00:13.411Z
Learning: In the linux-rk35xx-vendor kernel, the LTE driver options (CONFIG_LTE, CONFIG_LTE_RM310, CONFIG_LTE_EM05) are defined as boolean in drivers/net/lte/Kconfig and cannot be built as modules - they must be either built-in (=y) or disabled.

Applied to files:

  • config/kernel/linux-rk35xx-vendor.config
📚 Learning: 2025-11-08T06:39:24.527Z
Learnt from: EvilOlaf
Repo: armbian/build PR: 8886
File: patch/kernel/rk35xx-vendor-6.1/dt/rk3528-nanopi-rev01.dts:9-9
Timestamp: 2025-11-08T06:39:24.527Z
Learning: In Armbian's Rockchip vendor kernel branches (rk35xx-vendor), device tree files may not require the same headers as mainline Linux. For example, input key definitions like KEY_BACK and KEY_VOLUMEUP may be handled differently in BSP kernels and don't necessarily need explicit includes like <dt-bindings/input/input.h> that would be required in mainline kernel device trees.

Applied to files:

  • config/kernel/linux-rk35xx-vendor.config
📚 Learning: 2025-10-11T19:52:54.648Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8746
File: config/kernel/linux-filogic-edge.config:344-470
Timestamp: 2025-10-11T19:52:54.648Z
Learning: The chainsx/linux-filogic kernel (legacy branch) for BPI-R4 uses out-of-tree proprietary drivers (CONFIG_NET_DSA_AN8855, CONFIG_AIROHA_EN8801SC_PHY, CONFIG_AIR_AN8855_PHY, CONFIG_MDIO_AN8855, CONFIG_MFD_AIROHA_AN8855). The frank-w/BPI-Router-Linux kernel (current and edge branches) uses mainline kernel drivers instead: CONFIG_NET_DSA_MT7530 for the DSA switch and CONFIG_MEDIATEK_2P5GE_PHY for PHY support. These provide equivalent functionality for BPI-R4 networking.

Applied to files:

  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-rk322x-current.config
📚 Learning: 2025-09-14T06:32:29.806Z
Learnt from: amazingfate
Repo: armbian/build PR: 8619
File: config/sources/families/rockchip.conf:222-230
Timestamp: 2025-09-14T06:32:29.806Z
Learning: In the Armbian build system, the write_uboot_platform() function implementations follow different patterns across Rockchip family files. The newer standard (used in rockchip64_common.inc and rk3506) includes 'status=none' parameter in dd commands, while older implementations (rk3288, rk322x) use an older pattern without this parameter. The rk3506 implementation correctly follows the current Rockchip family standard.

Applied to files:

  • config/kernel/linux-rockchip64-current.config
📚 Learning: 2025-10-26T12:56:29.185Z
Learnt from: rpardini
Repo: armbian/build PR: 8820
File: config/sources/families/include/meson64_common.inc:51-53
Timestamp: 2025-10-26T12:56:29.185Z
Learning: In the Armbian build framework, scripts/config correctly handles kernel configuration option names both with and without the CONFIG_ prefix, so opts_m+=("CONFIG_RTL8822CS") and opts_m+=("RTL8822CS") are both valid and will work correctly.

Applied to files:

  • config/kernel/linux-rk322x-current.config
📚 Learning: 2025-10-26T10:41:35.118Z
Learnt from: HackingGate
Repo: armbian/build PR: 8665
File: config/boards/photonicat2.csc:4-4
Timestamp: 2025-10-26T10:41:35.118Z
Learning: In the Armbian build system, rk3576 boards consistently use BOARDFAMILY="rk35xx" for both vendor and edge kernel targets. The rk35xx family configuration sources rockchip64_common.inc, which provides edge and current kernel branch definitions, making these branches available even though they're not defined directly in rk35xx.conf.

Applied to files:

  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-rockchip-edge.config
📚 Learning: 2025-10-23T19:48:42.980Z
Learnt from: igorpecovnik
Repo: armbian/build PR: 8812
File: config/kernel/linux-sm8250-edge.config:498-501
Timestamp: 2025-10-23T19:48:42.980Z
Learning: For Armbian EDGE kernel configs, CONFIG_ATH12K=m alone is sufficient for PCI-based Wi-Fi 7 devices (e.g., WCN785x/QCN9274). A separate CONFIG_ATH12K_PCI option is not required, as confirmed by maintainer testing.

Applied to files:

  • config/kernel/linux-rockchip64-edge.config
📚 Learning: 2025-09-22T21:52:01.225Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the kernel_config_modifying_hashes array is not universally required for all kernel configuration functions - some functions like armbian_kernel_config__netkit() operate without it, and adding entries with '=m' would be incorrect when the actual result might be '=y' for options already built-in.

Applied to files:

  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-mvebu-edge.config
🔇 Additional comments (28)
config/kernel/linux-mvebu64-legacy.config (1)

10-10: LGTM! Security configuration correctly applied.

Enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF=y properly restricts unprivileged BPF access by default, addressing the vulnerability warning described in the PR objectives. The placement after CONFIG_BPF_SYSCALL and CONFIG_BPF_JIT is correct, and the change aligns with the uniform security hardening being applied across all affected board configurations.

config/kernel/linux-rk35xx-vendor.config (1)

10-10: LGTM! Security configuration correctly applied.

Enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF=y properly restricts unprivileged BPF access by default. The change is consistent with the security hardening being applied uniformly across all board configurations in this PR and correctly addresses the Spectre v2 vulnerability warning mentioned in the PR description.

config/kernel/linux-mvebu-legacy.config (1)

103-103: LGTM! Security hardening applied correctly.

The change to enable CONFIG_BPF_UNPRIV_DEFAULT_OFF is correct and addresses the security concern described in the PR. This prevents unprivileged users from using eBPF by default, which resolves the "Vulnerable: Unprivileged eBPF enabled" warning in the CPU vulnerability output.

config/kernel/linux-rk322x-current.config (1)

104-104: Security improvement approved.

Enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF=y restricts unprivileged users from loading BPF programs by default, which addresses the Spectre v2 vulnerability warning mentioned in the PR description. This is a sound security hardening measure for ARM board configurations.

Note that applications requiring unprivileged BPF access (e.g., certain performance monitoring tools) will now require CAP_BPF or CAP_SYS_ADMIN capabilities. Ensure this aligns with the expected use cases for rk322x platforms.

config/kernel/linux-rockchip64-edge.config (1)

11-11: LGTM! Security improvement.

Enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF hardens the system by disabling unprivileged BPF access by default, which addresses the Spectre v2 vulnerability warning mentioned in the PR description and reduces the attack surface.

config/kernel/linux-rk322x-edge.config (1)

95-107: Enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF here is correct and aligns with the PR’s security goal.

This defconfig already has CONFIG_BPF/CONFIG_BPF_SYSCALL/CONFIG_BPF_JIT enabled; adding CONFIG_BPF_UNPRIV_DEFAULT_OFF=y is the right way to default unprivileged_bpf_disabled to 2, disabling unprivileged bpf() while keeping privileged BPF and admin opt‑in via sysctl available. Behavior change is intentional and consistent with fixing the Spectre v2 vulnerability status output.

You may want to quickly boot a test image from this kernel and confirm that:

  • /sys/devices/system/cpu/vulnerabilities/spectre_v2 no longer reports “Vulnerable: Unprivileged eBPF enabled”, and
  • sysctl kernel.unprivileged_bpf_disabled defaults to 2 and can be set to 0 on demand.
config/kernel/linux-sunxi-legacy.config (1)

8-10: Consistent unprivileged BPF default‑off behavior for sunxi-legacy as well.

Setting CONFIG_BPF_UNPRIV_DEFAULT_OFF=y next to CONFIG_BPF_JIT=y gives this kernel the same “unprivileged BPF disabled by default” behavior as the other defconfigs, which matches the PR objective and should likewise clear the misleading Spectre v2 message. No conflicts with existing BPF options.

Please verify on at least one sunxi-legacy board that:

  • kernel.unprivileged_bpf_disabled defaults to 2, and
  • any workloads relying on unprivileged BPF (e.g., non‑root BPF tooling) are either updated to run with the necessary capabilities or explicitly re‑enable it via sysctl.
config/kernel/linux-sunxi64-legacy.config (1)

9-9: LGTM! Security hardening applied correctly.

Enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF restricts unprivileged BPF access by default, addressing the CPU vulnerability warning mentioned in the PR objectives. This change is consistent with the existing BPF configuration options and improves the security posture.

config/kernel/linux-imx6-edge.config (1)

12-12: LGTM! Security hardening applied correctly.

Enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF restricts unprivileged BPF access by default, mitigating the security concern described in the PR. This change is properly aligned with the existing BPF configuration and enhances system security.

config/kernel/linux-rockchip64-current.config (1)

11-11: LGTM – Security enhancement addressing vulnerability reporting.

Enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF=y correctly restricts unprivileged BPF access by default, which addresses the misleading vulnerability warning and aligns with security hardening best practices. BPF functionality remains available for privileged operations since CONFIG_BPF_SYSCALL and CONFIG_BPF_JIT are still enabled.

Note: This change may affect any existing unprivileged BPF programs on affected systems, though such use cases are uncommon in embedded ARM environments.

config/kernel/linux-rockchip-edge.config (1)

10-10: LGTM – Consistent security enhancement for edge kernel.

The change correctly enables CONFIG_BPF_UNPRIV_DEFAULT_OFF=y for the edge kernel (6.17), maintaining consistency with the current kernel configuration. This restricts unprivileged BPF access while preserving privileged BPF functionality, addressing the vulnerability reporting issue uniformly across kernel versions.

config/kernel/linux-virtual-current.config (1)

90-103: BPF_UNPRIV_DEFAULT_OFF=y correctly hardens unpriv BPF for this virtual kernel

Enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF=y here cleanly aligns the virtual arm64 kernel with the PR goal: unprivileged bpf() is disabled by default, which in turn removes the Vulnerable: Unprivileged eBPF enabled Spectre v2 status while keeping privileged BPF/JIT functionality intact.

Given that config/kernel/* files are auto-generated overlays, please just ensure this option is preserved in your kernel-config generation workflow (e.g., when bumping or regenerating configs), rather than being accidentally dropped on the next auto-regeneration. Based on learnings, this is where such options are expected to live.

config/kernel/linux-mvebu-edge.config (1)

10-10: CONFIG_BPF_UNPRIV_DEFAULT_OFF=y here correctly enforces unprivileged BPF default‑off

This is consistent with the surrounding BPF settings (JIT and cgroup/netfilter BPF remain enabled) and with the PR’s goal of disabling unprivileged eBPF by default on mvebu edge; no further changes needed in this file.

Please verify a test kernel for an mvebu edge board to confirm /sys/devices/system/cpu/vulnerabilities/spectre_v2 no longer reports “Unprivileged eBPF enabled” and that root-initiated BPF usage still works as expected.

config/kernel/linux-meson64-current.config (1)

10-10: Meson64: unprivileged BPF default‑off is enabled as intended

With CONFIG_BPF_SYSCALL=y and CONFIG_BPF_JIT=y already set, adding CONFIG_BPF_UNPRIV_DEFAULT_OFF=y cleanly disables unprivileged BPF by default while preserving BPF functionality for privileged callers; this matches the PR’s stated mitigation goal.

Recommend building and booting a meson64 current kernel to confirm both the Spectre V2 vulnerability string and basic privileged BPF workflows behave as expected.

config/kernel/linux-sunxi-current.config (1)

9-9: Sunxi: CONFIG_BPF_UNPRIV_DEFAULT_OFF=y aligns with the cross‑family policy

Setting CONFIG_BPF_UNPRIV_DEFAULT_OFF=y next to the existing CONFIG_BPF_JIT=y brings sunxi current in line with the rest of the defconfigs that disable unprivileged BPF by default while keeping BPF available to privileged code.

Please confirm on a sunxi current image that the Spectre V2 vulnerability output no longer reports “Unprivileged eBPF enabled” and that root‑driven BPF use (tc/xdp, cgroup BPF, etc.) continues to function.

config/kernel/linux-mvebu64-edge.config (1)

8-11: BPF unprivileged default‑off is correctly enabled for mvebu64 edge

Here CONFIG_BPF_SYSCALL=y, CONFIG_BPF_JIT=y, and CONFIG_BPF_UNPRIV_DEFAULT_OFF=y form a consistent set: privileged BPF remains available, while unprivileged BPF is disabled by default, which is exactly what this PR targets.

config/kernel/linux-sunxi-edge.config (1)

7-9: 32‑bit sunxi edge now matches unprivileged BPF policy of other families

Adding CONFIG_BPF_UNPRIV_DEFAULT_OFF=y next to CONFIG_BPF_JIT=y brings this 32‑bit sunxi defconfig in line with the rest of the PR’s kernels by disabling unprivileged BPF while preserving JIT and privileged use.

config/kernel/linux-odroidxu4-current.config (1)

7-10: Odroid XU4 current defconfig correctly disables unprivileged BPF by default

With CONFIG_BPF_SYSCALL=y and CONFIG_BPF_JIT=y already enabled, setting CONFIG_BPF_UNPRIV_DEFAULT_OFF=y is the correct way to turn off unprivileged eBPF by default on this kernel and should address the misleading Spectre v2 “Unprivileged eBPF enabled” vulnerability message.

config/kernel/linux-rockchip-rk3588-edge.config (1)

92-106: Enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF matches the PR’s security goal

Setting CONFIG_BPF_UNPRIV_DEFAULT_OFF=y here is consistent with CONFIG_BPF_SYSCALL=y and correctly makes unprivileged BPF disabled by default on rk3588 edge kernels, which should clear the “Vulnerable: Unprivileged eBPF enabled” spectre_v2 message while still allowing admins to re-enable it via the sysctl if they explicitly choose to.

If not already done in this PR, ensure the same option is set for the corresponding *-current/other rk3588 kernel configs so behavior is consistent across branches for this family.

config/kernel/linux-bcm2711-edge.config (1)

10-10: LGTM - Security hardening applied correctly.

Enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF restricts unprivileged users from using BPF by default, which addresses the Spectre v2 mitigation warning mentioned in the PR description. This change is consistent across all board configurations in this PR and is an appropriate security hardening measure.

config/kernel/linux-rockchip-current.config (1)

11-11: LGTM - Consistent security hardening.

The change correctly enables CONFIG_BPF_UNPRIV_DEFAULT_OFF to restrict unprivileged BPF access, addressing the security concern outlined in the PR. This is consistent with the changes across all 29 board configuration files.

config/kernel/linux-bcm2711-legacy.config (1)

10-10: LGTM - Security hardening applied to legacy kernel.

The change appropriately enables CONFIG_BPF_UNPRIV_DEFAULT_OFF in the legacy kernel configuration, ensuring consistent security posture across all kernel variants. This addresses the vulnerability warning mentioned in the PR description.

config/kernel/linux-imx6-current.config (1)

10-13: Enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF here is correct and consistent with the PR goal

With BPF and JIT already enabled, setting CONFIG_BPF_UNPRIV_DEFAULT_OFF=y is the right way to default‑disable unprivileged eBPF while preserving privileged BPF usage and should address the misleading spectre_v2 vulnerability status. No config dependency issues are apparent in this context.

config/kernel/linux-thead-legacy.config (1)

181-183: CONFIG_BPF_UNPRIV_DEFAULT_OFF=y is a safe, aligned hardening change here

Given CONFIG_BPF=y and CONFIG_BPF_SYSCALL=y, turning on CONFIG_BPF_UNPRIV_DEFAULT_OFF correctly defaults unprivileged eBPF off on this thead legacy kernel as well, matching the rest of the platforms in the PR and improving the reported vulnerability status without impacting privileged BPF use.

config/kernel/linux-imx6-legacy.config (1)

101-111: CONFIG_BPF_UNPRIV_DEFAULT_OFF=y correctly enforces unprivileged eBPF default‑off

Setting CONFIG_BPF_UNPRIV_DEFAULT_OFF=y here resolves the incorrect Spectre v2 vulnerability report showing "Unprivileged eBPF enabled" on ARM32 and ARM64 devices. While eBPF remains available to privileged users (root/CAP_BPF), unprivileged access is now default‑disabled, which eliminates the false vulnerability warning.

config/kernel/linux-odroidxu4-edge.config (1)

9-9: Security improvement: unprivileged BPF disabled by default.

This change appropriately restricts unprivileged BPF access while maintaining privileged BPF functionality (CONFIG_BPF_SYSCALL remains enabled). This addresses the misleading Spectre v2 vulnerability warning and aligns with security best practices.

config/kernel/linux-bcm2711-current.config (1)

10-10: Security improvement: unprivileged BPF disabled by default.

Enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF enhances security by restricting unprivileged BPF access while preserving privileged BPF functionality. This change is consistent with the security posture improvements across all affected configurations.

config/kernel/linux-mvebu-current.config (1)

10-10: Security improvement: unprivileged BPF disabled by default.

This change correctly restricts unprivileged BPF access by default, addressing the security concern outlined in the PR objectives. The configuration maintains privileged BPF functionality for administrative use while mitigating potential security risks from unprivileged access.
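A read-only audit of the check these review comments describe, as an added example that is not part of the PR or of Armbian's build scripts. The function names and the sample files are constructed for illustration; a config with no `CONFIG_BPF_UNPRIV_DEFAULT_OFF` line at all is reported as `default`, because the Kconfig default of that kernel decides the outcome and the `sed` in the PR description only rewrites an explicit "is not set" line.

```shell
#!/bin/sh
# Added example: audit kernel config fragments for the unprivileged-BPF default
# and interpret the two runtime values the review asks to verify after boot.

# Classify one config file. Prints one of:
#   off     - CONFIG_BPF_UNPRIV_DEFAULT_OFF=y (unprivileged bpf() disabled at boot)
#   on      - option explicitly "is not set" while the bpf() syscall is built in
#   default - no line for the option; the kernel's Kconfig default applies
#   no-bpf  - CONFIG_BPF_SYSCALL is not enabled, so the option is irrelevant
bpf_unpriv_state() {
    if ! grep -qx 'CONFIG_BPF_SYSCALL=y' "$1"; then
        echo no-bpf
    elif grep -qx 'CONFIG_BPF_UNPRIV_DEFAULT_OFF=y' "$1"; then
        echo off
    elif grep -qx '# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set' "$1"; then
        echo on
    else
        echo default
    fi
}

# Print "STATE PATH" for every *.config under a directory that needs attention,
# i.e. every file that is neither "off" nor "no-bpf". Never modifies a file.
audit_configs() {
    find "$1" -name '*.config' -type f | sort | while IFS= read -r cfg; do
        state=$(bpf_unpriv_state "$cfg")
        case "$state" in
            on|default) echo "$state $cfg" ;;
        esac
    done
    return 0
}

# Interpret the runtime state on a booted image.
#   $1 = contents of /sys/devices/system/cpu/vulnerabilities/spectre_v2
#   $2 = value of sysctl kernel.unprivileged_bpf_disabled
runtime_verdict() {
    case "$1" in
        *'Unprivileged eBPF enabled'*)
            echo "fail: spectre_v2 still flags unprivileged eBPF"
            return 0 ;;
    esac
    case "$2" in
        0) echo "fail: unprivileged bpf() allowed" ;;
        1) echo "ok: disabled, locked until reboot" ;;
        2) echo "ok: disabled, admin may re-enable" ;;
        *) echo "unknown: unexpected sysctl value '$2'" ;;
    esac
}

# Build a constructed sample tree (not real Armbian configs) for a dry run.
# Prints the path of the temporary directory; the caller removes it.
make_sample_tree() {
    tree=$(mktemp -d) || return 1
    printf '%s\n' 'CONFIG_BPF_SYSCALL=y' 'CONFIG_BPF_JIT=y' \
        'CONFIG_BPF_UNPRIV_DEFAULT_OFF=y' > "$tree/linux-fixed.config"
    printf '%s\n' 'CONFIG_BPF_SYSCALL=y' 'CONFIG_BPF_JIT=y' \
        '# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set' > "$tree/linux-unset.config"
    printf '%s\n' 'CONFIG_BPF_SYSCALL=y' > "$tree/linux-missing.config"
    printf '%s\n' '# CONFIG_BPF_SYSCALL is not set' > "$tree/linux-nobpf.config"
    echo "$tree"
}

# Stand-alone dry run: sh audit.sh demo
if [ "${1:-}" = demo ]; then
    sample=$(make_sample_tree)
    audit_configs "$sample"
    rm -rf "$sample"
fi
```

On a booted test image, pass the real values with `runtime_verdict "$(cat /sys/devices/system/cpu/vulnerabilities/spectre_v2)" "$(sysctl -n kernel.unprivileged_bpf_disabled)"`.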

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (2)
config/kernel/linux-rockchip-current.config (1)

9-11: CONFIG_BPF_UNPRIV_DEFAULT_OFF here looks correct and matches the PR goal

With CONFIG_BPF_SYSCALL=y and CONFIG_BPF_JIT=y already enabled, setting CONFIG_BPF_UNPRIV_DEFAULT_OFF=y is the right way to keep BPF available for privileged users while disabling unprivileged eBPF by default, which aligns with the spectre_v2 mitigation/output fix. Also, doing this in config/kernel/* (family-level config) matches prior guidance to avoid board-level kernel tweaks. Based on learnings, this is the appropriate place and shape for the change.

If you want this to survive future automated config regenerations, you could also wire this into the kernel-config generation tooling (e.g., armbian-kernel.sh) so subsequent rewrites keep CONFIG_BPF_UNPRIV_DEFAULT_OFF=y.

config/kernel/linux-mvebu-edge.config (1)

9-10: Change cleanly enforces unprivileged eBPF default‑off on mvebu

Adding CONFIG_BPF_UNPRIV_DEFAULT_OFF=y next to CONFIG_BPF_JIT=y achieves the intended “unprivileged BPF off by default” behavior here as well, staying consistent with the rest of the PR and leaving privileged BPF use intact.

If you plan more kernel‑wide security policy tweaks later, consider wiring this into the kernel‑config generation tooling (rather than only editing the overlay configs) so future automated rewrites can’t accidentally revert it, but this specific change looks fine as‑is.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between ab0191d and 6e96db7.

📒 Files selected for processing (32)
  • config/kernel/linux-bcm2711-current.config (1 hunks)
  • config/kernel/linux-bcm2711-edge.config (1 hunks)
  • config/kernel/linux-bcm2711-legacy.config (1 hunks)
  • config/kernel/linux-imx6-current.config (1 hunks)
  • config/kernel/linux-imx6-edge.config (1 hunks)
  • config/kernel/linux-imx6-legacy.config (1 hunks)
  • config/kernel/linux-meson64-current.config (1 hunks)
  • config/kernel/linux-meson64-edge.config (1 hunks)
  • config/kernel/linux-mvebu-current.config (1 hunks)
  • config/kernel/linux-mvebu-edge.config (1 hunks)
  • config/kernel/linux-mvebu-legacy.config (1 hunks)
  • config/kernel/linux-mvebu64-current.config (1 hunks)
  • config/kernel/linux-mvebu64-edge.config (1 hunks)
  • config/kernel/linux-mvebu64-legacy.config (1 hunks)
  • config/kernel/linux-odroidxu4-current.config (1 hunks)
  • config/kernel/linux-odroidxu4-edge.config (1 hunks)
  • config/kernel/linux-rk322x-current.config (1 hunks)
  • config/kernel/linux-rk322x-edge.config (1 hunks)
  • config/kernel/linux-rk35xx-vendor.config (1 hunks)
  • config/kernel/linux-rockchip-current.config (1 hunks)
  • config/kernel/linux-rockchip-edge.config (1 hunks)
  • config/kernel/linux-rockchip-rk3588-edge.config (1 hunks)
  • config/kernel/linux-rockchip64-current.config (1 hunks)
  • config/kernel/linux-rockchip64-edge.config (1 hunks)
  • config/kernel/linux-sunxi-current.config (1 hunks)
  • config/kernel/linux-sunxi-edge.config (1 hunks)
  • config/kernel/linux-sunxi-legacy.config (1 hunks)
  • config/kernel/linux-sunxi64-current.config (1 hunks)
  • config/kernel/linux-sunxi64-edge.config (1 hunks)
  • config/kernel/linux-sunxi64-legacy.config (1 hunks)
  • config/kernel/linux-thead-legacy.config (1 hunks)
  • config/kernel/linux-virtual-current.config (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (22)
  • config/kernel/linux-mvebu64-edge.config
  • config/kernel/linux-sunxi-edge.config
  • config/kernel/linux-rockchip64-current.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-bcm2711-current.config
  • config/kernel/linux-meson64-edge.config
  • config/kernel/linux-bcm2711-edge.config
  • config/kernel/linux-virtual-current.config
  • config/kernel/linux-rk35xx-vendor.config
  • config/kernel/linux-odroidxu4-current.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-thead-legacy.config
  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-sunxi64-legacy.config
  • config/kernel/linux-rockchip-edge.config
  • config/kernel/linux-imx6-edge.config
  • config/kernel/linux-odroidxu4-edge.config
  • config/kernel/linux-rockchip-rk3588-edge.config
  • config/kernel/linux-mvebu-legacy.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-imx6-legacy.config
🧰 Additional context used
🧠 Learnings (18)
📓 Common learnings
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.
Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub or the PR API to get the complete picture of what files are being added or modified.
Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub API (https://api.github.com/repos/armbian/build/pulls/{pr_number}/files) to get the complete picture of what files are being added or modified, especially for U-Boot patches that will be applied during the build process.
Learnt from: EvilOlaf
Repo: armbian/build PR: 8328
File: lib/functions/compilation/patch/drivers_network.sh:542-545
Timestamp: 2025-06-24T10:08:40.313Z
Learning: In the Armbian build system, when a PR removes build support for a specific kernel version, version check issues for that removed version become practically irrelevant even if they appear incorrect in isolation. Context about which kernel versions are being deprecated/removed is important for understanding the impact of version-related code changes.
Learnt from: EvilOlaf
Repo: armbian/build PR: 8968
File: patch/u-boot/u-boot-sunxi/arm64-dts-sun50i-h6-orangepi.dtsi-Rollback-r_rsb-to-r_i2c.patch:36-36
Timestamp: 2025-11-20T18:20:11.985Z
Learning: The rewrite-patches tool (REWRITE_PATCHES=yes) in the Armbian build system can inadvertently introduce semantic changes when the u-boot/kernel git base revision differs from expected state. The tool applies patches, commits them, and re-exports them using git format-patch, which can cause the re-exported patch to reflect the base revision's state rather than preserving the original patch intent. This is particularly problematic for device tree changes like interrupt specifications. The tool currently lacks validation mechanisms to detect such semantic drift, and affected patches must be manually corrected after rewriting.
Learnt from: igorpecovnik
Repo: armbian/build PR: 8849
File: config/boards/radxa-e54c.csc:14-28
Timestamp: 2025-11-02T20:49:56.719Z
Learning: In Armbian board configuration files (config/boards/*.conf, *.csc, etc.), do not use kernel_config_set, kernel_config_set_m, kernel_config_set_y, or custom_kernel_config__* functions to modify kernel configuration. Kernel configuration is associated with LINUXFAMILY/BOARDFAMILY, not individual BOARD. Board-specific kernel modifications cause inconsistency in kernel packages published to the apt repository because boards within a family share the same kernel packages. Kernel configuration changes must be made in the appropriate kernel config file (e.g., config/kernel/linux-*-*.config) or in family configuration files (config/sources/families/*.conf, *.inc) instead.
Learnt from: glneo
Repo: armbian/build PR: 8913
File: config/sources/families/include/k3_common.inc:57-60
Timestamp: 2025-11-11T20:56:20.303Z
Learning: In config/sources/families/include/k3_common.inc, the OP-TEE build command at line 59 should be updated in a future PR to explicitly set CROSS_COMPILE64=aarch64-linux-gnu- and CROSS_COMPILE32=arm-linux-gnueabihf- instead of relying on OP-TEE's internal defaults, for better clarity and maintainability. User glneo agreed to address this in a separate PR.
Learnt from: igorpecovnik
Repo: armbian/build PR: 8705
File: .github/workflows/rewrite-kernel-configs.yml:96-169
Timestamp: 2025-10-03T11:42:46.660Z
Learning: In the Armbian build repository's kernel config rewrite workflow (.github/workflows/rewrite-kernel-configs.yml), deletion of kernel config files does not need to be handled. The workflow intentionally only captures ACMR (added/copied/modified/renamed) changes and does not need to propagate deletions to the aggregator.
Learnt from: igorpecovnik
Repo: armbian/build PR: 8705
File: .github/workflows/rewrite-kernel-configs.yml:217-220
Timestamp: 2025-10-04T17:59:19.369Z
Learning: In the Armbian build repository's kernel config rewrite workflow (.github/workflows/rewrite-kernel-configs.yml), the workflow is designed to rewrite existing kernel configs only. New/untracked files can be safely ignored, so using `git diff --quiet` (which ignores untracked files) is the correct approach for detecting changes rather than `git status --porcelain`.
Learnt from: libiunc
Repo: armbian/build PR: 8033
File: config/kernel/linux-starfive2-vendor.config:43-43
Timestamp: 2025-03-31T12:57:13.880Z
Learning: For StarFive2 platform kernel configurations, maintain alignment with vendor-provided configurations rather than modifying security settings like SECCOMP. This ensures hardware compatibility as intended by the manufacturer.
Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:56:33.372Z
Learning: In Armbian kernel configuration, the BTRFS configuration logic preserves existing settings (whether built-in 'y' or module 'm') and only sets BTRFS_FS to module when it was previously disabled or not set, achieving "allow but not require" flexibility while maintaining backward compatibility.
📚 Learning: 2025-08-30T04:13:16.457Z
Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T04:13:16.457Z
Learning: Armbian kernel configuration files like linux-filogic-current.config are autogenerated overlays on top of arch defconfig. Comments added manually will be lost during future updates by maintainers, and explicit "CONFIG_OPTION is not set" statements aren't needed for mutually exclusive options since these are overlay configs that only specify changes from the base configuration.

Applied to files:

  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-imx6-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu-edge.config
📚 Learning: 2025-11-02T20:49:56.719Z
Learnt from: igorpecovnik
Repo: armbian/build PR: 8849
File: config/boards/radxa-e54c.csc:14-28
Timestamp: 2025-11-02T20:49:56.719Z
Learning: In Armbian board configuration files (config/boards/*.conf, *.csc, etc.), do not use kernel_config_set, kernel_config_set_m, kernel_config_set_y, or custom_kernel_config__* functions to modify kernel configuration. Kernel configuration is associated with LINUXFAMILY/BOARDFAMILY, not individual BOARD. Board-specific kernel modifications cause inconsistency in kernel packages published to the apt repository because boards within a family share the same kernel packages. Kernel configuration changes must be made in the appropriate kernel config file (e.g., config/kernel/linux-*-*.config) or in family configuration files (config/sources/families/*.conf, *.inc) instead.

Applied to files:

  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-imx6-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu-edge.config
📚 Learning: 2025-09-27T21:47:58.020Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-bcm2711-edge.config:859-861
Timestamp: 2025-09-27T21:47:58.020Z
Learning: In the Armbian build system, kernel configuration files in config/kernel/ are generated through an automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-imx6-current.config
  • config/kernel/linux-sunxi-current.config
📚 Learning: 2025-09-22T21:52:01.225Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: The kernel_config_set_m function in lib/functions/compilation/armbian-kernel.sh preserves existing 'y' (built-in) settings and only sets options to 'm' (module) when they are not already built-in, achieving "prefer modules but allow built-ins" behavior.

Applied to files:

  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu-edge.config
📚 Learning: 2025-09-27T21:49:55.796Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sm8250-current.config:78-80
Timestamp: 2025-09-27T21:49:55.796Z
Learning: In the Armbian build system, kernel configuration files are generated through an automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-sunxi-current.config
📚 Learning: 2025-09-27T21:50:04.845Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sm8250-edge.config:80-82
Timestamp: 2025-09-27T21:50:04.845Z
Learning: In the Armbian build system, kernel configuration files are generated through this automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-sunxi-current.config
📚 Learning: 2025-08-30T06:56:33.372Z
Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:56:33.372Z
Learning: In Armbian kernel configuration, the BTRFS configuration logic preserves existing settings (whether built-in 'y' or module 'm') and only sets BTRFS_FS to module when it was previously disabled or not set, achieving "allow but not require" flexibility while maintaining backward compatibility.

Applied to files:

  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-imx6-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu-edge.config
📚 Learning: 2025-09-27T21:50:15.915Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sunxi64-current.config:94-94
Timestamp: 2025-09-27T21:50:15.915Z
Learning: When kernel config files are generated through Armbian's automated process (previous config → armbian-kernel.sh changes → make oldconfig → Armbian machinery processing), manual config file edits are not appropriate since they would be overwritten. Deprecated option handling should be implemented in the automated tooling instead.

Applied to files:

  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-meson64-current.config
📚 Learning: 2025-09-22T21:52:01.225Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the kernel_config_modifying_hashes array is not universally required for all kernel configuration functions - some functions like armbian_kernel_config__netkit() operate without it, and adding entries with '=m' would be incorrect when the actual result might be '=y' for options already built-in.

Applied to files:

  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-mvebu-edge.config
📚 Learning: 2025-07-27T15:56:34.414Z
Learnt from: pyavitz
Repo: armbian/build PR: 8421
File: config/kernel/linux-sunxi64-edge.config:438-439
Timestamp: 2025-07-27T15:56:34.414Z
Learning: CONFIG_NET_SCH_DEFAULT is a boolean kernel configuration option (=y or =n) that enables/disables the ability to override the default network queueing discipline at runtime. When set to 'y', it allows setting the actual qdisc name via /proc/sys/net/core/default_qdisc at runtime, not in the kernel config file itself.

Applied to files:

  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu-edge.config
📚 Learning: 2025-10-22T07:56:19.424Z
Learnt from: igorpecovnik
Repo: armbian/build PR: 8789
File: config/kernel/linux-sunxi64-edge.config:839-839
Timestamp: 2025-10-22T07:56:19.424Z
Learning: In Linux kernel configuration, some `=y` (builtin) options are infrastructure or feature flags that enable subsystems or features for modular drivers, rather than directly compiling code into the kernel. For example, in Armbian wireless configs, options like CONFIG_SPARD_WLAN_SUPPORT=y, CONFIG_SC23XX=y, CONFIG_WCN_BSP_DRIVER_BUILDIN=y, CONFIG_UNISOC_WIFI_PS=y are module infrastructure/feature enablers, while the actual drivers (CONFIG_WLAN_UWE5621=m, CONFIG_WLAN_UWE5622=m) remain as loadable modules. These infrastructure options don't cause kernel bloat.

Applied to files:

  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-imx6-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu-edge.config
📚 Learning: 2025-07-19T00:03:42.995Z
Learnt from: lanefu
Repo: armbian/build PR: 8377
File: config/kernel/linux-uefi-arm64-cloud.config:165-170
Timestamp: 2025-07-19T00:03:42.995Z
Learning: CONFIG_NETKIT was introduced in Linux kernel 4.14.330 (November 2023) and enables BPF-programmable network devices that can operate in Layer 3 or Layer 2 mode. It's a valid configuration option in modern kernels including 6.12.

Applied to files:

  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu-edge.config
📚 Learning: 2025-09-25T18:37:00.330Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.

Applied to files:

  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-imx6-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu-edge.config
📚 Learning: 2025-03-31T12:57:13.880Z
Learnt from: libiunc
Repo: armbian/build PR: 8033
File: config/kernel/linux-starfive2-vendor.config:43-43
Timestamp: 2025-03-31T12:57:13.880Z
Learning: For StarFive2 platform kernel configurations, maintain alignment with vendor-provided configurations rather than modifying security settings like SECCOMP. This ensures hardware compatibility as intended by the manufacturer.

Applied to files:

  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-meson64-current.config
📚 Learning: 2025-07-15T21:09:23.252Z
Learnt from: pyavitz
Repo: armbian/build PR: 8383
File: config/kernel/linux-sunxi64-edge.config:57-64
Timestamp: 2025-07-15T21:09:23.252Z
Learning: In Linux kernel configuration, when CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y is set, the ondemand governor is implicitly enabled by default, making the explicit CONFIG_CPU_FREQ_GOV_ONDEMAND=y line redundant. The make menuconfig tool automatically removes such redundant lines. This behavior applies to CPU frequency governor configurations in general - setting a default governor automatically enables that governor.

Applied to files:

  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-sunxi-current.config
📚 Learning: 2025-07-25T03:51:50.830Z
Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub or the PR API to get the complete picture of what files are being added or modified.

Applied to files:

  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-sunxi-legacy.config
📚 Learning: 2025-10-11T19:52:54.648Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8746
File: config/kernel/linux-filogic-edge.config:344-470
Timestamp: 2025-10-11T19:52:54.648Z
Learning: The chainsx/linux-filogic kernel (legacy branch) for BPI-R4 uses out-of-tree proprietary drivers (CONFIG_NET_DSA_AN8855, CONFIG_AIROHA_EN8801SC_PHY, CONFIG_AIR_AN8855_PHY, CONFIG_MDIO_AN8855, CONFIG_MFD_AIROHA_AN8855). The frank-w/BPI-Router-Linux kernel (current and edge branches) uses mainline kernel drivers instead: CONFIG_NET_DSA_MT7530 for the DSA switch and CONFIG_MEDIATEK_2P5GE_PHY for PHY support. These provide equivalent functionality for BPI-R4 networking.

Applied to files:

  • config/kernel/linux-rk322x-edge.config
🔇 Additional comments (8)
config/kernel/linux-mvebu64-current.config (1)

9-11: Consistent BPF hardening for mvebu64 (LGTM)

Enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF=y alongside CONFIG_BPF_SYSCALL=y / CONFIG_BPF_JIT=y gives the expected “unprivileged BPF disabled by default” behaviour while keeping privileged BPF support. This is consistent with the other families in the PR and with the stated objective of silencing the incorrect “Unprivileged eBPF enabled” vulnerability message.

config/kernel/linux-sunxi-current.config (1)

8-9: Sunxi current: unprivileged BPF default‑off is appropriate

Adding CONFIG_BPF_UNPRIV_DEFAULT_OFF=y on top of existing BPF support is in line with the rest of the families and should give the intended “unprivileged BPF disabled by default” behaviour without impacting privileged BPF users.

config/kernel/linux-sunxi64-edge.config (1)

7-8: Sunxi64 edge: BPF_UNPRIV_DEFAULT_OFF=y is consistent and safe

Setting CONFIG_BPF_UNPRIV_DEFAULT_OFF=y here aligns the 6.16 sunxi64 edge kernel with the rest of the configs in this PR, disabling unprivileged eBPF by default while keeping BPF functionality for privileged callers. No conflicting options are visible in this defconfig.

config/kernel/linux-meson64-current.config (1)

10-10: LGTM - Security improvement.

Enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF=y correctly disables unprivileged eBPF access by default, resolving the misleading CPU vulnerability warning. This change improves the security posture while maintaining eBPF functionality for privileged operations.

config/kernel/linux-rk322x-edge.config (1)

95-107: BPF unprivileged default‑off here is consistent and low‑risk

Setting CONFIG_BPF_UNPRIV_DEFAULT_OFF=y alongside CONFIG_BPF=y and CONFIG_BPF_JIT=y correctly makes unprivileged eBPF default‑off while preserving all privileged BPF functionality, which aligns with the PR’s Spectre v2 mitigation intent and the rest of this config. No conflicts visible in the surrounding BPF/netfilter options.

config/kernel/linux-rockchip64-edge.config (1)

11-11: LGTM - Security hardening improvement.

Enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF=y is a security improvement that addresses the misleading Spectre v2 vulnerability warning. This setting ensures unprivileged BPF is disabled by default as intended.

config/kernel/linux-imx6-current.config (1)

12-12: LGTM - Consistent security improvement across platforms.

The change matches the fix applied to other kernel configs in this PR. Enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF=y properly addresses the unprivileged BPF security concern for the imx6 platform.

config/kernel/linux-sunxi-legacy.config (1)

9-9: LGTM! Security improvement properly disables unprivileged BPF by default.

Enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF correctly disables unprivileged BPF by default, which fixes the misleading vulnerability warning and improves security posture by reducing the kernel attack surface. Users can still enable unprivileged BPF at runtime via sysctl if needed.

@tabrisnet tabrisnet changed the title board configs: disable unprivelaged BPF board configs: disable unprivileged BPF Dec 16, 2025
@tabrisnet
Collaborator

If this is so important, wouldn't it make more sense to just modify lib/functions/compilation/armbian-kernel.sh armbian_kernel_config__600_enable_ebpf_and_btf_info ?
Fewer files to modify [albeit it'll happen later on a subsequent run of rewrite-kernel-config], it will affect newly created configs...

Second, did you try running rewrite-kernel-config to see whether/how this change sticks?
@coderabbitai

@coderabbitai
Contributor

coderabbitai bot commented Dec 16, 2025

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Fetch the armbian-kernel.sh file to examine the armbian_kernel_config__600_enable_ebpf_and_btf_info function
cat lib/functions/compilation/armbian-kernel.sh | grep -A 50 "armbian_kernel_config__600_enable_ebpf_and_btf_info"

Length of output: 3489


🏁 Script executed:

#!/bin/bash
# Check if CONFIG_BPF_UNPRIV_DEFAULT_OFF is mentioned anywhere in armbian-kernel.sh
rg -n "BPF_UNPRIV_DEFAULT_OFF" lib/functions/compilation/armbian-kernel.sh

Length of output: 0


🏁 Script executed:

#!/bin/bash
# Check the file type of linux-rockchip-rk3588-current.config to understand the mode change
ls -la config/kernel/linux-rockchip-rk3588-current.config
file config/kernel/linux-rockchip-rk3588-current.config

Length of output: 177


🏁 Script executed:

#!/bin/bash
# Check if there are any symlinks in the kernel config directory
find config/kernel -type l -name "*.config" | head -20

Length of output: 50


@tabrisnet: You're absolutely correct! Based on the Armbian build system architecture, modifying lib/functions/compilation/armbian-kernel.sh is the proper approach here.

I examined the armbian_kernel_config__600_enable_ebpf_and_btf_info function and confirmed that CONFIG_BPF_UNPRIV_DEFAULT_OFF is not currently set there. According to the learnings from this codebase, kernel config files are auto-generated through the process: previous config → armbian-kernel.sh changes → make oldconfig → Armbian processing. Manual edits to config files will be overwritten when rewrite-kernel-config runs.

Recommended approach:

Add CONFIG_BPF_UNPRIV_DEFAULT_OFF to the existing function:

function armbian_kernel_config__600_enable_ebpf_and_btf_info() {
	if [[ "${KERNEL_BTF}" == "no" ]]; then
		display_alert "Disabling eBPF and BTF info for kernel" "as requested by KERNEL_BTF=no" "info"
		opts_y+=("DEBUG_INFO_NONE")
		opts_n+=("DEBUG_INFO" "DEBUG_INFO_DWARF5" "DEBUG_INFO_BTF" "DEBUG_INFO_BTF_MODULES")
	else
		# ... existing memory check logic ...
		
		display_alert "Enabling eBPF and BTF info" "for fully BTF & CO-RE enabled kernel" "info"
		opts_n+=("DEBUG_INFO_NONE")
		opts_y+=(
			"BPF_JIT" "BPF_JIT_DEFAULT_ON" "FTRACE_SYSCALLS" "PROBE_EVENTS_BTF_ARGS" "BPF_KPROBE_OVERRIDE"
			"DEBUG_INFO" "DEBUG_INFO_DWARF5" "DEBUG_INFO_BTF" "DEBUG_INFO_BTF_MODULES"
			"BPF_UNPRIV_DEFAULT_OFF"  # Add this line - disable unprivileged BPF by default
		)
	fi
}

Benefits:

  • Fewer files to modify (just one)
  • Changes automatically apply to all existing and newly created configs after running rewrite-kernel-config
  • Follows the established Armbian pattern for kernel configuration
  • Solves the symlink issue (linux-rockchip-rk3588-current.config is a symlink → linux-rockchip-rk3588-edge.config, which explains the mode change 120000 → 100644)

@neheb: The mode change you noticed is because linux-rockchip-rk3588-current.config is currently a symlink (mode 120000) to linux-rockchip-rk3588-edge.config. The sed -i command followed the symlink and created a regular file (mode 100644) in its place.


🧠 Learnings used
Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-02T05:46:10.664Z
Learning: In the Armbian build system, the modern recommended approach for kernel configuration is to use the kernel-config command via "./compile.sh BOARD=boardname BRANCH=branchname kernel-config" instead of the deprecated KERNEL_CONFIGURE=yes flag. This provides a two-step workflow: configure using menuconfig, then build, with better transparency and control over configuration changes.

Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub API (https://api.github.com/repos/armbian/build/pulls/{pr_number}/files) to get the complete picture of what files are being added or modified, especially for U-Boot patches that will be applied during the build process.

Learnt from: EvilOlaf
Repo: armbian/build PR: 8328
File: lib/functions/compilation/patch/drivers_network.sh:542-545
Timestamp: 2025-06-24T10:08:40.313Z
Learning: In the Armbian build system, when a PR removes build support for a specific kernel version, version check issues for that removed version become practically irrelevant even if they appear incorrect in isolation. Context about which kernel versions are being deprecated/removed is important for understanding the impact of version-related code changes.

Learnt from: glneo
Repo: armbian/build PR: 8913
File: config/sources/families/include/k3_common.inc:57-60
Timestamp: 2025-11-11T20:56:20.303Z
Learning: In config/sources/families/include/k3_common.inc, the OP-TEE build command at line 59 should be updated in a future PR to explicitly set CROSS_COMPILE64=aarch64-linux-gnu- and CROSS_COMPILE32=arm-linux-gnueabihf- instead of relying on OP-TEE's internal defaults, for better clarity and maintainability. User glneo agreed to address this in a separate PR.

@neheb neheb requested a review from a team as a code owner December 16, 2025 01:40
@github-actions github-actions bot added the Framework Framework components label Dec 16, 2025
@neheb
Contributor Author

neheb commented Dec 16, 2025

@tabrisnet I think this is what you meant.
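
An added example, not part of this PR or of Armbian's tooling: a POSIX shell audit that classifies each `*.config` overlay by its `CONFIG_BPF_UNPRIV_DEFAULT_OFF` state and recognises the `spectre_v2` warning quoted in the PR description. The function names and the sample config files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Armbian code): audit kernel config overlays for the
# unprivileged-BPF default and recognise the sysfs warning this PR is about.

# bpf_unpriv_state FILE -> prints one of:
#   off-by-default    CONFIG_BPF_UNPRIV_DEFAULT_OFF=y is present
#   explicitly-unset  "# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set"
#                     (the exact line the PR's sed expression rewrites)
#   absent            BPF_SYSCALL=y but no line for the option; in an overlay
#                     config the value then comes from the base defconfig
#   no-bpf            BPF_SYSCALL is not enabled, so the option has no effect
bpf_unpriv_state() {
    if grep -q '^CONFIG_BPF_UNPRIV_DEFAULT_OFF=y$' "$1"; then
        echo off-by-default
    elif grep -q '^# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set$' "$1"; then
        echo explicitly-unset
    elif grep -q '^CONFIG_BPF_SYSCALL=y$' "$1"; then
        echo absent
    else
        echo no-bpf
    fi
}

# audit_configs DIR -> prints "state<TAB>file" for every *.config in DIR.
# Returns 1 if any file is explicitly-unset, 0 otherwise.
audit_configs() {
    rc=0
    for f in "$1"/*.config; do
        [ -f "$f" ] || continue
        s=$(bpf_unpriv_state "$f")
        printf '%s\t%s\n' "$s" "$f"
        if [ "$s" = explicitly-unset ]; then
            rc=1
        fi
    done
    return $rc
}

# spectre_v2_reports_ebpf STATUS -> succeeds when a spectre_v2 status line
# carries the "Unprivileged eBPF enabled" warning.
spectre_v2_reports_ebpf() {
    case $1 in
        *"Unprivileged eBPF enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# make_samples DIR -> writes four constructed overlay files, one per state.
make_samples() {
    printf 'CONFIG_BPF_SYSCALL=y\nCONFIG_BPF_JIT=y\nCONFIG_BPF_UNPRIV_DEFAULT_OFF=y\n' \
        > "$1/linux-sample-a.config"
    printf 'CONFIG_BPF_SYSCALL=y\nCONFIG_BPF_JIT=y\n# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set\n' \
        > "$1/linux-sample-b.config"
    printf 'CONFIG_BPF_SYSCALL=y\nCONFIG_BPF_JIT=y\n' \
        > "$1/linux-sample-c.config"
    printf 'CONFIG_MODULES=y\n' \
        > "$1/linux-sample-d.config"
}

demo() {
    d=$(mktemp -d)
    make_samples "$d"
    audit_configs "$d" ||
        echo "explicitly-unset found: unprivileged BPF stays on by default there"
    # Optional live check against the sysfs file named in the PR description.
    live=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    if [ -r "$live" ] && spectre_v2_reports_ebpf "$(cat "$live")"; then
        echo "running kernel: spectre_v2 reports unprivileged eBPF enabled"
    fi
    rm -rf "$d"
}

demo
```

Pointing `audit_configs` at a checkout's `config/kernel` directory gives the same per-file listing; files reported as `absent` need a look at the fully resolved `.config` from a build, since the overlay alone does not settle the value.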

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (4)
config/kernel/linux-sunxi-current.config (1)

8-11: Sunxi: BPF_UNPRIV_DEFAULT_OFF addition matches the cross‑family policy

Enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF=y next to CONFIG_BPF_JIT=y is consistent with the other defconfigs in this PR and with the stated objective to have unprivileged eBPF off by default on ARM32 as well.

Process/automation considerations for these config changes are already covered in the comment on linux-mvebu64-current.config.

config/kernel/linux-odroidxu4-current.config (1)

7-11: Odroid XU4: consistent BPF_UNPRIV_DEFAULT_OFF enablement

This mirrors the other families by pairing CONFIG_BPF_SYSCALL=y / CONFIG_BPF_JIT=y with CONFIG_BPF_UNPRIV_DEFAULT_OFF=y, so the unprivileged eBPF default is uniform on this SoC too.

Automation vs manual‑edit guidance for kernel configs is already noted in the first file’s comment.

config/kernel/linux-mvebu-edge.config (1)

8-12: mvebu edge: align edge/current with BPF_UNPRIV_DEFAULT_OFF=y

Setting CONFIG_BPF_UNPRIV_DEFAULT_OFF=y here keeps the edge mvebu kernel in sync with the current variant and with the repository‑wide policy established in this PR.

The note about generating these config deltas via the standard rewrite tooling instead of manual edits is already given on linux-mvebu64-current.config.

config/kernel/linux-rockchip-current.config (1)

11-11: Manual config edit is redundant (same issue as other config files).

This manual addition follows the same pattern as the other config files in this PR. As explained in the PR comments, the proper approach is to rely on the armbian-kernel.sh change and regenerate configs automatically via rewrite-kernel-config, rather than manually editing config files with sed.

Based on learnings about Armbian's automated kernel config generation process.

🧹 Nitpick comments (1)
config/kernel/linux-virtual-current.config (1)

90-103: CONFIG_BPF_UNPRIV_DEFAULT_OFF=y matches the PR goal; just ensure it’s driven via the central config machinery

Enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF=y here is consistent with the intent to have unprivileged eBPF disabled by default while keeping BPF/JIT available for privileged users, and should help avoid the misleading Spectre v2 “Unprivileged eBPF enabled” status on this kernel.

Given these .config files are auto-generated overlays, please double‑check that:

  • lib/functions/compilation/armbian-kernel.sh (e.g. armbian_kernel_config__600_enable_ebpf_and_btf_info) is also setting BPF_UNPRIV_DEFAULT_OFF, and
  • rewrite-kernel-config has been run so this file reflects the scripted change rather than a one‑off manual edit.

That keeps this setting stable across future config rewrites and avoids drift.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 6e96db7 and 47db71f.

📒 Files selected for processing (33)
  • config/kernel/linux-bcm2711-current.config (1 hunks)
  • config/kernel/linux-bcm2711-edge.config (1 hunks)
  • config/kernel/linux-bcm2711-legacy.config (1 hunks)
  • config/kernel/linux-imx6-current.config (1 hunks)
  • config/kernel/linux-imx6-edge.config (1 hunks)
  • config/kernel/linux-imx6-legacy.config (1 hunks)
  • config/kernel/linux-meson64-current.config (1 hunks)
  • config/kernel/linux-meson64-edge.config (1 hunks)
  • config/kernel/linux-mvebu-current.config (1 hunks)
  • config/kernel/linux-mvebu-edge.config (1 hunks)
  • config/kernel/linux-mvebu-legacy.config (1 hunks)
  • config/kernel/linux-mvebu64-current.config (1 hunks)
  • config/kernel/linux-mvebu64-edge.config (1 hunks)
  • config/kernel/linux-mvebu64-legacy.config (1 hunks)
  • config/kernel/linux-odroidxu4-current.config (1 hunks)
  • config/kernel/linux-odroidxu4-edge.config (1 hunks)
  • config/kernel/linux-rk322x-current.config (1 hunks)
  • config/kernel/linux-rk322x-edge.config (1 hunks)
  • config/kernel/linux-rk35xx-vendor.config (1 hunks)
  • config/kernel/linux-rockchip-current.config (1 hunks)
  • config/kernel/linux-rockchip-edge.config (1 hunks)
  • config/kernel/linux-rockchip-rk3588-edge.config (1 hunks)
  • config/kernel/linux-rockchip64-current.config (1 hunks)
  • config/kernel/linux-rockchip64-edge.config (1 hunks)
  • config/kernel/linux-sunxi-current.config (1 hunks)
  • config/kernel/linux-sunxi-edge.config (1 hunks)
  • config/kernel/linux-sunxi-legacy.config (1 hunks)
  • config/kernel/linux-sunxi64-current.config (1 hunks)
  • config/kernel/linux-sunxi64-edge.config (1 hunks)
  • config/kernel/linux-sunxi64-legacy.config (1 hunks)
  • config/kernel/linux-thead-legacy.config (1 hunks)
  • config/kernel/linux-virtual-current.config (1 hunks)
  • lib/functions/compilation/armbian-kernel.sh (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (21)
  • config/kernel/linux-rockchip-edge.config
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-imx6-legacy.config
  • config/kernel/linux-sunxi-edge.config
  • config/kernel/linux-rockchip64-current.config
  • config/kernel/linux-rockchip-rk3588-edge.config
  • config/kernel/linux-bcm2711-current.config
  • config/kernel/linux-imx6-edge.config
  • config/kernel/linux-mvebu-legacy.config
  • config/kernel/linux-sunxi64-legacy.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-rk35xx-vendor.config
  • config/kernel/linux-bcm2711-edge.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-odroidxu4-edge.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-imx6-current.config
  • config/kernel/linux-mvebu64-edge.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-thead-legacy.config
🧰 Additional context used
🧠 Learnings (20)
📓 Common learnings
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.
Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub or the PR API to get the complete picture of what files are being added or modified.
Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub API (https://api.github.com/repos/armbian/build/pulls/{pr_number}/files) to get the complete picture of what files are being added or modified, especially for U-Boot patches that will be applied during the build process.
Learnt from: igorpecovnik
Repo: armbian/build PR: 8849
File: config/boards/radxa-e54c.csc:14-28
Timestamp: 2025-11-02T20:49:56.719Z
Learning: In Armbian board configuration files (config/boards/*.conf, *.csc, etc.), do not use kernel_config_set, kernel_config_set_m, kernel_config_set_y, or custom_kernel_config__* functions to modify kernel configuration. Kernel configuration is associated with LINUXFAMILY/BOARDFAMILY, not individual BOARD. Board-specific kernel modifications cause inconsistency in kernel packages published to the apt repository because boards within a family share the same kernel packages. Kernel configuration changes must be made in the appropriate kernel config file (e.g., config/kernel/linux-*-*.config) or in family configuration files (config/sources/families/*.conf, *.inc) instead.
Learnt from: igorpecovnik
Repo: armbian/build PR: 8705
File: .github/workflows/rewrite-kernel-configs.yml:217-220
Timestamp: 2025-10-04T17:59:19.369Z
Learning: In the Armbian build repository's kernel config rewrite workflow (.github/workflows/rewrite-kernel-configs.yml), the workflow is designed to rewrite existing kernel configs only. New/untracked files can be safely ignored, so using `git diff --quiet` (which ignores untracked files) is the correct approach for detecting changes rather than `git status --porcelain`.
Learnt from: EvilOlaf
Repo: armbian/build PR: 8968
File: patch/u-boot/u-boot-sunxi/arm64-dts-sun50i-h6-orangepi.dtsi-Rollback-r_rsb-to-r_i2c.patch:36-36
Timestamp: 2025-11-20T18:20:11.985Z
Learning: The rewrite-patches tool (REWRITE_PATCHES=yes) in the Armbian build system can inadvertently introduce semantic changes when the u-boot/kernel git base revision differs from expected state. The tool applies patches, commits them, and re-exports them using git format-patch, which can cause the re-exported patch to reflect the base revision's state rather than preserving the original patch intent. This is particularly problematic for device tree changes like interrupt specifications. The tool currently lacks validation mechanisms to detect such semantic drift, and affected patches must be manually corrected after rewriting.
Learnt from: glneo
Repo: armbian/build PR: 8913
File: config/sources/families/include/k3_common.inc:57-60
Timestamp: 2025-11-11T20:56:20.303Z
Learning: In config/sources/families/include/k3_common.inc, the OP-TEE build command at line 59 should be updated in a future PR to explicitly set CROSS_COMPILE64=aarch64-linux-gnu- and CROSS_COMPILE32=arm-linux-gnueabihf- instead of relying on OP-TEE's internal defaults, for better clarity and maintainability. User glneo agreed to address this in a separate PR.
Learnt from: igorpecovnik
Repo: armbian/build PR: 8705
File: .github/workflows/rewrite-kernel-configs.yml:96-169
Timestamp: 2025-10-03T11:42:46.660Z
Learning: In the Armbian build repository's kernel config rewrite workflow (.github/workflows/rewrite-kernel-configs.yml), deletion of kernel config files does not need to be handled. The workflow intentionally only captures ACMR (added/copied/modified/renamed) changes and does not need to propagate deletions to the aggregator.
Learnt from: libiunc
Repo: armbian/build PR: 8033
File: config/kernel/linux-starfive2-vendor.config:43-43
Timestamp: 2025-03-31T12:57:13.880Z
Learning: For StarFive2 platform kernel configurations, maintain alignment with vendor-provided configurations rather than modifying security settings like SECCOMP. This ensures hardware compatibility as intended by the manufacturer.
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: The kernel_config_set_m function in lib/functions/compilation/armbian-kernel.sh preserves existing 'y' (built-in) settings and only sets options to 'm' (module) when they are not already built-in, achieving "prefer modules but allow built-ins" behavior.
Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:56:33.372Z
Learning: In Armbian kernel configuration, the BTRFS configuration logic preserves existing settings (whether built-in 'y' or module 'm') and only sets BTRFS_FS to module when it was previously disabled or not set, achieving "allow but not require" flexibility while maintaining backward compatibility.
Learnt from: igorpecovnik
Repo: armbian/build PR: 8789
File: config/kernel/linux-sunxi64-edge.config:839-839
Timestamp: 2025-10-22T07:56:19.424Z
Learning: In Linux kernel configuration, some `=y` (builtin) options are infrastructure or feature flags that enable subsystems or features for modular drivers, rather than directly compiling code into the kernel. For example, in Armbian wireless configs, options like CONFIG_SPARD_WLAN_SUPPORT=y, CONFIG_SC23XX=y, CONFIG_WCN_BSP_DRIVER_BUILDIN=y, CONFIG_UNISOC_WIFI_PS=y are module infrastructure/feature enablers, while the actual drivers (CONFIG_WLAN_UWE5621=m, CONFIG_WLAN_UWE5622=m) remain as loadable modules. These infrastructure options don't cause kernel bloat.
Learnt from: rpardini
Repo: armbian/build PR: 8820
File: config/sources/families/include/meson64_common.inc:51-53
Timestamp: 2025-10-26T12:56:29.185Z
Learning: In the Armbian build framework, scripts/config correctly handles kernel configuration option names both with and without the CONFIG_ prefix, so opts_m+=("CONFIG_RTL8822CS") and opts_m+=("RTL8822CS") are both valid and will work correctly.
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the kernel_config_modifying_hashes array is not universally required for all kernel configuration functions - some functions like armbian_kernel_config__netkit() operate without it, and adding entries with '=m' would be incorrect when the actual result might be '=y' for options already built-in.
Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:48:09.091Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the user prefers flexible grep patterns over anchored ones for BTRFS configuration checks, but agrees to use quiet grep (-q) to avoid polluting build logs.
📚 Learning: 2025-09-25T18:37:00.330Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.

Applied to files:

  • lib/functions/compilation/armbian-kernel.sh
  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-virtual-current.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-odroidxu4-current.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-meson64-edge.config
📚 Learning: 2025-09-22T21:52:01.225Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the kernel_config_modifying_hashes array is not universally required for all kernel configuration functions - some functions like armbian_kernel_config__netkit() operate without it, and adding entries with '=m' would be incorrect when the actual result might be '=y' for options already built-in.

Applied to files:

  • lib/functions/compilation/armbian-kernel.sh
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-mvebu-edge.config
📚 Learning: 2025-09-22T21:52:01.225Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: The kernel_config_set_m function in lib/functions/compilation/armbian-kernel.sh preserves existing 'y' (built-in) settings and only sets options to 'm' (module) when they are not already built-in, achieving "prefer modules but allow built-ins" behavior.

Applied to files:

  • lib/functions/compilation/armbian-kernel.sh
  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-odroidxu4-current.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-meson64-edge.config
📚 Learning: 2025-09-22T21:59:36.334Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:200-200
Timestamp: 2025-09-22T21:59:36.334Z
Learning: Functions named with the pattern `armbian_kernel_config__*` in lib/functions/compilation/armbian-kernel.sh are automatically discovered and invoked by Armbian's extension system via metaprogramming using `compgen -A function`, without requiring explicit registration or calls.

Applied to files:

  • lib/functions/compilation/armbian-kernel.sh
📚 Learning: 2025-08-30T06:56:33.372Z
Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:56:33.372Z
Learning: In Armbian kernel configuration, the BTRFS configuration logic preserves existing settings (whether built-in 'y' or module 'm') and only sets BTRFS_FS to module when it was previously disabled or not set, achieving "allow but not require" flexibility while maintaining backward compatibility.

Applied to files:

  • lib/functions/compilation/armbian-kernel.sh
  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-virtual-current.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-odroidxu4-current.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-meson64-edge.config
📚 Learning: 2025-08-30T04:13:16.457Z
Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T04:13:16.457Z
Learning: Armbian kernel configuration files like linux-filogic-current.config are autogenerated overlays on top of arch defconfig. Comments added manually will be lost during future updates by maintainers, and explicit "CONFIG_OPTION is not set" statements aren't needed for mutually exclusive options since these are overlay configs that only specify changes from the base configuration.

Applied to files:

  • lib/functions/compilation/armbian-kernel.sh
  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-virtual-current.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-odroidxu4-current.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-meson64-edge.config
📚 Learning: 2025-09-27T21:50:15.915Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sunxi64-current.config:94-94
Timestamp: 2025-09-27T21:50:15.915Z
Learning: When kernel config files are generated through Armbian's automated process (previous config → armbian-kernel.sh changes → make oldconfig → Armbian machinery processing), manual config file edits are not appropriate since they would be overwritten. Deprecated option handling should be implemented in the automated tooling instead.

Applied to files:

  • lib/functions/compilation/armbian-kernel.sh
  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-odroidxu4-current.config
  • config/kernel/linux-meson64-edge.config
📚 Learning: 2025-10-26T12:56:29.185Z
Learnt from: rpardini
Repo: armbian/build PR: 8820
File: config/sources/families/include/meson64_common.inc:51-53
Timestamp: 2025-10-26T12:56:29.185Z
Learning: In the Armbian build framework, scripts/config correctly handles kernel configuration option names both with and without the CONFIG_ prefix, so opts_m+=("CONFIG_RTL8822CS") and opts_m+=("RTL8822CS") are both valid and will work correctly.

Applied to files:

  • lib/functions/compilation/armbian-kernel.sh
  • config/kernel/linux-rk322x-current.config
📚 Learning: 2025-11-02T20:49:56.719Z
Learnt from: igorpecovnik
Repo: armbian/build PR: 8849
File: config/boards/radxa-e54c.csc:14-28
Timestamp: 2025-11-02T20:49:56.719Z
Learning: In Armbian board configuration files (config/boards/*.conf, *.csc, etc.), do not use kernel_config_set, kernel_config_set_m, kernel_config_set_y, or custom_kernel_config__* functions to modify kernel configuration. Kernel configuration is associated with LINUXFAMILY/BOARDFAMILY, not individual BOARD. Board-specific kernel modifications cause inconsistency in kernel packages published to the apt repository because boards within a family share the same kernel packages. Kernel configuration changes must be made in the appropriate kernel config file (e.g., config/kernel/linux-*-*.config) or in family configuration files (config/sources/families/*.conf, *.inc) instead.

Applied to files:

  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-odroidxu4-current.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-meson64-edge.config
📚 Learning: 2025-03-31T12:57:13.880Z
Learnt from: libiunc
Repo: armbian/build PR: 8033
File: config/kernel/linux-starfive2-vendor.config:43-43
Timestamp: 2025-03-31T12:57:13.880Z
Learning: For StarFive2 platform kernel configurations, maintain alignment with vendor-provided configurations rather than modifying security settings like SECCOMP. This ensures hardware compatibility as intended by the manufacturer.

Applied to files:

  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-virtual-current.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-odroidxu4-current.config
📚 Learning: 2025-09-27T21:47:58.020Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-bcm2711-edge.config:859-861
Timestamp: 2025-09-27T21:47:58.020Z
Learning: In the Armbian build system, kernel configuration files in config/kernel/ are generated through an automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-odroidxu4-current.config
📚 Learning: 2025-11-08T06:39:24.527Z
Learnt from: EvilOlaf
Repo: armbian/build PR: 8886
File: patch/kernel/rk35xx-vendor-6.1/dt/rk3528-nanopi-rev01.dts:9-9
Timestamp: 2025-11-08T06:39:24.527Z
Learning: In Armbian's Rockchip vendor kernel branches (rk35xx-vendor), device tree files may not require the same headers as mainline Linux. For example, input key definitions like KEY_BACK and KEY_VOLUMEUP may be handled differently in BSP kernels and don't necessarily need explicit includes like <dt-bindings/input/input.h> that would be required in mainline kernel device trees.

Applied to files:

  • config/kernel/linux-rockchip-current.config
📚 Learning: 2025-09-27T21:49:55.796Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sm8250-current.config:78-80
Timestamp: 2025-09-27T21:49:55.796Z
Learning: In the Armbian build system, kernel configuration files are generated through an automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu64-current.config
📚 Learning: 2025-09-27T21:50:04.845Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sm8250-edge.config:80-82
Timestamp: 2025-09-27T21:50:04.845Z
Learning: In the Armbian build system, kernel configuration files are generated through this automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-meson64-current.config
📚 Learning: 2025-10-22T07:56:19.424Z
Learnt from: igorpecovnik
Repo: armbian/build PR: 8789
File: config/kernel/linux-sunxi64-edge.config:839-839
Timestamp: 2025-10-22T07:56:19.424Z
Learning: In Linux kernel configuration, some `=y` (builtin) options are infrastructure or feature flags that enable subsystems or features for modular drivers, rather than directly compiling code into the kernel. For example, in Armbian wireless configs, options like CONFIG_SPARD_WLAN_SUPPORT=y, CONFIG_SC23XX=y, CONFIG_WCN_BSP_DRIVER_BUILDIN=y, CONFIG_UNISOC_WIFI_PS=y are module infrastructure/feature enablers, while the actual drivers (CONFIG_WLAN_UWE5621=m, CONFIG_WLAN_UWE5622=m) remain as loadable modules. These infrastructure options don't cause kernel bloat.

Applied to files:

  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-meson64-edge.config
📚 Learning: 2025-07-27T15:56:34.414Z
Learnt from: pyavitz
Repo: armbian/build PR: 8421
File: config/kernel/linux-sunxi64-edge.config:438-439
Timestamp: 2025-07-27T15:56:34.414Z
Learning: CONFIG_NET_SCH_DEFAULT is a boolean kernel configuration option (=y or =n) that enables/disables the ability to override the default network queueing discipline at runtime. When set to 'y', it allows setting the actual qdisc name via /proc/sys/net/core/default_qdisc at runtime, not in the kernel config file itself.

Applied to files:

  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-odroidxu4-current.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-meson64-edge.config
📚 Learning: 2025-07-19T00:03:42.995Z
Learnt from: lanefu
Repo: armbian/build PR: 8377
File: config/kernel/linux-uefi-arm64-cloud.config:165-170
Timestamp: 2025-07-19T00:03:42.995Z
Learning: CONFIG_NETKIT was introduced in Linux kernel 4.14.330 (November 2023) and enables BPF-programmable network devices that can operate in Layer 3 or Layer 2 mode. It's a valid configuration option in modern kernels including 6.12.

Applied to files:

  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-virtual-current.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-meson64-edge.config
📚 Learning: 2025-07-15T21:09:23.252Z
Learnt from: pyavitz
Repo: armbian/build PR: 8383
File: config/kernel/linux-sunxi64-edge.config:57-64
Timestamp: 2025-07-15T21:09:23.252Z
Learning: In Linux kernel configuration, when CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y is set, the ondemand governor is implicitly enabled by default, making the explicit CONFIG_CPU_FREQ_GOV_ONDEMAND=y line redundant. The make menuconfig tool automatically removes such redundant lines. This behavior applies to CPU frequency governor configurations in general - setting a default governor automatically enables that governor.

Applied to files:

  • config/kernel/linux-sunxi-current.config
📚 Learning: 2025-08-02T05:46:10.664Z
Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-02T05:46:10.664Z
Learning: In the Armbian build system, the KERNEL_CONFIGURE=yes switch is deprecated. The recommended approach for kernel configuration is now to use the `kernel-config` build command, which provides a more structured way to configure kernel options.

Applied to files:

  • config/kernel/linux-meson64-edge.config
🔇 Additional comments (6)
config/kernel/linux-mvebu64-current.config (1)

9-12: CONFIG_BPF_UNPRIV_DEFAULT_OFF placement is correct

This aligns with the PR goal of disabling unprivileged eBPF by default while keeping BPF enabled for privileged use. The change is consistently applied across all 37 kernel config families in the codebase, confirming it came from the automated rewrite-kernel-config workflow rather than manual editing.

config/kernel/linux-meson64-current.config (1)

10-10: LGTM! Security configuration correctly applied.

The addition of CONFIG_BPF_UNPRIV_DEFAULT_OFF=y properly disables unprivileged BPF by default, which resolves the incorrect CPU vulnerability output mentioned in the PR description. The placement alongside other BPF-related options (after CONFIG_BPF_JIT=y) is logical and consistent.

Based on the PR comments and AI summary, this PR follows the recommended approach of updating both lib/functions/compilation/armbian-kernel.sh (for future config generation) and existing config files (for immediate deployment), which ensures consistency across all platforms.

config/kernel/linux-sunxi64-current.config (1)

9-9: LGTM! Consistent security configuration.

The CONFIG_BPF_UNPRIV_DEFAULT_OFF=y setting is correctly applied, consistent with other platform configurations in this PR. This ensures unprivileged BPF is disabled by default on sunxi64 platforms.

config/kernel/linux-rk322x-current.config (1)

95-107: BPF_UNPRIV_DEFAULT_OFF correctly enabled for rk322x

Setting CONFIG_BPF_UNPRIV_DEFAULT_OFF=y here is consistent with CONFIG_BPF=y and CONFIG_BPF_JIT=y, and achieves the PR’s goal of default‑disabling unprivileged BPF on this kernel family. No conflicts or regressions are apparent.

config/kernel/linux-mvebu-current.config (1)

6-15: Unprivileged BPF default‑off enabled for mvebu as intended

Adding CONFIG_BPF_UNPRIV_DEFAULT_OFF=y beside CONFIG_BPF_JIT=y cleanly applies the “unprivileged eBPF disabled by default” policy to the mvebu defconfig and is consistent with the rest of the networking/BPF setup.

lib/functions/compilation/armbian-kernel.sh (1)

123-123: LGTM! This is the correct approach.

Adding BPF_UNPRIV_DEFAULT_OFF to the opts_y array in the eBPF/BTF configuration function is the proper way to enable this option across all Armbian kernel configs. This change will automatically apply the setting when kernel configs are regenerated through the automated process.

The placement alongside other BPF-related options is appropriate, and this single change should eliminate the need for manual edits to individual config files.

Based on learnings about Armbian's kernel config automation and the PR discussion recommendation.

@tabrisnet
Collaborator

@tabrisnet I think this is what you meant.

looks reasonable, but again have you tried running rewrite-kernel-config against these configs to see what it does? it may [this is speculation, I don't know it will happen] decide, for example, that the line isn't needed [b/c it would already be =y if it wasn't already explicitly disabled as it was].
config/kernel is an overlay, not a full .config.
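
The distinction drawn in the comment above, between an overlay that explicitly carries `# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set` and one where the line is simply absent, can be checked mechanically. This is an added example, not part of the comment or of Armbian's tooling: the function names `overlay_option_state` and `audit_overlays` and the sample overlay files are constructed for illustration, and it makes no claim about what rewrite-kernel-config does.

```shell
#!/bin/sh
# Added example (not Armbian code): report how kernel config overlays treat
# one option. An overlay lists only differences from the arch defconfig, so
# an option is explicitly on, explicitly off, or absent from the file.

# overlay_option_state FILE OPTION
# Prints: enabled | module | disabled | absent | value:<v>
# If the option appears more than once, the last occurrence wins.
overlay_option_state() {
	oos_file=$1
	oos_opt="CONFIG_${2#CONFIG_}" # accept the name with or without CONFIG_
	awk -v opt="$oos_opt" '
		BEGIN { state = "absent" }
		# Kconfig records an explicit "n" as a comment line of this exact form.
		$0 == ("# " opt " is not set") { state = "disabled"; next }
		index($0, opt "=") == 1 {
			v = substr($0, length(opt) + 2)
			if (v == "y") state = "enabled"
			else if (v == "m") state = "module"
			else if (v == "n") state = "disabled"
			else state = "value:" v
		}
		END { print state }
	' "$oos_file"
}

# audit_overlays DIR OPTION
# Prints "<state><TAB><file>" for every *.config in DIR.
# Returns 1 if any overlay explicitly disables OPTION, else 0.
audit_overlays() {
	ao_rc=0
	for ao_f in "$1"/*.config; do
		[ -e "$ao_f" ] || continue
		ao_state=$(overlay_option_state "$ao_f" "$2")
		printf '%s\t%s\n' "$ao_state" "${ao_f##*/}"
		if [ "$ao_state" = "disabled" ]; then ao_rc=1; fi
	done
	return "$ao_rc"
}

# Demo on constructed overlays (file names and contents are made up here).
demo() {
	demo_dir=$(mktemp -d) || return 1
	printf 'CONFIG_BPF_JIT=y\n# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set\n' \
		> "$demo_dir/linux-example-legacy.config"
	printf 'CONFIG_BPF_JIT=y\nCONFIG_BPF_UNPRIV_DEFAULT_OFF=y\n' \
		> "$demo_dir/linux-example-current.config"
	printf 'CONFIG_BPF_JIT=y\n' \
		> "$demo_dir/linux-example-edge.config"
	if audit_overlays "$demo_dir" CONFIG_BPF_UNPRIV_DEFAULT_OFF; then
		echo "no overlay explicitly disables the option"
	else
		echo "at least one overlay explicitly disables the option"
	fi
	rm -rf "$demo_dir"
}

demo
```

From a checkout, `audit_overlays config/kernel BPF_UNPRIV_DEFAULT_OFF` lists each family's state; a non-zero exit status means at least one overlay still carries the explicit disable.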

@neheb
Contributor Author

neheb commented Dec 16, 2025

torvalds/linux@8a03e56b253e9

looks to be from 5.16. So it looks like these configs are holdovers from before then.

@tabrisnet
Collaborator

We run a massive rewrite-kernel-config job every week or every month [I'm not sure, but the workflow is configured for weekly] to try to keep things up synced [not related to your comment re 5.16], and my goal here is to not introduce a bunch of churn, where you make a change then the automated machinery does another change on top of that.

@neheb
Contributor Author

neheb commented Dec 16, 2025

After some configuration (my repo was still on master), I started https://github.com/neheb/build/actions/runs/20253971351

@neheb
Contributor Author

neheb commented Dec 18, 2025

Rebased.

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
lib/functions/compilation/armbian-kernel.sh (1)

100-127: Consider enabling BPF_UNPRIV_DEFAULT_OFF unconditionally for consistent security posture.

BPF_UNPRIV_DEFAULT_OFF is currently only enabled when KERNEL_BTF != "no" (line 123). However, this is a security hardening option independent of BTF debug information:

  • BPF_UNPRIV_DEFAULT_OFF: Controls whether unprivileged users can create BPF programs (security)
  • KERNEL_BTF: Controls debug information for eBPF programs (debugging/observability)

When users set KERNEL_BTF=no (e.g., on low-memory systems per lines 111-116), the security hardening is skipped, leaving unprivileged BPF enabled by default. This inconsistency means the Spectre v2 vulnerability fix mentioned in the PR description won't apply universally.

🔎 Consider this approach to apply the security hardening unconditionally:
 function armbian_kernel_config__600_enable_ebpf_and_btf_info() {
+	# Always disable unprivileged BPF for security hardening (independent of BTF)
+	opts_y+=("BPF_UNPRIV_DEFAULT_OFF")
+
 	if [[ "${KERNEL_BTF}" == "no" ]]; then # If user is explicit by passing "KERNEL_BTF=no", then actually disable all debug info.
 		display_alert "Disabling eBPF and BTF info for kernel" "as requested by KERNEL_BTF=no" "info"
 		opts_y+=("DEBUG_INFO_NONE")                                                          # Enable the "none" option
 		opts_n+=("DEBUG_INFO" "DEBUG_INFO_DWARF5" "DEBUG_INFO_BTF" "DEBUG_INFO_BTF_MODULES") # BTF & CO-RE == off
 		# We don't disable the eBPF options, as eBPF itself doesn't require BTF (debug info) and doesnt' consume as much memory during build as BTF debug info does.
 	else
 		declare -i available_physical_memory_mib
 		available_physical_memory_mib=$(($(awk '/MemAvailable/ {print $2}' /proc/meminfo) / 1024)) # MiB
 		display_alert "Considering available RAM for BTF build" "${available_physical_memory_mib} MiB" "info"
 
 		if [[ ${available_physical_memory_mib} -lt 6451 ]]; then # If less than 6451 MiB of RAM is available, then exit with an error, telling the user to avoid pain and set KERNEL_BTF=no ...
 			if [[ "${KERNEL_BTF}" == "yes" ]]; then                 # ... except if the user knows better, and has set KERNEL_BTF=yes, then we'll just warn.
 				display_alert "Not enough RAM available (${available_physical_memory_mib}Mib) for BTF build" "but KERNEL_BTF=yes is set; enabling BTF" "warn"
 			else
 				exit_with_error "Not enough RAM available (${available_physical_memory_mib}Mib) for BTF build. Please set 'KERNEL_BTF=no' to avoid running out of memory during the kernel LD/BTF build step; or ignore this check by setting 'KERNEL_BTF=yes' -- that might put a lot of load on your swap disk, if any."
 			fi
 		fi
 
 		display_alert "Enabling eBPF and BTF info" "for fully BTF & CO-RE enabled kernel" "info"
 		opts_n+=("DEBUG_INFO_NONE") # Make sure the "none" option is disabled
 		opts_y+=(
 			"BPF_JIT" "BPF_JIT_DEFAULT_ON" "FTRACE_SYSCALLS" "PROBE_EVENTS_BTF_ARGS" "BPF_KPROBE_OVERRIDE" # eBPF == on
-			"BPF_UNPRIV_DEFAULT_OFF"
 			"DEBUG_INFO" "DEBUG_INFO_DWARF5" "DEBUG_INFO_BTF" "DEBUG_INFO_BTF_MODULES"                     # BTF & CO-RE == off
 		)
 	fi
 }
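
Review bot: The comment on the added `opts_y+=("BPF_UNPRIV_DEFAULT_OFF")` line at the top of the function says "Always disable unprivileged BPF", but the option name only says the default is off, so the comment should read "default unprivileged BPF to off" to avoid implying a hard disable. Since the hunk already edits the `opts_y+=(` array in the else branch, the trailing `# BTF & CO-RE == off` comment on the DEBUG_INFO line is attached to options that are being enabled and should say `== on`. Hoisting the option out of the else branch is consistent with the KERNEL_BTF=no branch's own comment that the eBPF options are not disabled there, which is exactly the case where the hardening would otherwise be skipped.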

This ensures the security fix applies consistently regardless of memory constraints or BTF settings.

🧹 Nitpick comments (3)
config/kernel/linux-odroidxu4-current.config (1)

9-9: CONFIG_BPF_UNPRIV_DEFAULT_OFF=y here is semantically correct and aligns with the PR goal

This pairs correctly with existing CONFIG_BPF_SYSCALL/CONFIG_BPF_JIT and will default‑disable unprivileged eBPF on odroidxu4. If this PR also wires BPF_UNPRIV_DEFAULT_OFF into armbian-kernel.sh (as discussed in the thread), future rewrite-kernel-config runs should regenerate the same line, so this explicit edit is fine but somewhat redundant; relying on the scripted helper plus rewrite to touch all configs would keep churn lower.

config/kernel/linux-bcm2711-legacy.config (1)

10-10: Consistent enablement of CONFIG_BPF_UNPRIV_DEFAULT_OFF for bcm2711 legacy

Setting CONFIG_BPF_UNPRIV_DEFAULT_OFF=y here matches the other bcm2711 variants and correctly default‑disables unprivileged eBPF. Given the automated Armbian flow (armbian-kernel.sh → rewrite-kernel-config), you can optionally rely on the helper function alone and let the rewrite job regenerate this line, to avoid having to touch each family config manually next time.

config/kernel/linux-imx6-current.config (1)

12-12: Correctly default‑disables unprivileged eBPF for imx6-current

CONFIG_BPF_UNPRIV_DEFAULT_OFF=y fits with the existing BPF JIT settings and aligns this family with the PR’s cross‑arch policy. Assuming the option is also driven via armbian-kernel.sh, future rewrite-kernel-config runs should keep this line stable; using the script as the primary source and letting the rewrite workflow update configs will help avoid manual per‑file edits next time.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 47db71f and 29fbc19.

📒 Files selected for processing (33)
  • config/kernel/linux-bcm2711-current.config (1 hunks)
  • config/kernel/linux-bcm2711-edge.config (1 hunks)
  • config/kernel/linux-bcm2711-legacy.config (1 hunks)
  • config/kernel/linux-imx6-current.config (1 hunks)
  • config/kernel/linux-imx6-edge.config (1 hunks)
  • config/kernel/linux-imx6-legacy.config (1 hunks)
  • config/kernel/linux-meson64-current.config (1 hunks)
  • config/kernel/linux-meson64-edge.config (1 hunks)
  • config/kernel/linux-mvebu-current.config (1 hunks)
  • config/kernel/linux-mvebu-edge.config (1 hunks)
  • config/kernel/linux-mvebu-legacy.config (1 hunks)
  • config/kernel/linux-mvebu64-current.config (1 hunks)
  • config/kernel/linux-mvebu64-edge.config (1 hunks)
  • config/kernel/linux-mvebu64-legacy.config (1 hunks)
  • config/kernel/linux-odroidxu4-current.config (1 hunks)
  • config/kernel/linux-odroidxu4-edge.config (1 hunks)
  • config/kernel/linux-rk322x-current.config (1 hunks)
  • config/kernel/linux-rk322x-edge.config (1 hunks)
  • config/kernel/linux-rk35xx-vendor.config (1 hunks)
  • config/kernel/linux-rockchip-current.config (1 hunks)
  • config/kernel/linux-rockchip-edge.config (1 hunks)
  • config/kernel/linux-rockchip-rk3588-edge.config (1 hunks)
  • config/kernel/linux-rockchip64-current.config (1 hunks)
  • config/kernel/linux-rockchip64-edge.config (1 hunks)
  • config/kernel/linux-sunxi-current.config (1 hunks)
  • config/kernel/linux-sunxi-edge.config (1 hunks)
  • config/kernel/linux-sunxi-legacy.config (1 hunks)
  • config/kernel/linux-sunxi64-current.config (1 hunks)
  • config/kernel/linux-sunxi64-edge.config (1 hunks)
  • config/kernel/linux-sunxi64-legacy.config (1 hunks)
  • config/kernel/linux-thead-legacy.config (1 hunks)
  • config/kernel/linux-virtual-current.config (1 hunks)
  • lib/functions/compilation/armbian-kernel.sh (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (25)
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-bcm2711-current.config
  • config/kernel/linux-rockchip64-current.config
  • config/kernel/linux-odroidxu4-edge.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-virtual-current.config
  • config/kernel/linux-imx6-legacy.config
  • config/kernel/linux-imx6-edge.config
  • config/kernel/linux-sunxi64-legacy.config
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-rockchip-edge.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-thead-legacy.config
  • config/kernel/linux-meson64-edge.config
  • config/kernel/linux-bcm2711-edge.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-sunxi-edge.config
🧰 Additional context used
🧠 Learnings (22)
📓 Common learnings
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.
Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub or the PR API to get the complete picture of what files are being added or modified.
Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub API (https://api.github.com/repos/armbian/build/pulls/{pr_number}/files) to get the complete picture of what files are being added or modified, especially for U-Boot patches that will be applied during the build process.
Learnt from: igorpecovnik
Repo: armbian/build PR: 9087
File: .github/workflows/pr-check-pictures.yml:138-146
Timestamp: 2025-12-16T13:40:01.143Z
Learning: In the Armbian build repository, when introducing new requirements or checks (like the board assets verification workflow), the project prefers an initial educational-only period where violations post helpful PR comments and warnings but don't block merges. This allows contributors to become familiar with new requirements before enforcement is enabled (typically after ~6 months).
Learnt from: glneo
Repo: armbian/build PR: 8913
File: config/sources/families/include/k3_common.inc:57-60
Timestamp: 2025-11-11T20:56:20.303Z
Learning: In config/sources/families/include/k3_common.inc, the OP-TEE build command at line 59 should be updated in a future PR to explicitly set CROSS_COMPILE64=aarch64-linux-gnu- and CROSS_COMPILE32=arm-linux-gnueabihf- instead of relying on OP-TEE's internal defaults, for better clarity and maintainability. User glneo agreed to address this in a separate PR.
Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-12-17T05:09:02.274Z
Learning: In the Armbian build system, kernel patches (e.g., in patch/kernel/archive/sunxi-6.18/patches.armbian/) contain device tree overlays and other code that have existed for years and are maintained/ported across kernel versions. When reviewing PRs that modify these patch files, focus on the actual changes being made (e.g., Makefile fixes, new additions) rather than reviewing the entire existing content within the patch as if it were new code. The patch file contents are existing, stable code unless explicitly modified in the PR diff.
Learnt from: EvilOlaf
Repo: armbian/build PR: 8328
File: lib/functions/compilation/patch/drivers_network.sh:542-545
Timestamp: 2025-06-24T10:08:40.313Z
Learning: In the Armbian build system, when a PR removes build support for a specific kernel version, version check issues for that removed version become practically irrelevant even if they appear incorrect in isolation. Context about which kernel versions are being deprecated/removed is important for understanding the impact of version-related code changes.
Learnt from: igorpecovnik
Repo: armbian/build PR: 8705
File: .github/workflows/rewrite-kernel-configs.yml:217-220
Timestamp: 2025-10-04T17:59:19.369Z
Learning: In the Armbian build repository's kernel config rewrite workflow (.github/workflows/rewrite-kernel-configs.yml), the workflow is designed to rewrite existing kernel configs only. New/untracked files can be safely ignored, so using `git diff --quiet` (which ignores untracked files) is the correct approach for detecting changes rather than `git status --porcelain`.
Learnt from: EvilOlaf
Repo: armbian/build PR: 8968
File: patch/u-boot/u-boot-sunxi/arm64-dts-sun50i-h6-orangepi.dtsi-Rollback-r_rsb-to-r_i2c.patch:36-36
Timestamp: 2025-11-20T18:20:11.985Z
Learning: The rewrite-patches tool (REWRITE_PATCHES=yes) in the Armbian build system can inadvertently introduce semantic changes when the u-boot/kernel git base revision differs from expected state. The tool applies patches, commits them, and re-exports them using git format-patch, which can cause the re-exported patch to reflect the base revision's state rather than preserving the original patch intent. This is particularly problematic for device tree changes like interrupt specifications. The tool currently lacks validation mechanisms to detect such semantic drift, and affected patches must be manually corrected after rewriting.
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: The kernel_config_set_m function in lib/functions/compilation/armbian-kernel.sh preserves existing 'y' (built-in) settings and only sets options to 'm' (module) when they are not already built-in, achieving "prefer modules but allow built-ins" behavior.
Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:56:33.372Z
Learning: In Armbian kernel configuration, the BTRFS configuration logic preserves existing settings (whether built-in 'y' or module 'm') and only sets BTRFS_FS to module when it was previously disabled or not set, achieving "allow but not require" flexibility while maintaining backward compatibility.
Learnt from: igorpecovnik
Repo: armbian/build PR: 8789
File: config/kernel/linux-sunxi64-edge.config:839-839
Timestamp: 2025-10-22T07:56:19.424Z
Learning: In Linux kernel configuration, some `=y` (builtin) options are infrastructure or feature flags that enable subsystems or features for modular drivers, rather than directly compiling code into the kernel. For example, in Armbian wireless configs, options like CONFIG_SPARD_WLAN_SUPPORT=y, CONFIG_SC23XX=y, CONFIG_WCN_BSP_DRIVER_BUILDIN=y, CONFIG_UNISOC_WIFI_PS=y are module infrastructure/feature enablers, while the actual drivers (CONFIG_WLAN_UWE5621=m, CONFIG_WLAN_UWE5622=m) remain as loadable modules. These infrastructure options don't cause kernel bloat.
Learnt from: rpardini
Repo: armbian/build PR: 8820
File: config/sources/families/include/meson64_common.inc:51-53
Timestamp: 2025-10-26T12:56:29.185Z
Learning: In the Armbian build framework, scripts/config correctly handles kernel configuration option names both with and without the CONFIG_ prefix, so opts_m+=("CONFIG_RTL8822CS") and opts_m+=("RTL8822CS") are both valid and will work correctly.
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the kernel_config_modifying_hashes array is not universally required for all kernel configuration functions - some functions like armbian_kernel_config__netkit() operate without it, and adding entries with '=m' would be incorrect when the actual result might be '=y' for options already built-in.
Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:48:09.091Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the user prefers flexible grep patterns over anchored ones for BTRFS configuration checks, but agrees to use quiet grep (-q) to avoid polluting build logs.
📚 Learning: 2025-08-30T04:13:16.457Z
Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T04:13:16.457Z
Learning: Armbian kernel configuration files like linux-filogic-current.config are autogenerated overlays on top of arch defconfig. Comments added manually will be lost during future updates by maintainers, and explicit "CONFIG_OPTION is not set" statements aren't needed for mutually exclusive options since these are overlay configs that only specify changes from the base configuration.

Applied to files:

  • config/kernel/linux-imx6-current.config
  • config/kernel/linux-mvebu64-edge.config
  • config/kernel/linux-rk35xx-vendor.config
  • config/kernel/linux-mvebu-legacy.config
  • config/kernel/linux-rockchip-rk3588-edge.config
  • config/kernel/linux-odroidxu4-current.config
  • config/kernel/linux-bcm2711-legacy.config
📚 Learning: 2025-09-25T18:37:00.330Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.

Applied to files:

  • config/kernel/linux-imx6-current.config
  • config/kernel/linux-mvebu64-edge.config
  • config/kernel/linux-rk35xx-vendor.config
  • config/kernel/linux-mvebu-legacy.config
  • config/kernel/linux-rockchip-rk3588-edge.config
  • lib/functions/compilation/armbian-kernel.sh
  • config/kernel/linux-odroidxu4-current.config
  • config/kernel/linux-bcm2711-legacy.config
📚 Learning: 2025-11-02T20:49:56.719Z
Learnt from: igorpecovnik
Repo: armbian/build PR: 8849
File: config/boards/radxa-e54c.csc:14-28
Timestamp: 2025-11-02T20:49:56.719Z
Learning: In Armbian board configuration files (config/boards/*.conf, *.csc, etc.), do not use kernel_config_set, kernel_config_set_m, kernel_config_set_y, or custom_kernel_config__* functions to modify kernel configuration. Kernel configuration is associated with LINUXFAMILY/BOARDFAMILY, not individual BOARD. Board-specific kernel modifications cause inconsistency in kernel packages published to the apt repository because boards within a family share the same kernel packages. Kernel configuration changes must be made in the appropriate kernel config file (e.g., config/kernel/linux-*-*.config) or in family configuration files (config/sources/families/*.conf, *.inc) instead.

Applied to files:

  • config/kernel/linux-imx6-current.config
  • config/kernel/linux-mvebu64-edge.config
  • config/kernel/linux-rk35xx-vendor.config
  • config/kernel/linux-mvebu-legacy.config
  • config/kernel/linux-rockchip-rk3588-edge.config
  • config/kernel/linux-odroidxu4-current.config
  • config/kernel/linux-bcm2711-legacy.config
📚 Learning: 2025-09-22T21:52:01.225Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: The kernel_config_set_m function in lib/functions/compilation/armbian-kernel.sh preserves existing 'y' (built-in) settings and only sets options to 'm' (module) when they are not already built-in, achieving "prefer modules but allow built-ins" behavior.

Applied to files:

  • config/kernel/linux-imx6-current.config
  • config/kernel/linux-mvebu64-edge.config
  • config/kernel/linux-rk35xx-vendor.config
  • config/kernel/linux-mvebu-legacy.config
  • config/kernel/linux-rockchip-rk3588-edge.config
  • config/kernel/linux-bcm2711-legacy.config
📚 Learning: 2025-10-22T07:56:19.424Z
Learnt from: igorpecovnik
Repo: armbian/build PR: 8789
File: config/kernel/linux-sunxi64-edge.config:839-839
Timestamp: 2025-10-22T07:56:19.424Z
Learning: In Linux kernel configuration, some `=y` (builtin) options are infrastructure or feature flags that enable subsystems or features for modular drivers, rather than directly compiling code into the kernel. For example, in Armbian wireless configs, options like CONFIG_SPARD_WLAN_SUPPORT=y, CONFIG_SC23XX=y, CONFIG_WCN_BSP_DRIVER_BUILDIN=y, CONFIG_UNISOC_WIFI_PS=y are module infrastructure/feature enablers, while the actual drivers (CONFIG_WLAN_UWE5621=m, CONFIG_WLAN_UWE5622=m) remain as loadable modules. These infrastructure options don't cause kernel bloat.

Applied to files:

  • config/kernel/linux-imx6-current.config
  • config/kernel/linux-mvebu64-edge.config
  • config/kernel/linux-rk35xx-vendor.config
  • config/kernel/linux-mvebu-legacy.config
  • config/kernel/linux-rockchip-rk3588-edge.config
  • config/kernel/linux-bcm2711-legacy.config
📚 Learning: 2025-08-30T06:56:33.372Z
Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:56:33.372Z
Learning: In Armbian kernel configuration, the BTRFS configuration logic preserves existing settings (whether built-in 'y' or module 'm') and only sets BTRFS_FS to module when it was previously disabled or not set, achieving "allow but not require" flexibility while maintaining backward compatibility.

Applied to files:

  • config/kernel/linux-imx6-current.config
  • config/kernel/linux-mvebu64-edge.config
  • config/kernel/linux-rk35xx-vendor.config
  • config/kernel/linux-mvebu-legacy.config
  • config/kernel/linux-rockchip-rk3588-edge.config
  • lib/functions/compilation/armbian-kernel.sh
  • config/kernel/linux-odroidxu4-current.config
  • config/kernel/linux-bcm2711-legacy.config
📚 Learning: 2025-03-31T12:57:13.880Z
Learnt from: libiunc
Repo: armbian/build PR: 8033
File: config/kernel/linux-starfive2-vendor.config:43-43
Timestamp: 2025-03-31T12:57:13.880Z
Learning: For StarFive2 platform kernel configurations, maintain alignment with vendor-provided configurations rather than modifying security settings like SECCOMP. This ensures hardware compatibility as intended by the manufacturer.

Applied to files:

  • config/kernel/linux-mvebu64-edge.config
  • config/kernel/linux-rk35xx-vendor.config
  • config/kernel/linux-odroidxu4-current.config
📚 Learning: 2025-09-22T21:52:01.225Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the kernel_config_modifying_hashes array is not universally required for all kernel configuration functions - some functions like armbian_kernel_config__netkit() operate without it, and adding entries with '=m' would be incorrect when the actual result might be '=y' for options already built-in.

Applied to files:

  • config/kernel/linux-mvebu64-edge.config
  • lib/functions/compilation/armbian-kernel.sh
📚 Learning: 2025-07-27T15:56:34.414Z
Learnt from: pyavitz
Repo: armbian/build PR: 8421
File: config/kernel/linux-sunxi64-edge.config:438-439
Timestamp: 2025-07-27T15:56:34.414Z
Learning: CONFIG_NET_SCH_DEFAULT is a boolean kernel configuration option (=y or =n) that enables/disables the ability to override the default network queueing discipline at runtime. When set to 'y', it allows setting the actual qdisc name via /proc/sys/net/core/default_qdisc at runtime, not in the kernel config file itself.

Applied to files:

  • config/kernel/linux-mvebu64-edge.config
  • config/kernel/linux-rk35xx-vendor.config
  • config/kernel/linux-bcm2711-legacy.config
📚 Learning: 2025-07-19T00:03:42.995Z
Learnt from: lanefu
Repo: armbian/build PR: 8377
File: config/kernel/linux-uefi-arm64-cloud.config:165-170
Timestamp: 2025-07-19T00:03:42.995Z
Learning: CONFIG_NETKIT was introduced in Linux kernel 4.14.330 (November 2023) and enables BPF-programmable network devices that can operate in Layer 3 or Layer 2 mode. It's a valid configuration option in modern kernels including 6.12.

Applied to files:

  • config/kernel/linux-mvebu64-edge.config
  • config/kernel/linux-mvebu-legacy.config
  • config/kernel/linux-rockchip-rk3588-edge.config
  • config/kernel/linux-bcm2711-legacy.config
📚 Learning: 2025-08-11T22:00:13.411Z
Learnt from: rafayahmed317
Repo: armbian/build PR: 8484
File: config/kernel/linux-rk35xx-vendor.config:904-906
Timestamp: 2025-08-11T22:00:13.411Z
Learning: In the linux-rk35xx-vendor kernel, the LTE driver options (CONFIG_LTE, CONFIG_LTE_RM310, CONFIG_LTE_EM05) are defined as boolean in drivers/net/lte/Kconfig and cannot be built as modules - they must be either built-in (=y) or disabled.

Applied to files:

  • config/kernel/linux-rk35xx-vendor.config
📚 Learning: 2025-11-08T06:39:24.527Z
Learnt from: EvilOlaf
Repo: armbian/build PR: 8886
File: patch/kernel/rk35xx-vendor-6.1/dt/rk3528-nanopi-rev01.dts:9-9
Timestamp: 2025-11-08T06:39:24.527Z
Learning: In Armbian's Rockchip vendor kernel branches (rk35xx-vendor), device tree files may not require the same headers as mainline Linux. For example, input key definitions like KEY_BACK and KEY_VOLUMEUP may be handled differently in BSP kernels and don't necessarily need explicit includes like <dt-bindings/input/input.h> that would be required in mainline kernel device trees.

Applied to files:

  • config/kernel/linux-rk35xx-vendor.config
📚 Learning: 2025-09-14T06:29:18.958Z
Learnt from: amazingfate
Repo: armbian/build PR: 8619
File: config/sources/families/rockchip.conf:64-70
Timestamp: 2025-09-14T06:29:18.958Z
Learning: In the Armbian build system, vendor branch configurations in family files are designed to be shared across multiple SoCs within the same family that use the same vendor kernel tree. For example, rk35xx and rockchip-rk3588 families both use identical vendor branch settings (same KERNELSOURCE, KERNELBRANCH, and KERNELPATCHDIR), demonstrating that vendor branches are intentionally generic rather than SoC-specific.

Applied to files:

  • config/kernel/linux-rk35xx-vendor.config
📚 Learning: 2025-09-27T21:47:58.020Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-bcm2711-edge.config:859-861
Timestamp: 2025-09-27T21:47:58.020Z
Learning: In the Armbian build system, kernel configuration files in config/kernel/ are generated through an automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

  • config/kernel/linux-mvebu-legacy.config
  • config/kernel/linux-bcm2711-legacy.config
📚 Learning: 2025-09-27T21:50:15.915Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sunxi64-current.config:94-94
Timestamp: 2025-09-27T21:50:15.915Z
Learning: When kernel config files are generated through Armbian's automated process (previous config → armbian-kernel.sh changes → make oldconfig → Armbian machinery processing), manual config file edits are not appropriate since they would be overwritten. Deprecated option handling should be implemented in the automated tooling instead.

Applied to files:

  • config/kernel/linux-mvebu-legacy.config
  • lib/functions/compilation/armbian-kernel.sh
  • config/kernel/linux-odroidxu4-current.config
  • config/kernel/linux-bcm2711-legacy.config
📚 Learning: 2025-09-27T21:49:55.796Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sm8250-current.config:78-80
Timestamp: 2025-09-27T21:49:55.796Z
Learning: In the Armbian build system, kernel configuration files are generated through an automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

  • config/kernel/linux-mvebu-legacy.config
  • lib/functions/compilation/armbian-kernel.sh
📚 Learning: 2025-10-26T10:41:35.118Z
Learnt from: HackingGate
Repo: armbian/build PR: 8665
File: config/boards/photonicat2.csc:4-4
Timestamp: 2025-10-26T10:41:35.118Z
Learning: In the Armbian build system, rk3576 boards consistently use BOARDFAMILY="rk35xx" for both vendor and edge kernel targets. The rk35xx family configuration sources rockchip64_common.inc, which provides edge and current kernel branch definitions, making these branches available even though they're not defined directly in rk35xx.conf.

Applied to files:

  • config/kernel/linux-rockchip-rk3588-edge.config
📚 Learning: 2025-09-27T21:50:04.845Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sm8250-edge.config:80-82
Timestamp: 2025-09-27T21:50:04.845Z
Learning: In the Armbian build system, kernel configuration files are generated through this automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

  • lib/functions/compilation/armbian-kernel.sh
  • config/kernel/linux-bcm2711-legacy.config
📚 Learning: 2025-09-22T21:59:36.334Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:200-200
Timestamp: 2025-09-22T21:59:36.334Z
Learning: Functions named with the pattern `armbian_kernel_config__*` in lib/functions/compilation/armbian-kernel.sh are automatically discovered and invoked by Armbian's extension system via metaprogramming using `compgen -A function`, without requiring explicit registration or calls.

Applied to files:

  • lib/functions/compilation/armbian-kernel.sh
📚 Learning: 2025-07-25T03:51:50.830Z
Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub or the PR API to get the complete picture of what files are being added or modified.

Applied to files:

  • lib/functions/compilation/armbian-kernel.sh
  • config/kernel/linux-odroidxu4-current.config
📚 Learning: 2025-10-26T12:56:29.185Z
Learnt from: rpardini
Repo: armbian/build PR: 8820
File: config/sources/families/include/meson64_common.inc:51-53
Timestamp: 2025-10-26T12:56:29.185Z
Learning: In the Armbian build framework, scripts/config correctly handles kernel configuration option names both with and without the CONFIG_ prefix, so opts_m+=("CONFIG_RTL8822CS") and opts_m+=("RTL8822CS") are both valid and will work correctly.

Applied to files:

  • lib/functions/compilation/armbian-kernel.sh
🔇 Additional comments (4)
config/kernel/linux-rockchip-rk3588-edge.config (1)

92-106: Enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF here is correct and aligned with the PR goal

This makes unprivileged eBPF disabled by default on rk3588-edge while keeping BPF/JIT available for privileged users, and aligns this defconfig with the rest of the arches updated in the PR. I don’t see conflicts in the surrounding BPF settings; assuming the armbian-kernel.sh helper was updated as discussed so rewrite-kernel-config reproduces this, this change looks good to keep.

If you haven’t already, it’s worth running the kernel-config rewrite workflow (or ./lib/tools/rewrite-kernel-config) once to confirm this line is preserved/generated rather than being a one-off manual edit.

config/kernel/linux-mvebu64-edge.config (1)

8-12: Enable unprivileged BPF default‑off on mvebu64 edge is appropriate

Placing CONFIG_BPF_UNPRIV_DEFAULT_OFF=y alongside CONFIG_BPF_SYSCALL/CONFIG_BPF_JIT cleanly enforces “no unprivileged BPF by default” while preserving privileged BPF functionality, which matches the PR’s stated goal and Armbian’s overlay-config workflow. Based on learnings, this looks correct and low‑risk.

config/kernel/linux-mvebu-legacy.config (1)

94-105: Consistent unprivileged BPF default‑off across mvebu legacy config

Adding CONFIG_BPF_UNPRIV_DEFAULT_OFF=y here mirrors the 64‑bit edge/current configs and ensures legacy mvebu kernels also default to unprivileged BPF disabled, aligning with the vulnerability-mitigation intent without introducing conflicting options. Based on learnings, this is a sensible, consistent configuration.

config/kernel/linux-rk35xx-vendor.config (1)

10-10: LGTM! Config file correctly reflects the script change.

The addition of CONFIG_BPF_UNPRIV_DEFAULT_OFF=y aligns with the PR objective to disable unprivileged BPF and fix the Spectre v2 vulnerability output. Based on learnings, this config file appears to be properly auto-generated after modifying lib/functions/compilation/armbian-kernel.sh.
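
An added example, not part of this PR or of Armbian's tooling: a POSIX shell check for what the review comments above ask to confirm, reporting per config fragment whether CONFIG_BPF_UNPRIV_DEFAULT_OFF is set, explicitly unset, contradictory, or absent, and decoding the matching runtime sysctl. The function names and the `linux-example-*.config` fragments are constructed for illustration, and the code assumes kconfig's behaviour of letting the last assignment of a duplicated symbol win.

```shell
#!/bin/sh
# Added example: audit kernel config fragments for CONFIG_BPF_UNPRIV_DEFAULT_OFF.
# Function names and sample fragments are constructed, not Armbian tooling.

SYM=CONFIG_BPF_UNPRIV_DEFAULT_OFF

# Print on | off | absent for the symbol in fragment $1.
# Assumption: a later assignment overrides an earlier one, as kconfig does
# when a symbol appears twice, so the last matching line decides.
bpf_unpriv_state() {
    awk -v sym="$SYM" '
        $0 == (sym "=y")               { state = "on" }
        $0 == ("# " sym " is not set") { state = "off" }
        END { print (state == "" ? "absent" : state) }
    ' "$1"
}

# Succeed when fragment $1 carries both "=y" and "is not set" for the symbol,
# the leftover-line case that makes the effective value order-dependent.
bpf_unpriv_conflict() {
    grep -qx "$SYM=y" "$1" && grep -qx "# $SYM is not set" "$1"
}

# Print "<state> <file>" for each *.config in directory $1. Return 1 if any
# fragment is explicitly off or contradictory, 0 otherwise. "absent" is only
# reported: the value then comes from the kernel's own Kconfig default.
audit_configs() {
    audit_rc=0
    for audit_f in "$1"/*.config; do
        [ -f "$audit_f" ] || continue
        audit_s=$(bpf_unpriv_state "$audit_f")
        if bpf_unpriv_conflict "$audit_f"; then
            audit_s="conflict"
        fi
        echo "$audit_s $audit_f"
        case "$audit_s" in
            off|conflict) audit_rc=1 ;;
        esac
    done
    return "$audit_rc"
}

# Decode a value read from /proc/sys/kernel/unprivileged_bpf_disabled.
# A kernel built with the symbol set to y starts with the value 2.
describe_sysctl() {
    case "$1" in
        0) echo "enabled" ;;
        1) echo "disabled-locked" ;;
        2) echo "disabled-admin-can-reenable" ;;
        *) echo "unknown" ;;
    esac
}

# Create constructed sample fragments in a temp dir and print its path.
make_sample_dir() {
    sample_d=$(mktemp -d) || return 1
    printf '%s\n' 'CONFIG_BPF_SYSCALL=y' "$SYM=y" > "$sample_d/linux-example-a.config"
    printf '%s\n' 'CONFIG_BPF_SYSCALL=y' "# $SYM is not set" > "$sample_d/linux-example-b.config"
    printf '%s\n' 'CONFIG_BPF_SYSCALL=y' > "$sample_d/linux-example-c.config"
    printf '%s\n' "# $SYM is not set" "$SYM=y" > "$sample_d/linux-example-d.config"
    echo "$sample_d"
}

# Demo run on the constructed fragments, then on the running kernel if readable.
demo_dir=$(make_sample_dir)
audit_configs "$demo_dir" || echo "review needed: a fragment is off or contradictory"
if [ -r /proc/sys/kernel/unprivileged_bpf_disabled ]; then
    echo "running kernel: $(describe_sysctl "$(cat /proc/sys/kernel/unprivileged_bpf_disabled)")"
fi
rm -rf "$demo_dir"
```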

@neheb
Contributor Author

neheb commented Dec 18, 2025

@EvilOlaf not sure I follow.

if

`# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set`

will override the changes here, how would it be fixed?

@EvilOlaf
Member

Why should this override?

@tabrisnet
Collaborator

tabrisnet commented Dec 18, 2025 via email

@neheb
Contributor Author

neheb commented Dec 21, 2025

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (2)
config/kernel/linux-mvebu-legacy.config (1)

94-105: CONFIG_BPF_UNPRIV_DEFAULT_OFF=y here is correct and aligned with the PR’s goal

Placing CONFIG_BPF_UNPRIV_DEFAULT_OFF=y alongside CONFIG_BPF=y / CONFIG_BPF_SYSCALL=y cleanly enforces “unprivileged eBPF default-off” on this legacy mvebu kernel, which is exactly what the spectre_v2 reporting logic expects. No conflicting BPF options are present in this block, so the change is safe and behaviorally clear.

If you later regenerate this autogen .config via rewrite-kernel-config, just ensure the armbian-kernel.sh hook also sets this symbol so the change persists and you don’t see churn in this file. Based on learnings, these configs are overlays on top of arch defconfig and are periodically rewritten.

config/kernel/linux-mvebu-current.config (1)

6-12: Defconfig overlay use of CONFIG_BPF_UNPRIV_DEFAULT_OFF=y looks good

Setting CONFIG_BPF_UNPRIV_DEFAULT_OFF=y in this Armbian mvebu “current” defconfig cleanly enforces unprivileged-BPF default-off (while keeping CONFIG_BPF_JIT=y and privileged BPF intact), matching the PR’s objective and the legacy config behavior. As an overlay, this is the appropriate place to override the kernel’s default for this family; any future rewrite of defconfigs will either preserve or drop it as redundant without functional risk.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between 29fbc19 and b02f95c.

📒 Files selected for processing (33)
  • config/kernel/linux-bcm2711-current.config (1 hunks)
  • config/kernel/linux-bcm2711-edge.config (1 hunks)
  • config/kernel/linux-bcm2711-legacy.config (1 hunks)
  • config/kernel/linux-imx6-current.config (1 hunks)
  • config/kernel/linux-imx6-edge.config (1 hunks)
  • config/kernel/linux-imx6-legacy.config (1 hunks)
  • config/kernel/linux-meson64-current.config (1 hunks)
  • config/kernel/linux-meson64-edge.config (1 hunks)
  • config/kernel/linux-mvebu-current.config (1 hunks)
  • config/kernel/linux-mvebu-edge.config (1 hunks)
  • config/kernel/linux-mvebu-legacy.config (1 hunks)
  • config/kernel/linux-mvebu64-current.config (1 hunks)
  • config/kernel/linux-mvebu64-edge.config (1 hunks)
  • config/kernel/linux-mvebu64-legacy.config (1 hunks)
  • config/kernel/linux-odroidxu4-current.config (1 hunks)
  • config/kernel/linux-odroidxu4-edge.config (1 hunks)
  • config/kernel/linux-rk322x-current.config (1 hunks)
  • config/kernel/linux-rk322x-edge.config (1 hunks)
  • config/kernel/linux-rk35xx-vendor.config (1 hunks)
  • config/kernel/linux-rockchip-current.config (1 hunks)
  • config/kernel/linux-rockchip-edge.config (1 hunks)
  • config/kernel/linux-rockchip-rk3588-edge.config (1 hunks)
  • config/kernel/linux-rockchip64-current.config (1 hunks)
  • config/kernel/linux-rockchip64-edge.config (1 hunks)
  • config/kernel/linux-sunxi-current.config (1 hunks)
  • config/kernel/linux-sunxi-edge.config (1 hunks)
  • config/kernel/linux-sunxi-legacy.config (1 hunks)
  • config/kernel/linux-sunxi64-current.config (1 hunks)
  • config/kernel/linux-sunxi64-edge.config (1 hunks)
  • config/kernel/linux-sunxi64-legacy.config (1 hunks)
  • config/kernel/linux-thead-legacy.config (1 hunks)
  • config/kernel/linux-virtual-current.config (1 hunks)
  • lib/functions/compilation/armbian-kernel.sh (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (22)
  • config/kernel/linux-rockchip-edge.config
  • config/kernel/linux-sunxi64-legacy.config
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-mvebu64-edge.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-odroidxu4-current.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-bcm2711-current.config
  • config/kernel/linux-imx6-legacy.config
  • lib/functions/compilation/armbian-kernel.sh
  • config/kernel/linux-imx6-current.config
  • config/kernel/linux-bcm2711-edge.config
  • config/kernel/linux-meson64-edge.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-rockchip64-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-sunxi-edge.config
  • config/kernel/linux-virtual-current.config
  • config/kernel/linux-rockchip-rk3588-edge.config
🧰 Additional context used
🧠 Learnings (20)
📓 Common learnings
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.
Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub or the PR API to get the complete picture of what files are being added or modified.
Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub API (https://api.github.com/repos/armbian/build/pulls/{pr_number}/files) to get the complete picture of what files are being added or modified, especially for U-Boot patches that will be applied during the build process.
Learnt from: igorpecovnik
Repo: armbian/build PR: 9087
File: .github/workflows/pr-check-pictures.yml:138-146
Timestamp: 2025-12-16T13:40:07.649Z
Learning: In the Armbian build repository, when introducing new requirements or checks (like the board assets verification workflow), the project prefers an initial educational-only period where violations post helpful PR comments and warnings but don't block merges. This allows contributors to become familiar with new requirements before enforcement is enabled (typically after ~6 months).
Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-12-19T13:56:45.124Z
Learning: When reviewing kernel or u-boot version bump PRs in the Armbian build system, check if patches existed in previous kernel version directories (e.g., sunxi-6.12, sunxi-6.13) before describing them as new features. If a patch and the majority of its contents existed previously with no major functionality changes, focus the review on the actual changes: the version bump itself and patch compatibility adjustments. Don't describe existing patches being ported/maintained across versions as new features or drivers—this is misleading. The patches are existing code being re-aligned to work with the new upstream version.
Learnt from: EvilOlaf
Repo: armbian/build PR: 8328
File: lib/functions/compilation/patch/drivers_network.sh:542-545
Timestamp: 2025-06-24T10:08:40.313Z
Learning: In the Armbian build system, when a PR removes build support for a specific kernel version, version check issues for that removed version become practically irrelevant even if they appear incorrect in isolation. Context about which kernel versions are being deprecated/removed is important for understanding the impact of version-related code changes.
Learnt from: EvilOlaf
Repo: armbian/build PR: 8968
File: patch/u-boot/u-boot-sunxi/arm64-dts-sun50i-h6-orangepi.dtsi-Rollback-r_rsb-to-r_i2c.patch:36-36
Timestamp: 2025-11-20T18:20:11.985Z
Learning: The rewrite-patches tool (REWRITE_PATCHES=yes) in the Armbian build system can inadvertently introduce semantic changes when the u-boot/kernel git base revision differs from expected state. The tool applies patches, commits them, and re-exports them using git format-patch, which can cause the re-exported patch to reflect the base revision's state rather than preserving the original patch intent. This is particularly problematic for device tree changes like interrupt specifications. The tool currently lacks validation mechanisms to detect such semantic drift, and affected patches must be manually corrected after rewriting.
Learnt from: igorpecovnik
Repo: armbian/build PR: 8849
File: config/boards/radxa-e54c.csc:14-28
Timestamp: 2025-11-02T20:49:56.719Z
Learning: In Armbian board configuration files (config/boards/*.conf, *.csc, etc.), do not use kernel_config_set, kernel_config_set_m, kernel_config_set_y, or custom_kernel_config__* functions to modify kernel configuration. Kernel configuration is associated with LINUXFAMILY/BOARDFAMILY, not individual BOARD. Board-specific kernel modifications cause inconsistency in kernel packages published to the apt repository because boards within a family share the same kernel packages. Kernel configuration changes must be made in the appropriate kernel config file (e.g., config/kernel/linux-*-*.config) or in family configuration files (config/sources/families/*.conf, *.inc) instead.
Learnt from: glneo
Repo: armbian/build PR: 8913
File: config/sources/families/include/k3_common.inc:57-60
Timestamp: 2025-11-11T20:56:20.303Z
Learning: In config/sources/families/include/k3_common.inc, the OP-TEE build command at line 59 should be updated in a future PR to explicitly set CROSS_COMPILE64=aarch64-linux-gnu- and CROSS_COMPILE32=arm-linux-gnueabihf- instead of relying on OP-TEE's internal defaults, for better clarity and maintainability. User glneo agreed to address this in a separate PR.
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: The kernel_config_set_m function in lib/functions/compilation/armbian-kernel.sh preserves existing 'y' (built-in) settings and only sets options to 'm' (module) when they are not already built-in, achieving "prefer modules but allow built-ins" behavior.
Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:56:33.372Z
Learning: In Armbian kernel configuration, the BTRFS configuration logic preserves existing settings (whether built-in 'y' or module 'm') and only sets BTRFS_FS to module when it was previously disabled or not set, achieving "allow but not require" flexibility while maintaining backward compatibility.
Learnt from: igorpecovnik
Repo: armbian/build PR: 8789
File: config/kernel/linux-sunxi64-edge.config:839-839
Timestamp: 2025-10-22T07:56:19.424Z
Learning: In Linux kernel configuration, some `=y` (builtin) options are infrastructure or feature flags that enable subsystems or features for modular drivers, rather than directly compiling code into the kernel. For example, in Armbian wireless configs, options like CONFIG_SPARD_WLAN_SUPPORT=y, CONFIG_SC23XX=y, CONFIG_WCN_BSP_DRIVER_BUILDIN=y, CONFIG_UNISOC_WIFI_PS=y are module infrastructure/feature enablers, while the actual drivers (CONFIG_WLAN_UWE5621=m, CONFIG_WLAN_UWE5622=m) remain as loadable modules. These infrastructure options don't cause kernel bloat.
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the kernel_config_modifying_hashes array is not universally required for all kernel configuration functions - some functions like armbian_kernel_config__netkit() operate without it, and adding entries with '=m' would be incorrect when the actual result might be '=y' for options already built-in.
Learnt from: rpardini
Repo: armbian/build PR: 8820
File: config/sources/families/include/meson64_common.inc:51-53
Timestamp: 2025-10-26T12:56:29.185Z
Learning: In the Armbian build framework, scripts/config correctly handles kernel configuration option names both with and without the CONFIG_ prefix, so opts_m+=("CONFIG_RTL8822CS") and opts_m+=("RTL8822CS") are both valid and will work correctly.
Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:48:09.091Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the user prefers flexible grep patterns over anchored ones for BTRFS configuration checks, but agrees to use quiet grep (-q) to avoid polluting build logs.
📚 Learning: 2025-08-30T04:13:16.457Z
Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T04:13:16.457Z
Learning: Armbian kernel configuration files like linux-filogic-current.config are autogenerated overlays on top of arch defconfig. Comments added manually will be lost during future updates by maintainers, and explicit "CONFIG_OPTION is not set" statements aren't needed for mutually exclusive options since these are overlay configs that only specify changes from the base configuration.

Applied to files:

  • config/kernel/linux-imx6-edge.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-odroidxu4-edge.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-mvebu-legacy.config
  • config/kernel/linux-rk35xx-vendor.config
📚 Learning: 2025-09-25T18:37:00.330Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.

Applied to files:

  • config/kernel/linux-imx6-edge.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-thead-legacy.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-odroidxu4-edge.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-mvebu-legacy.config
  • config/kernel/linux-rk35xx-vendor.config
📚 Learning: 2025-03-31T12:57:13.880Z
Learnt from: libiunc
Repo: armbian/build PR: 8033
File: config/kernel/linux-starfive2-vendor.config:43-43
Timestamp: 2025-03-31T12:57:13.880Z
Learning: For StarFive2 platform kernel configurations, maintain alignment with vendor-provided configurations rather than modifying security settings like SECCOMP. This ensures hardware compatibility as intended by the manufacturer.

Applied to files:

  • config/kernel/linux-imx6-edge.config
  • config/kernel/linux-thead-legacy.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-odroidxu4-edge.config
  • config/kernel/linux-rk35xx-vendor.config
📚 Learning: 2025-11-02T20:49:56.719Z
Learnt from: igorpecovnik
Repo: armbian/build PR: 8849
File: config/boards/radxa-e54c.csc:14-28
Timestamp: 2025-11-02T20:49:56.719Z
Learning: In Armbian board configuration files (config/boards/*.conf, *.csc, etc.), do not use kernel_config_set, kernel_config_set_m, kernel_config_set_y, or custom_kernel_config__* functions to modify kernel configuration. Kernel configuration is associated with LINUXFAMILY/BOARDFAMILY, not individual BOARD. Board-specific kernel modifications cause inconsistency in kernel packages published to the apt repository because boards within a family share the same kernel packages. Kernel configuration changes must be made in the appropriate kernel config file (e.g., config/kernel/linux-*-*.config) or in family configuration files (config/sources/families/*.conf, *.inc) instead.

Applied to files:

  • config/kernel/linux-imx6-edge.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-odroidxu4-edge.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-mvebu-legacy.config
  • config/kernel/linux-rk35xx-vendor.config
📚 Learning: 2025-09-27T21:47:58.020Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-bcm2711-edge.config:859-861
Timestamp: 2025-09-27T21:47:58.020Z
Learning: In the Armbian build system, kernel configuration files in config/kernel/ are generated through an automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

  • config/kernel/linux-imx6-edge.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-odroidxu4-edge.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-rk35xx-vendor.config
📚 Learning: 2025-08-30T06:56:33.372Z
Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:56:33.372Z
Learning: In Armbian kernel configuration, the BTRFS configuration logic preserves existing settings (whether built-in 'y' or module 'm') and only sets BTRFS_FS to module when it was previously disabled or not set, achieving "allow but not require" flexibility while maintaining backward compatibility.

Applied to files:

  • config/kernel/linux-imx6-edge.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-thead-legacy.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-mvebu-legacy.config
  • config/kernel/linux-rk35xx-vendor.config
📚 Learning: 2025-09-27T21:49:55.796Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sm8250-current.config:78-80
Timestamp: 2025-09-27T21:49:55.796Z
Learning: In the Armbian build system, kernel configuration files are generated through an automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

  • config/kernel/linux-imx6-edge.config
  • config/kernel/linux-odroidxu4-edge.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-rk35xx-vendor.config
📚 Learning: 2025-09-27T21:50:15.915Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sunxi64-current.config:94-94
Timestamp: 2025-09-27T21:50:15.915Z
Learning: When kernel config files are generated through Armbian's automated process (previous config → armbian-kernel.sh changes → make oldconfig → Armbian machinery processing), manual config file edits are not appropriate since they would be overwritten. Deprecated option handling should be implemented in the automated tooling instead.

Applied to files:

  • config/kernel/linux-imx6-edge.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-thead-legacy.config
  • config/kernel/linux-odroidxu4-edge.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-bcm2711-legacy.config
📚 Learning: 2025-10-22T07:56:19.424Z
Learnt from: igorpecovnik
Repo: armbian/build PR: 8789
File: config/kernel/linux-sunxi64-edge.config:839-839
Timestamp: 2025-10-22T07:56:19.424Z
Learning: In Linux kernel configuration, some `=y` (builtin) options are infrastructure or feature flags that enable subsystems or features for modular drivers, rather than directly compiling code into the kernel. For example, in Armbian wireless configs, options like CONFIG_SPARD_WLAN_SUPPORT=y, CONFIG_SC23XX=y, CONFIG_WCN_BSP_DRIVER_BUILDIN=y, CONFIG_UNISOC_WIFI_PS=y are module infrastructure/feature enablers, while the actual drivers (CONFIG_WLAN_UWE5621=m, CONFIG_WLAN_UWE5622=m) remain as loadable modules. These infrastructure options don't cause kernel bloat.

Applied to files:

  • config/kernel/linux-imx6-edge.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-thead-legacy.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-mvebu-legacy.config
  • config/kernel/linux-rk35xx-vendor.config
📚 Learning: 2025-09-22T21:52:01.225Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: The kernel_config_set_m function in lib/functions/compilation/armbian-kernel.sh preserves existing 'y' (built-in) settings and only sets options to 'm' (module) when they are not already built-in, achieving "prefer modules but allow built-ins" behavior.

Applied to files:

  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-thead-legacy.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-mvebu-legacy.config
📚 Learning: 2025-07-19T00:03:42.995Z
Learnt from: lanefu
Repo: armbian/build PR: 8377
File: config/kernel/linux-uefi-arm64-cloud.config:165-170
Timestamp: 2025-07-19T00:03:42.995Z
Learning: CONFIG_NETKIT was introduced in Linux kernel 4.14.330 (November 2023) and enables BPF-programmable network devices that can operate in Layer 3 or Layer 2 mode. It's a valid configuration option in modern kernels including 6.12.

Applied to files:

  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-mvebu-legacy.config
📚 Learning: 2025-10-26T12:56:29.185Z
Learnt from: rpardini
Repo: armbian/build PR: 8820
File: config/sources/families/include/meson64_common.inc:51-53
Timestamp: 2025-10-26T12:56:29.185Z
Learning: In the Armbian build framework, scripts/config correctly handles kernel configuration option names both with and without the CONFIG_ prefix, so opts_m+=("CONFIG_RTL8822CS") and opts_m+=("RTL8822CS") are both valid and will work correctly.

Applied to files:

  • config/kernel/linux-rk322x-current.config
📚 Learning: 2025-07-27T15:56:34.414Z
Learnt from: pyavitz
Repo: armbian/build PR: 8421
File: config/kernel/linux-sunxi64-edge.config:438-439
Timestamp: 2025-07-27T15:56:34.414Z
Learning: CONFIG_NET_SCH_DEFAULT is a boolean kernel configuration option (=y or =n) that enables/disables the ability to override the default network queueing discipline at runtime. When set to 'y', it allows setting the actual qdisc name via /proc/sys/net/core/default_qdisc at runtime, not in the kernel config file itself.

Applied to files:

  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-odroidxu4-edge.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-rk35xx-vendor.config
📚 Learning: 2025-09-22T21:52:01.225Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the kernel_config_modifying_hashes array is not universally required for all kernel configuration functions - some functions like armbian_kernel_config__netkit() operate without it, and adding entries with '=m' would be incorrect when the actual result might be '=y' for options already built-in.

Applied to files:

  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-mvebu64-legacy.config
📚 Learning: 2025-09-27T21:50:04.845Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sm8250-edge.config:80-82
Timestamp: 2025-09-27T21:50:04.845Z
Learning: In the Armbian build system, kernel configuration files are generated through this automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

  • config/kernel/linux-odroidxu4-edge.config
  • config/kernel/linux-bcm2711-legacy.config
📚 Learning: 2025-08-02T05:46:10.664Z
Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-02T05:46:10.664Z
Learning: In the Armbian build system, the KERNEL_CONFIGURE=yes switch is deprecated. The recommended approach for kernel configuration is now to use the `kernel-config` build command, which provides a more structured way to configure kernel options.

Applied to files:

  • config/kernel/linux-sunxi-legacy.config
📚 Learning: 2025-07-15T21:09:23.252Z
Learnt from: pyavitz
Repo: armbian/build PR: 8383
File: config/kernel/linux-sunxi64-edge.config:57-64
Timestamp: 2025-07-15T21:09:23.252Z
Learning: In Linux kernel configuration, when CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y is set, the ondemand governor is implicitly enabled by default, making the explicit CONFIG_CPU_FREQ_GOV_ONDEMAND=y line redundant. The make menuconfig tool automatically removes such redundant lines. This behavior applies to CPU frequency governor configurations in general - setting a default governor automatically enables that governor.

Applied to files:

  • config/kernel/linux-sunxi-legacy.config
📚 Learning: 2025-08-11T22:00:13.411Z
Learnt from: rafayahmed317
Repo: armbian/build PR: 8484
File: config/kernel/linux-rk35xx-vendor.config:904-906
Timestamp: 2025-08-11T22:00:13.411Z
Learning: In the linux-rk35xx-vendor kernel, the LTE driver options (CONFIG_LTE, CONFIG_LTE_RM310, CONFIG_LTE_EM05) are defined as boolean in drivers/net/lte/Kconfig and cannot be built as modules - they must be either built-in (=y) or disabled.

Applied to files:

  • config/kernel/linux-rk35xx-vendor.config
📚 Learning: 2025-11-08T06:39:24.527Z
Learnt from: EvilOlaf
Repo: armbian/build PR: 8886
File: patch/kernel/rk35xx-vendor-6.1/dt/rk3528-nanopi-rev01.dts:9-9
Timestamp: 2025-11-08T06:39:24.527Z
Learning: In Armbian's Rockchip vendor kernel branches (rk35xx-vendor), device tree files may not require the same headers as mainline Linux. For example, input key definitions like KEY_BACK and KEY_VOLUMEUP may be handled differently in BSP kernels and don't necessarily need explicit includes like <dt-bindings/input/input.h> that would be required in mainline kernel device trees.

Applied to files:

  • config/kernel/linux-rk35xx-vendor.config
🔇 Additional comments (8)
config/kernel/linux-mvebu64-legacy.config (1)

10-10: Verify implementation approach: config file edits may not persist.

Based on the PR discussion and learnings about the Armbian build system, kernel configuration files in config/kernel/ are autogenerated overlays that are periodically rewritten by automated processes. Direct edits to these files may be overwritten during future rewrite-kernel-config runs.

Per the PR discussion (comments from tabrisnet and coderabbitai), the recommended approach is to add BPF_UNPRIV_DEFAULT_OFF to the opts_y array in the armbian_kernel_config__600_enable_ebpf_and_btf_info function in lib/functions/compilation/armbian-kernel.sh. This ensures the configuration persists through the automated kernel config generation workflow: previous config → armbian-kernel.sh changes → make oldconfig → Armbian processing.

Please confirm:

  1. Are changes to lib/functions/compilation/armbian-kernel.sh also included in this PR but not visible in the current review files?
  2. If only config file edits are being made, have you verified these changes will persist through the next automated rewrite?

Based on learnings about the Armbian build system's kernel configuration workflow.

config/kernel/linux-imx6-edge.config (1)

12-12: Config option correctly enabled; see implementation approach concern.

The addition of CONFIG_BPF_UNPRIV_DEFAULT_OFF=y is correct and addresses the vulnerability warning issue described in the PR objectives. The placement is appropriate alongside other BPF-related configuration options.

However, the same persistence concern raised for linux-mvebu64-legacy.config applies here regarding the automated kernel config generation workflow. Please ensure the implementation approach will maintain these changes across future automated rewrites.

config/kernel/linux-thead-legacy.config (1)

182-182: Verification complete: armbian-kernel.sh properly updated.

The concern about manual config file edits being overwritten is addressed. The PR correctly adds BPF_UNPRIV_DEFAULT_OFF to the opts_y array in the armbian_kernel_config__600_enable_ebpf_and_btf_info() function (line 123 of lib/functions/compilation/armbian-kernel.sh), which is the proper approach. The config file entry will be auto-generated from this function during automated config regeneration, so the manual edit is consistent with Armbian's build system architecture.

config/kernel/linux-rk322x-current.config (1)

95-107: CONFIG_BPF_UNPRIV_DEFAULT_OFF=y here correctly enforces unprivileged BPF off by default

With CONFIG_BPF, CONFIG_BPF_SYSCALL, and CONFIG_BPF_JIT already enabled, setting CONFIG_BPF_UNPRIV_DEFAULT_OFF=y is the right way to make unprivileged eBPF default‑off on this RK322x kernel and aligns with the PR’s spectre_v2 mitigation goal. Note that this file is an autogenerated Armbian overlay; the canonical behavior should come from the updated armbian-kernel.sh, and future rewrite-kernel-config runs may drop this explicit line if it becomes redundant. Based on learnings, Armbian kernel overlays are periodically regenerated.

config/kernel/linux-mvebu-edge.config (1)

6-12: mvebu-edge: enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF=y is consistent and desirable

Adding CONFIG_BPF_UNPRIV_DEFAULT_OFF=y next to CONFIG_BPF_JIT=y gives mvebu-edge the same “unprivileged BPF default‑off” behavior as other families, matching the PR’s objective. Since this is an autogenerated Armbian defconfig overlay, ensure the corresponding armbian-kernel.sh logic is treated as the canonical source and check after running rewrite-kernel-config that this setting is preserved (or made redundant) as expected. Based on learnings, these overlays are periodically regenerated.

config/kernel/linux-bcm2711-legacy.config (1)

10-10: Configuration change is consistent across files.

The change matches the pattern applied to other kernel configs in this PR. The placement after CONFIG_BPF_JIT=y is appropriate and consistent with the BPF configuration grouping.

Please see the verification request in the review of linux-sunxi-legacy.config regarding the persistence of manual config file changes versus implementing this in armbian-kernel.sh.

config/kernel/linux-odroidxu4-edge.config (1)

9-9: Configuration change is consistent across kernel variants.

The change is correctly placed in the BPF configuration section and follows the same pattern as other kernel configs in this PR. The syntax is correct and aligns with the security objective to disable unprivileged BPF by default.

Please refer to the verification request and discussion in the review of linux-sunxi-legacy.config regarding the optimal approach for ensuring this change persists through Armbian's automated kernel configuration regeneration process.

config/kernel/linux-sunxi-legacy.config (1)

9-9: Remove manual CONFIG_BPF_UNPRIV_DEFAULT_OFF additions from config files.

CONFIG_BPF_UNPRIV_DEFAULT_OFF is already being set via lib/functions/compilation/armbian-kernel.sh in the armbian_kernel_config__600_enable_ebpf_and_btf_info() function (line 123, within the opts_y array). Manual additions of this option to kernel config files are redundant and will be overwritten during Armbian's automated config regeneration process.

Remove CONFIG_BPF_UNPRIV_DEFAULT_OFF=y from all config files affected by this PR. The setting is already properly enforced through the automated tooling.

⛔ Skipped due to learnings
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.
Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub or the PR API to get the complete picture of what files are being added or modified.
Learnt from: libiunc
Repo: armbian/build PR: 8033
File: config/kernel/linux-starfive2-vendor.config:43-43
Timestamp: 2025-03-31T12:57:13.880Z
Learning: For StarFive2 platform kernel configurations, maintain alignment with vendor-provided configurations rather than modifying security settings like SECCOMP. This ensures hardware compatibility as intended by the manufacturer.
Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub API (https://api.github.com/repos/armbian/build/pulls/{pr_number}/files) to get the complete picture of what files are being added or modified, especially for U-Boot patches that will be applied during the build process.
Learnt from: igorpecovnik
Repo: armbian/build PR: 8849
File: config/boards/radxa-e54c.csc:14-28
Timestamp: 2025-11-02T20:49:56.719Z
Learning: In Armbian board configuration files (config/boards/*.conf, *.csc, etc.), do not use kernel_config_set, kernel_config_set_m, kernel_config_set_y, or custom_kernel_config__* functions to modify kernel configuration. Kernel configuration is associated with LINUXFAMILY/BOARDFAMILY, not individual BOARD. Board-specific kernel modifications cause inconsistency in kernel packages published to the apt repository because boards within a family share the same kernel packages. Kernel configuration changes must be made in the appropriate kernel config file (e.g., config/kernel/linux-*-*.config) or in family configuration files (config/sources/families/*.conf, *.inc) instead.
Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sunxi64-current.config:94-94
Timestamp: 2025-09-27T21:50:15.915Z
Learning: When kernel config files are generated through Armbian's automated process (previous config → armbian-kernel.sh changes → make oldconfig → Armbian machinery processing), manual config file edits are not appropriate since they would be overwritten. Deprecated option handling should be implemented in the automated tooling instead.
Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-12-19T13:56:45.124Z
Learning: When reviewing kernel or u-boot version bump PRs in the Armbian build system, check if patches existed in previous kernel version directories (e.g., sunxi-6.12, sunxi-6.13) before describing them as new features. If a patch and the majority of its contents existed previously with no major functionality changes, focus the review on the actual changes: the version bump itself and patch compatibility adjustments. Don't describe existing patches being ported/maintained across versions as new features or drivers—this is misleading. The patches are existing code being re-aligned to work with the new upstream version.
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the kernel_config_modifying_hashes array is not universally required for all kernel configuration functions - some functions like armbian_kernel_config__netkit() operate without it, and adding entries with '=m' would be incorrect when the actual result might be '=y' for options already built-in.
Learnt from: lanefu
Repo: armbian/build PR: 8377
File: config/kernel/linux-uefi-arm64-cloud.config:165-170
Timestamp: 2025-07-19T00:03:42.995Z
Learning: CONFIG_NETKIT was introduced in Linux kernel 4.14.330 (November 2023) and enables BPF-programmable network devices that can operate in Layer 3 or Layer 2 mode. It's a valid configuration option in modern kernels including 6.12.
Learnt from: pyavitz
Repo: armbian/build PR: 8421
File: config/kernel/linux-sunxi64-edge.config:438-439
Timestamp: 2025-07-27T15:56:34.414Z
Learning: CONFIG_NET_SCH_DEFAULT is a boolean kernel configuration option (=y or =n) that enables/disables the ability to override the default network queueing discipline at runtime. When set to 'y', it allows setting the actual qdisc name via /proc/sys/net/core/default_qdisc at runtime, not in the kernel config file itself.
Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:56:33.372Z
Learning: In Armbian kernel configuration, the BTRFS configuration logic preserves existing settings (whether built-in 'y' or module 'm') and only sets BTRFS_FS to module when it was previously disabled or not set, achieving "allow but not require" flexibility while maintaining backward compatibility.

Fixes wrong CPU vulnerability output:

/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation:Vulnerable:
Unprivileged eBPF enabled

It's enabled but CONFIG_BPF_UNPRIV_DEFAULT_OFF being unset causes the
warning.

This warning happens on ARM32 and ARM64 devices.

Edited with:
find -name "*.config" -exec sed -i 's/# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set/CONFIG_BPF_UNPRIV_DEFAULT_OFF=y/g' '{}' \;

Signed-off-by: Rosen Penev <rosenp@gmail.com>
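
A check for the two things this thread is about, as an added example that is not part of the PR or of Armbian's tooling: whether each config overlay still carries `CONFIG_BPF_UNPRIV_DEFAULT_OFF=y` after regeneration, and how to read the running kernel's state. The function names and sample files are constructed for illustration; the 0/1/2 meanings are those of the upstream `kernel.unprivileged_bpf_disabled` sysctl.

```shell
#!/bin/sh
# Added example (not Armbian tooling). Sample files and names are constructed.

# How does one kernel config file set CONFIG_BPF_UNPRIV_DEFAULT_OFF?
# Prints: on | off | absent
# "absent" means the overlay does not mention the option, so the value
# comes from whatever the overlay is applied on top of.
unpriv_bpf_default() {
    if grep -qx 'CONFIG_BPF_UNPRIV_DEFAULT_OFF=y' "$1"; then
        echo on
    elif grep -qx '# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set' "$1"; then
        echo off
    else
        echo absent
    fi
}

# Audit every *.config directly under a directory.
# Prints "<state> <path>" for each file lacking the =y line; returns 1 if any.
audit_config_dir() {
    audit_rc=0
    for audit_cfg in "$1"/*.config; do
        [ -e "$audit_cfg" ] || continue
        audit_state=$(unpriv_bpf_default "$audit_cfg")
        if [ "$audit_state" != on ]; then
            printf '%s %s\n' "$audit_state" "$audit_cfg"
            audit_rc=1
        fi
    done
    return "$audit_rc"
}

# Interpret the running kernel from two strings:
#   $1 = contents of /sys/devices/system/cpu/vulnerabilities/spectre_v2
#   $2 = output of: sysctl -n kernel.unprivileged_bpf_disabled
# Returns 1 when unprivileged eBPF is usable.
runtime_verdict() {
    case $1 in
        *"Unprivileged eBPF enabled"*) echo flagged; return 1 ;;
    esac
    case $2 in
        0) echo unprivileged-bpf-enabled; return 1 ;;
        1) echo disabled-locked ;;              # cannot be changed until reboot
        2) echo disabled-admin-can-reenable ;;  # the value DEFAULT_OFF=y boots with
        *) echo unknown; return 2 ;;
    esac
}

# Constructed sample overlays: one fixed, one explicitly unset, one silent.
make_sample_dir() {
    sample_dir=$(mktemp -d) || return 1
    printf 'CONFIG_BPF_JIT=y\nCONFIG_BPF_UNPRIV_DEFAULT_OFF=y\n' \
        > "$sample_dir/linux-a-current.config"
    printf 'CONFIG_BPF_JIT=y\n# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set\n' \
        > "$sample_dir/linux-b-edge.config"
    printf 'CONFIG_BPF_JIT=y\n' > "$sample_dir/linux-c-legacy.config"
    echo "$sample_dir"
}

# With a directory argument, audit it; with none, audit the constructed sample.
if [ "$#" -gt 0 ]; then
    audit_config_dir "$1"
else
    demo_dir=$(make_sample_dir)
    audit_config_dir "$demo_dir" || echo "configs listed above need attention"
    rm -rf "$demo_dir"
fi
```

Because the build default only sets the boot-time value to 2, an administrator can still write 0 to the sysctl afterwards, so the runtime check is worth keeping alongside the config audit.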
@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🧹 Nitpick comments (2)
config/kernel/linux-mvebu64-current.config (1)

11-11: Consider centralizing this change in armbian-kernel.sh instead of editing config files directly.

The change itself is correct and addresses the security posture issue. However, based on the PR discussion and Armbian's kernel config generation workflow, modifying lib/functions/compilation/armbian-kernel.sh (function armbian_kernel_config__600_enable_ebpf_and_btf_info) would be the preferred approach:

  • Config files in config/kernel/ are autogenerated overlays that can be overwritten by periodic rewrite-kernel-config jobs
  • Adding BPF_UNPRIV_DEFAULT_OFF to the opts_y array in the script ensures the change propagates to all generated configs
  • This reduces file churn and avoids potential conflicts during config regeneration

Based on learnings, Armbian kernel configuration files are overlays maintained through generation scripts, and manual edits may not persist.

Example implementation in armbian-kernel.sh

In lib/functions/compilation/armbian-kernel.sh, within the armbian_kernel_config__600_enable_ebpf_and_btf_info function, add:

 opts_y+=(
   "BPF_SYSCALL" # eBPF
   "BPF_JIT"
+  "BPF_UNPRIV_DEFAULT_OFF" # Disable unprivileged eBPF by default
   # ... other options
 )
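
Review bot: the added "BPF_UNPRIV_DEFAULT_OFF" entry takes effect only where the enclosing armbian_kernel_config__600_enable_ebpf_and_btf_info function applies this opts_y list, and the hunk does not show the condition around it. The review of lib/functions/compilation/armbian-kernel.sh in this thread mentions a BTF RAM check and KERNEL_BTF="no"; if default-off is meant as a security baseline rather than a companion to BTF, place the entry outside that check. After running rewrite-kernel-config, confirm that each regenerated file still contains CONFIG_BPF_UNPRIV_DEFAULT_OFF=y.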

Then run rewrite-kernel-config to regenerate all config files with this change applied consistently.

lib/functions/compilation/armbian-kernel.sh (1)

119-125: Good: centralizing BPF_UNPRIV_DEFAULT_OFF in the eBPF/BTF helper.

Adding "BPF_UNPRIV_DEFAULT_OFF" to opts_y here makes the unprivileged‑BPF default‑off behavior part of the scripted kernel config pipeline, so rewrite‑kernel‑config will preserve it. If you ever want this enforced even when KERNEL_BTF="no", you could set it outside the BTF RAM check, but that’s an optional follow‑up rather than a blocker.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between b02f95c and de1f9ee.

📒 Files selected for processing (33)
  • config/kernel/linux-bcm2711-current.config (1 hunks)
  • config/kernel/linux-bcm2711-edge.config (1 hunks)
  • config/kernel/linux-bcm2711-legacy.config (1 hunks)
  • config/kernel/linux-imx6-current.config (1 hunks)
  • config/kernel/linux-imx6-edge.config (1 hunks)
  • config/kernel/linux-imx6-legacy.config (1 hunks)
  • config/kernel/linux-meson64-current.config (1 hunks)
  • config/kernel/linux-meson64-edge.config (1 hunks)
  • config/kernel/linux-mvebu-current.config (1 hunks)
  • config/kernel/linux-mvebu-edge.config (1 hunks)
  • config/kernel/linux-mvebu-legacy.config (1 hunks)
  • config/kernel/linux-mvebu64-current.config (1 hunks)
  • config/kernel/linux-mvebu64-edge.config (1 hunks)
  • config/kernel/linux-mvebu64-legacy.config (1 hunks)
  • config/kernel/linux-odroidxu4-current.config (1 hunks)
  • config/kernel/linux-odroidxu4-edge.config (1 hunks)
  • config/kernel/linux-rk322x-current.config (1 hunks)
  • config/kernel/linux-rk322x-edge.config (1 hunks)
  • config/kernel/linux-rk35xx-vendor.config (1 hunks)
  • config/kernel/linux-rockchip-current.config (1 hunks)
  • config/kernel/linux-rockchip-edge.config (1 hunks)
  • config/kernel/linux-rockchip-rk3588-edge.config (1 hunks)
  • config/kernel/linux-rockchip64-current.config (1 hunks)
  • config/kernel/linux-rockchip64-edge.config (1 hunks)
  • config/kernel/linux-sunxi-current.config (1 hunks)
  • config/kernel/linux-sunxi-edge.config (1 hunks)
  • config/kernel/linux-sunxi-legacy.config (1 hunks)
  • config/kernel/linux-sunxi64-current.config (1 hunks)
  • config/kernel/linux-sunxi64-edge.config (1 hunks)
  • config/kernel/linux-sunxi64-legacy.config (1 hunks)
  • config/kernel/linux-thead-legacy.config (1 hunks)
  • config/kernel/linux-virtual-current.config (1 hunks)
  • lib/functions/compilation/armbian-kernel.sh (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (20)
  • config/kernel/linux-rockchip64-edge.config
  • config/kernel/linux-sunxi64-legacy.config
  • config/kernel/linux-odroidxu4-current.config
  • config/kernel/linux-sunxi-edge.config
  • config/kernel/linux-bcm2711-current.config
  • config/kernel/linux-virtual-current.config
  • config/kernel/linux-odroidxu4-edge.config
  • config/kernel/linux-imx6-current.config
  • config/kernel/linux-rk35xx-vendor.config
  • config/kernel/linux-rockchip-current.config
  • config/kernel/linux-bcm2711-edge.config
  • config/kernel/linux-meson64-current.config
  • config/kernel/linux-mvebu-current.config
  • config/kernel/linux-sunxi-legacy.config
  • config/kernel/linux-mvebu64-edge.config
  • config/kernel/linux-thead-legacy.config
  • config/kernel/linux-imx6-legacy.config
  • config/kernel/linux-rockchip-rk3588-edge.config
  • config/kernel/linux-rk322x-edge.config
  • config/kernel/linux-mvebu-legacy.config
🧰 Additional context used
🧠 Learnings (33)
📓 Common learnings
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.
Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub or the PR API to get the complete picture of what files are being added or modified.
Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub API (https://api.github.com/repos/armbian/build/pulls/{pr_number}/files) to get the complete picture of what files are being added or modified, especially for U-Boot patches that will be applied during the build process.
Learnt from: igorpecovnik
Repo: armbian/build PR: 9087
File: .github/workflows/pr-check-pictures.yml:138-146
Timestamp: 2025-12-16T13:40:07.649Z
Learning: In the Armbian build repository, when introducing new requirements or checks (like the board assets verification workflow), the project prefers an initial educational-only period where violations post helpful PR comments and warnings but don't block merges. This allows contributors to become familiar with new requirements before enforcement is enabled (typically after ~6 months).
Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-12-19T13:56:45.124Z
Learning: When reviewing kernel or u-boot version bump PRs in the Armbian build system, check if patches existed in previous kernel version directories (e.g., sunxi-6.12, sunxi-6.13) before describing them as new features. If a patch and the majority of its contents existed previously with no major functionality changes, focus the review on the actual changes: the version bump itself and patch compatibility adjustments. Don't describe existing patches being ported/maintained across versions as new features or drivers—this is misleading. The patches are existing code being re-aligned to work with the new upstream version.
Learnt from: igorpecovnik
Repo: armbian/build PR: 8849
File: config/boards/radxa-e54c.csc:14-28
Timestamp: 2025-11-02T20:49:56.719Z
Learning: In Armbian board configuration files (config/boards/*.conf, *.csc, etc.), do not use kernel_config_set, kernel_config_set_m, kernel_config_set_y, or custom_kernel_config__* functions to modify kernel configuration. Kernel configuration is associated with LINUXFAMILY/BOARDFAMILY, not individual BOARD. Board-specific kernel modifications cause inconsistency in kernel packages published to the apt repository because boards within a family share the same kernel packages. Kernel configuration changes must be made in the appropriate kernel config file (e.g., config/kernel/linux-*-*.config) or in family configuration files (config/sources/families/*.conf, *.inc) instead.
Learnt from: EvilOlaf
Repo: armbian/build PR: 8328
File: lib/functions/compilation/patch/drivers_network.sh:542-545
Timestamp: 2025-06-24T10:08:40.313Z
Learning: In the Armbian build system, when a PR removes build support for a specific kernel version, version check issues for that removed version become practically irrelevant even if they appear incorrect in isolation. Context about which kernel versions are being deprecated/removed is important for understanding the impact of version-related code changes.
Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-12-17T05:09:02.306Z
Learning: In the Armbian build system, kernel patches (e.g., in patch/kernel/archive/sunxi-6.18/patches.armbian/) contain device tree overlays and other code that have existed for years and are maintained/ported across kernel versions. When reviewing PRs that modify these patch files, focus on the actual changes being made (e.g., Makefile fixes, new additions) rather than reviewing the entire existing content within the patch as if it were new code. The patch file contents are existing, stable code unless explicitly modified in the PR diff.
Learnt from: EvilOlaf
Repo: armbian/build PR: 8968
File: patch/u-boot/u-boot-sunxi/arm64-dts-sun50i-h6-orangepi.dtsi-Rollback-r_rsb-to-r_i2c.patch:36-36
Timestamp: 2025-11-20T18:20:11.985Z
Learning: The rewrite-patches tool (REWRITE_PATCHES=yes) in the Armbian build system can inadvertently introduce semantic changes when the u-boot/kernel git base revision differs from expected state. The tool applies patches, commits them, and re-exports them using git format-patch, which can cause the re-exported patch to reflect the base revision's state rather than preserving the original patch intent. This is particularly problematic for device tree changes like interrupt specifications. The tool currently lacks validation mechanisms to detect such semantic drift, and affected patches must be manually corrected after rewriting.
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: The kernel_config_set_m function in lib/functions/compilation/armbian-kernel.sh preserves existing 'y' (built-in) settings and only sets options to 'm' (module) when they are not already built-in, achieving "prefer modules but allow built-ins" behavior.
Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:56:33.372Z
Learning: In Armbian kernel configuration, the BTRFS configuration logic preserves existing settings (whether built-in 'y' or module 'm') and only sets BTRFS_FS to module when it was previously disabled or not set, achieving "allow but not require" flexibility while maintaining backward compatibility.
Learnt from: igorpecovnik
Repo: armbian/build PR: 8789
File: config/kernel/linux-sunxi64-edge.config:839-839
Timestamp: 2025-10-22T07:56:19.424Z
Learning: In Linux kernel configuration, some `=y` (builtin) options are infrastructure or feature flags that enable subsystems or features for modular drivers, rather than directly compiling code into the kernel. For example, in Armbian wireless configs, options like CONFIG_SPARD_WLAN_SUPPORT=y, CONFIG_SC23XX=y, CONFIG_WCN_BSP_DRIVER_BUILDIN=y, CONFIG_UNISOC_WIFI_PS=y are module infrastructure/feature enablers, while the actual drivers (CONFIG_WLAN_UWE5621=m, CONFIG_WLAN_UWE5622=m) remain as loadable modules. These infrastructure options don't cause kernel bloat.
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the kernel_config_modifying_hashes array is not universally required for all kernel configuration functions - some functions like armbian_kernel_config__netkit() operate without it, and adding entries with '=m' would be incorrect when the actual result might be '=y' for options already built-in.
Learnt from: rpardini
Repo: armbian/build PR: 8820
File: config/sources/families/include/meson64_common.inc:51-53
Timestamp: 2025-10-26T12:56:29.185Z
Learning: In the Armbian build framework, scripts/config correctly handles kernel configuration option names both with and without the CONFIG_ prefix, so opts_m+=("CONFIG_RTL8822CS") and opts_m+=("RTL8822CS") are both valid and will work correctly.
Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:48:09.091Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the user prefers flexible grep patterns over anchored ones for BTRFS configuration checks, but agrees to use quiet grep (-q) to avoid polluting build logs.
📚 Learning: 2025-08-30T04:13:16.457Z
Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T04:13:16.457Z
Learning: Armbian kernel configuration files like linux-filogic-current.config are autogenerated overlays on top of arch defconfig. Comments added manually will be lost during future updates by maintainers, and explicit "CONFIG_OPTION is not set" statements aren't needed for mutually exclusive options since these are overlay configs that only specify changes from the base configuration.

Applied to files:

  • config/kernel/linux-rockchip64-current.config
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-meson64-edge.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-rockchip-edge.config
  • lib/functions/compilation/armbian-kernel.sh
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-imx6-edge.config
📚 Learning: 2025-11-02T20:49:56.719Z
Learnt from: igorpecovnik
Repo: armbian/build PR: 8849
File: config/boards/radxa-e54c.csc:14-28
Timestamp: 2025-11-02T20:49:56.719Z
Learning: In Armbian board configuration files (config/boards/*.conf, *.csc, etc.), do not use kernel_config_set, kernel_config_set_m, kernel_config_set_y, or custom_kernel_config__* functions to modify kernel configuration. Kernel configuration is associated with LINUXFAMILY/BOARDFAMILY, not individual BOARD. Board-specific kernel modifications cause inconsistency in kernel packages published to the apt repository because boards within a family share the same kernel packages. Kernel configuration changes must be made in the appropriate kernel config file (e.g., config/kernel/linux-*-*.config) or in family configuration files (config/sources/families/*.conf, *.inc) instead.

Applied to files:

  • config/kernel/linux-rockchip64-current.config
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-meson64-edge.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-rockchip-edge.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-imx6-edge.config
📚 Learning: 2025-09-25T18:37:00.330Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.

Applied to files:

  • config/kernel/linux-rockchip64-current.config
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-meson64-edge.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-rockchip-edge.config
  • lib/functions/compilation/armbian-kernel.sh
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-imx6-edge.config
📚 Learning: 2025-03-31T12:57:13.880Z
Learnt from: libiunc
Repo: armbian/build PR: 8033
File: config/kernel/linux-starfive2-vendor.config:43-43
Timestamp: 2025-03-31T12:57:13.880Z
Learning: For StarFive2 platform kernel configurations, maintain alignment with vendor-provided configurations rather than modifying security settings like SECCOMP. This ensures hardware compatibility as intended by the manufacturer.

Applied to files:

  • config/kernel/linux-rockchip64-current.config
  • config/kernel/linux-meson64-edge.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-rockchip-edge.config
  • config/kernel/linux-imx6-edge.config
📚 Learning: 2025-08-30T06:56:33.372Z
Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:56:33.372Z
Learning: In Armbian kernel configuration, the BTRFS configuration logic preserves existing settings (whether built-in 'y' or module 'm') and only sets BTRFS_FS to module when it was previously disabled or not set, achieving "allow but not require" flexibility while maintaining backward compatibility.

Applied to files:

  • config/kernel/linux-rockchip64-current.config
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-meson64-edge.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-rockchip-edge.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-imx6-edge.config
📚 Learning: 2025-07-27T15:56:34.414Z
Learnt from: pyavitz
Repo: armbian/build PR: 8421
File: config/kernel/linux-sunxi64-edge.config:438-439
Timestamp: 2025-07-27T15:56:34.414Z
Learning: CONFIG_NET_SCH_DEFAULT is a boolean kernel configuration option (=y or =n) that enables/disables the ability to override the default network queueing discipline at runtime. When set to 'y', it allows setting the actual qdisc name via /proc/sys/net/core/default_qdisc at runtime, not in the kernel config file itself.

Applied to files:

  • config/kernel/linux-rockchip64-current.config
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-meson64-edge.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-bcm2711-legacy.config
📚 Learning: 2025-10-22T07:56:19.424Z
Learnt from: igorpecovnik
Repo: armbian/build PR: 8789
File: config/kernel/linux-sunxi64-edge.config:839-839
Timestamp: 2025-10-22T07:56:19.424Z
Learning: In Linux kernel configuration, some `=y` (builtin) options are infrastructure or feature flags that enable subsystems or features for modular drivers, rather than directly compiling code into the kernel. For example, in Armbian wireless configs, options like CONFIG_SPARD_WLAN_SUPPORT=y, CONFIG_SC23XX=y, CONFIG_WCN_BSP_DRIVER_BUILDIN=y, CONFIG_UNISOC_WIFI_PS=y are module infrastructure/feature enablers, while the actual drivers (CONFIG_WLAN_UWE5621=m, CONFIG_WLAN_UWE5622=m) remain as loadable modules. These infrastructure options don't cause kernel bloat.

Applied to files:

  • config/kernel/linux-rockchip64-current.config
  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-meson64-edge.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-rockchip-edge.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-imx6-edge.config
📚 Learning: 2025-09-22T21:52:01.225Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: The kernel_config_set_m function in lib/functions/compilation/armbian-kernel.sh preserves existing 'y' (built-in) settings and only sets options to 'm' (module) when they are not already built-in, achieving "prefer modules but allow built-ins" behavior.

Applied to files:

  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-meson64-edge.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-mvebu-edge.config
  • lib/functions/compilation/armbian-kernel.sh
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-bcm2711-legacy.config
📚 Learning: 2025-09-22T21:52:01.225Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the kernel_config_modifying_hashes array is not universally required for all kernel configuration functions - some functions like armbian_kernel_config__netkit() operate without it, and adding entries with '=m' would be incorrect when the actual result might be '=y' for options already built-in.

Applied to files:

  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-meson64-edge.config
  • config/kernel/linux-mvebu-edge.config
  • lib/functions/compilation/armbian-kernel.sh
📚 Learning: 2025-07-19T00:03:42.995Z
Learnt from: lanefu
Repo: armbian/build PR: 8377
File: config/kernel/linux-uefi-arm64-cloud.config:165-170
Timestamp: 2025-07-19T00:03:42.995Z
Learning: CONFIG_NETKIT was introduced in Linux kernel 4.14.330 (November 2023) and enables BPF-programmable network devices that can operate in Layer 3 or Layer 2 mode. It's a valid configuration option in modern kernels including 6.12.

Applied to files:

  • config/kernel/linux-mvebu64-current.config
  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-meson64-edge.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-mvebu-edge.config
  • config/kernel/linux-rockchip-edge.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-rk322x-current.config
  • config/kernel/linux-bcm2711-legacy.config
📚 Learning: 2025-12-19T13:56:45.124Z
Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-12-19T13:56:45.124Z
Learning: When reviewing kernel or u-boot version bump PRs in the Armbian build system, check if patches existed in previous kernel version directories (e.g., sunxi-6.12, sunxi-6.13) before describing them as new features. If a patch and the majority of its contents existed previously with no major functionality changes, focus the review on the actual changes: the version bump itself and patch compatibility adjustments. Don't describe existing patches being ported/maintained across versions as new features or drivers—this is misleading. The patches are existing code being re-aligned to work with the new upstream version.

Applied to files:

  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-meson64-edge.config
📚 Learning: 2025-07-25T03:51:50.830Z
Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub or the PR API to get the complete picture of what files are being added or modified.

Applied to files:

  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-meson64-edge.config
📚 Learning: 2025-09-27T21:47:58.020Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-bcm2711-edge.config:859-861
Timestamp: 2025-09-27T21:47:58.020Z
Learning: In the Armbian build system, kernel configuration files in config/kernel/ are generated through an automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

  • config/kernel/linux-mvebu64-legacy.config
  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-imx6-edge.config
📚 Learning: 2025-09-27T21:49:55.796Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sm8250-current.config:78-80
Timestamp: 2025-09-27T21:49:55.796Z
Learning: In the Armbian build system, kernel configuration files are generated through an automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

  • config/kernel/linux-sunxi64-current.config
  • lib/functions/compilation/armbian-kernel.sh
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-imx6-edge.config
📚 Learning: 2025-09-27T21:50:04.845Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sm8250-edge.config:80-82
Timestamp: 2025-09-27T21:50:04.845Z
Learning: In the Armbian build system, kernel configuration files are generated through this automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

  • config/kernel/linux-sunxi64-current.config
  • lib/functions/compilation/armbian-kernel.sh
  • config/kernel/linux-sunxi-current.config
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-imx6-edge.config
📚 Learning: 2025-09-27T21:50:15.915Z
Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sunxi64-current.config:94-94
Timestamp: 2025-09-27T21:50:15.915Z
Learning: When kernel config files are generated through Armbian's automated process (previous config → armbian-kernel.sh changes → make oldconfig → Armbian machinery processing), manual config file edits are not appropriate since they would be overwritten. Deprecated option handling should be implemented in the automated tooling instead.

Applied to files:

  • config/kernel/linux-sunxi64-current.config
  • config/kernel/linux-meson64-edge.config
  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-rockchip-edge.config
  • lib/functions/compilation/armbian-kernel.sh
  • config/kernel/linux-bcm2711-legacy.config
  • config/kernel/linux-imx6-edge.config
📚 Learning: 2025-08-02T05:46:10.664Z
Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-02T05:46:10.664Z
Learning: In the Armbian build system, the KERNEL_CONFIGURE=yes switch is deprecated. The recommended approach for kernel configuration is now to use the `kernel-config` build command, which provides a more structured way to configure kernel options.

Applied to files:

  • config/kernel/linux-sunxi64-current.config
📚 Learning: 2025-11-20T18:20:11.985Z
Learnt from: EvilOlaf
Repo: armbian/build PR: 8968
File: patch/u-boot/u-boot-sunxi/arm64-dts-sun50i-h6-orangepi.dtsi-Rollback-r_rsb-to-r_i2c.patch:36-36
Timestamp: 2025-11-20T18:20:11.985Z
Learning: The rewrite-patches tool (REWRITE_PATCHES=yes) in the Armbian build system can inadvertently introduce semantic changes when the u-boot/kernel git base revision differs from expected state. The tool applies patches, commits them, and re-exports them using git format-patch, which can cause the re-exported patch to reflect the base revision's state rather than preserving the original patch intent. This is particularly problematic for device tree changes like interrupt specifications. The tool currently lacks validation mechanisms to detect such semantic drift, and affected patches must be manually corrected after rewriting.

Applied to files:

  • config/kernel/linux-meson64-edge.config
📚 Learning: 2025-10-03T11:42:46.660Z
Learnt from: igorpecovnik
Repo: armbian/build PR: 8705
File: .github/workflows/rewrite-kernel-configs.yml:96-169
Timestamp: 2025-10-03T11:42:46.660Z
Learning: In the Armbian build repository's kernel config rewrite workflow (.github/workflows/rewrite-kernel-configs.yml), deletion of kernel config files does not need to be handled. The workflow intentionally only captures ACMR (added/copied/modified/renamed) changes and does not need to propagate deletions to the aggregator.

Applied to files:

  • config/kernel/linux-meson64-edge.config
📚 Learning: 2025-10-04T17:59:19.369Z
Learnt from: igorpecovnik
Repo: armbian/build PR: 8705
File: .github/workflows/rewrite-kernel-configs.yml:217-220
Timestamp: 2025-10-04T17:59:19.369Z
Learning: In the Armbian build repository's kernel config rewrite workflow (.github/workflows/rewrite-kernel-configs.yml), the workflow is designed to rewrite existing kernel configs only. New/untracked files can be safely ignored, so using `git diff --quiet` (which ignores untracked files) is the correct approach for detecting changes rather than `git status --porcelain`.

Applied to files:

  • config/kernel/linux-meson64-edge.config
📚 Learning: 2025-12-01T02:34:37.451Z
Learnt from: tabrisnet
Repo: armbian/build PR: 9000
File: config/desktop/questing/environments/xfce/debian/postinst:17-18
Timestamp: 2025-12-01T02:34:37.451Z
Learning: In the Armbian build system shell scripts, the sed pattern with -i flag placed after the script argument (e.g., `sed "s/.../.../" -i file`) is intentional and correct. While non-POSIX, this GNU sed extension is used throughout the codebase and works correctly in the Armbian build environment. This pattern should not be flagged as incorrect.

Applied to files:

  • config/kernel/linux-meson64-edge.config
📚 Learning: 2025-06-24T10:08:40.313Z
Learnt from: EvilOlaf
Repo: armbian/build PR: 8328
File: lib/functions/compilation/patch/drivers_network.sh:542-545
Timestamp: 2025-06-24T10:08:40.313Z
Learning: In the Armbian build system, when a PR removes build support for a specific kernel version, version check issues for that removed version become practically irrelevant even if they appear incorrect in isolation. Context about which kernel versions are being deprecated/removed is important for understanding the impact of version-related code changes.

Applied to files:

  • config/kernel/linux-meson64-edge.config
📚 Learning: 2025-12-17T05:09:02.306Z
Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-12-17T05:09:02.306Z
Learning: In the Armbian build system, kernel patches (e.g., in patch/kernel/archive/sunxi-6.18/patches.armbian/) contain device tree overlays and other code that have existed for years and are maintained/ported across kernel versions. When reviewing PRs that modify these patch files, focus on the actual changes being made (e.g., Makefile fixes, new additions) rather than reviewing the entire existing content within the patch as if it were new code. The patch file contents are existing, stable code unless explicitly modified in the PR diff.

Applied to files:

  • config/kernel/linux-meson64-edge.config
📚 Learning: 2025-07-25T03:51:50.830Z
Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub API (https://api.github.com/repos/armbian/build/pulls/{pr_number}/files) to get the complete picture of what files are being added or modified, especially for U-Boot patches that will be applied during the build process.

Applied to files:

  • config/kernel/linux-meson64-edge.config
📚 Learning: 2025-12-16T13:40:07.649Z
Learnt from: igorpecovnik
Repo: armbian/build PR: 9087
File: .github/workflows/pr-check-pictures.yml:138-146
Timestamp: 2025-12-16T13:40:07.649Z
Learning: In the Armbian build repository, when introducing new requirements or checks (like the board assets verification workflow), the project prefers an initial educational-only period where violations post helpful PR comments and warnings but don't block merges. This allows contributors to become familiar with new requirements before enforcement is enabled (typically after ~6 months).

Applied to files:

  • config/kernel/linux-meson64-edge.config
📚 Learning: 2025-12-17T15:46:22.709Z
Learnt from: EvilOlaf
Repo: armbian/build PR: 9096
File: patch/kernel/archive/sunxi-6.18/patches.armbian/arm64-dts-sun50i-h616-add-overlays.patch:4-5
Timestamp: 2025-12-17T15:46:22.709Z
Learning: In Armbian kernel patches, when patches are renamed or reorganized, the old Subject line may be intentionally preserved in the patch header (as a second Subject line) for archival/historical purposes to document the previous patch name. This is an Armbian-specific practice for tracking patch evolution and should not be flagged as an error when the maintainer has intentionally included it for documentation.

Applied to files:

  • config/kernel/linux-meson64-edge.config
📚 Learning: 2025-03-31T22:20:48.475Z
Learnt from: rpardini
Repo: armbian/build PR: 8044
File: patch/u-boot/v2025.04/cmd-fileenv-read-string-from-file-into-env.patch:76-86
Timestamp: 2025-03-31T22:20:48.475Z
Learning: For the Armbian build project, maintaining consistency with existing patches across U-Boot versions (such as between 2025.01 and 2025.04) is prioritized over refactoring individual patches for code improvements.

Applied to files:

  • config/kernel/linux-meson64-edge.config
📚 Learning: 2025-11-11T20:56:20.303Z
Learnt from: glneo
Repo: armbian/build PR: 8913
File: config/sources/families/include/k3_common.inc:57-60
Timestamp: 2025-11-11T20:56:20.303Z
Learning: In config/sources/families/include/k3_common.inc, the OP-TEE build command at line 59 should be updated in a future PR to explicitly set CROSS_COMPILE64=aarch64-linux-gnu- and CROSS_COMPILE32=arm-linux-gnueabihf- instead of relying on OP-TEE's internal defaults, for better clarity and maintainability. User glneo agreed to address this in a separate PR.

Applied to files:

  • config/kernel/linux-meson64-edge.config
📚 Learning: 2025-07-15T21:09:23.252Z
Learnt from: pyavitz
Repo: armbian/build PR: 8383
File: config/kernel/linux-sunxi64-edge.config:57-64
Timestamp: 2025-07-15T21:09:23.252Z
Learning: In Linux kernel configuration, when CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y is set, the ondemand governor is implicitly enabled by default, making the explicit CONFIG_CPU_FREQ_GOV_ONDEMAND=y line redundant. The make menuconfig tool automatically removes such redundant lines. This behavior applies to CPU frequency governor configurations in general - setting a default governor automatically enables that governor.

Applied to files:

  • config/kernel/linux-sunxi64-edge.config
  • config/kernel/linux-sunxi-current.config
📚 Learning: 2025-10-26T10:41:35.118Z
Learnt from: HackingGate
Repo: armbian/build PR: 8665
File: config/boards/photonicat2.csc:4-4
Timestamp: 2025-10-26T10:41:35.118Z
Learning: In the Armbian build system, rk3576 boards consistently use BOARDFAMILY="rk35xx" for both vendor and edge kernel targets. The rk35xx family configuration sources rockchip64_common.inc, which provides edge and current kernel branch definitions, making these branches available even though they're not defined directly in rk35xx.conf.

Applied to files:

  • config/kernel/linux-rockchip-edge.config
📚 Learning: 2025-10-26T12:56:29.185Z
Learnt from: rpardini
Repo: armbian/build PR: 8820
File: config/sources/families/include/meson64_common.inc:51-53
Timestamp: 2025-10-26T12:56:29.185Z
Learning: In the Armbian build framework, scripts/config correctly handles kernel configuration option names both with and without the CONFIG_ prefix, so opts_m+=("CONFIG_RTL8822CS") and opts_m+=("RTL8822CS") are both valid and will work correctly.

Applied to files:

  • lib/functions/compilation/armbian-kernel.sh
  • config/kernel/linux-rk322x-current.config
📚 Learning: 2025-12-18T23:40:41.627Z
Learnt from: rpardini
Repo: armbian/build PR: 9101
File: lib/functions/image/compress-checksum.sh:44-48
Timestamp: 2025-12-18T23:40:41.627Z
Learning: In the Armbian build framework, scripts run with set -e, so a non-zero exit status will abort the script. During reviews, assume failures will stop execution unless explicitly handled. Verify that commands that must fail are checked, errors are propagated, and any critical steps have proper error handling (e.g., using pipefail where appropriate, checking exit codes, and not masking failures).

Applied to files:

  • lib/functions/compilation/armbian-kernel.sh
🔇 Additional comments (8)
config/kernel/linux-sunxi-current.config (1)

9-9: Remove manual config edit; BPF_UNPRIV_DEFAULT_OFF is already handled centrally.

The security improvement is correct, but the manual config file edit is redundant. The armbian_kernel_config__600_enable_ebpf_and_btf_info function already sets BPF_UNPRIV_DEFAULT_OFF in its opts_y array (line 123 of lib/functions/compilation/armbian-kernel.sh). This setting is applied automatically during kernel compilation, making the manual edit to the config file unnecessary.

Remove this change from the config file and rely on the existing central function to apply the setting consistently across all configurations.

Likely an incorrect or invalid review comment.

config/kernel/linux-mvebu-edge.config (1)

9-12: Unprivileged BPF default-off correctly enabled for mvebu

Setting CONFIG_BPF_UNPRIV_DEFAULT_OFF=y here is consistent with the existing BPF enablement and matches the PR goal of disabling unprivileged eBPF by default while preserving privileged BPF use. No conflicts apparent in this defconfig overlay.

config/kernel/linux-rockchip64-current.config (1)

9-13: Rockchip64: BPF_UNPRIV_DEFAULT_OFF aligns with existing BPF stack

With CONFIG_BPF_SYSCALL=y, CONFIG_BPF_JIT=y and CONFIG_BPF_LSM=y already enabled, adding CONFIG_BPF_UNPRIV_DEFAULT_OFF=y gives the intended “BPF available but unprivileged disabled by default” behavior and should clean up the Spectre v2 vulnerability reporting. Looks coherent for this family.

config/kernel/linux-imx6-edge.config (1)

10-14: i.MX6 edge: consistent unprivileged BPF default-off

Adding CONFIG_BPF_UNPRIV_DEFAULT_OFF=y next to the existing BPF JIT options consistently applies the “unprivileged BPF disabled by default” policy here as well, matching the other families and the PR’s security objective.

config/kernel/linux-rk322x-current.config (1)

95-106: Enable CONFIG_BPF_UNPRIV_DEFAULT_OFF for correct unprivileged eBPF state

Setting CONFIG_BPF_UNPRIV_DEFAULT_OFF=y here is consistent with the existing BPF settings and with the PR goal of having unprivileged eBPF disabled by default and properly reflected in the Spectre v2 vulnerability output. No issues spotted.

config/kernel/linux-rockchip-edge.config (1)

8-12: Rockchip edge: unprivileged eBPF default‑off is correctly enabled

CONFIG_BPF_UNPRIV_DEFAULT_OFF=y complements CONFIG_BPF_SYSCALL/CONFIG_BPF_JIT and aligns this defconfig with the intended “unprivileged eBPF disabled by default” behavior and reporting. Looks good.

config/kernel/linux-meson64-edge.config (1)

7-11: Enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF here is correct and consistent.

Placed alongside the other BPF options, this ensures unprivileged BPF is default‑off for meson64 edge and matches the central armbian‑kernel.sh logic.

config/kernel/linux-sunxi64-edge.config (1)

7-9: Sunxi64 edge config correctly enables CONFIG_BPF_UNPRIV_DEFAULT_OFF.

The new line sits with the other BPF knobs and matches the intended “unprivileged BPF default‑off” behavior across ARM64 kernels.

CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
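Review bot: the replaced `# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set` line is the only text the `sed` from the PR description matches, so an overlay that has `CONFIG_BPF_SYSCALL=y` but carries no line for this option at all is left unchanged by this edit. Before merging, list the files under config/kernel/ that contain `CONFIG_BPF_SYSCALL=y` without `CONFIG_BPF_UNPRIV_DEFAULT_OFF=y` and confirm that each one is intentional.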

🛠️ Refactor suggestion | 🟠 Major

Implement this change centrally in armbian-kernel.sh instead of editing config files directly.

Based on PR discussion and project maintainers' feedback, kernel config changes should be made in lib/functions/compilation/armbian-kernel.sh (function armbian_kernel_config__600_enable_ebpf_and_btf_info), not by directly editing config overlay files. Config files in config/kernel/ are autogenerated and periodically rewritten, so these manual edits will be lost.

Recommended centralized approach

In lib/functions/compilation/armbian-kernel.sh, modify the armbian_kernel_config__600_enable_ebpf_and_btf_info function to include:

 function armbian_kernel_config__600_enable_ebpf_and_btf_info() {
     # ... existing code ...
     declare -g -a opts_y=(
         # ... existing opts_y entries ...
+        "BPF_UNPRIV_DEFAULT_OFF"  # Disable unprivileged BPF by default
     )
     # ... rest of function ...
 }

Then run rewrite-kernel-config to propagate the change to all affected config files automatically. This avoids mass file churn and ensures the setting persists through future config regeneration cycles.

Based on learnings: Armbian kernel configuration files are generated through an automated process and manual edits will be lost during future updates.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In config/kernel/linux-bcm2711-legacy.config around line 10 the change
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y was made directly in a generated config file;
instead, open lib/functions/compilation/armbian-kernel.sh and update the
function armbian_kernel_config__600_enable_ebpf_and_btf_info to add the
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y setting there (so it is applied centrally during
config generation), save the file, then run the rewrite-kernel-config helper to
regenerate all config overlays so the change propagates and avoids being
overwritten by future automated rewrites.

CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
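Review bot: missing documentation for the behaviour change at the added `CONFIG_BPF_UNPRIV_DEFAULT_OFF=y` line. With `CONFIG_BPF_SYSCALL=y` and `CONFIG_BPF_JIT=y` in the same block, this changes the default for unprivileged BPF users on this family, while the PR text describes it only as a fix for the spectre_v2 string. The commit message should state the new default and record that the sysfs file quoted in the description was re-read on an image built for this family.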

⚠️ Potential issue | 🟠 Major

Modify lib/functions/compilation/armbian-kernel.sh instead of direct config file edits.

The configuration value is correct, but this approach violates Armbian conventions. Per the PR comments and project practices, kernel config files in config/kernel/ are autogenerated overlays—direct edits will be overwritten by the periodic rewrite-kernel-config job.

The proper approach is to add BPF_UNPRIV_DEFAULT_OFF to the opts_y array in the armbian_kernel_config__600_enable_ebpf_and_btf_info function within lib/functions/compilation/armbian-kernel.sh. This ensures the option propagates correctly through the kernel config generation flow (previous config → script modifications → make oldconfig → Armbian processing) and persists across automated rewrites.

After making the change in the centralized script, run rewrite-kernel-config to regenerate all affected config files properly.

Based on learnings and PR comments from tabrisnet and coderabbitai bot.

🤖 Prompt for AI Agents
In config/kernel/linux-mvebu64-legacy.config line 10 you added
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y directly, but kernel config overlays are
autogenerated and will be overwritten; instead edit
lib/functions/compilation/armbian-kernel.sh: locate the function
armbian_kernel_config__600_enable_ebpf_and_btf_info and add
BPF_UNPRIV_DEFAULT_OFF to its opts_y array (ensure the symbol name is exact, no
CONFIG_ prefix), remove the direct change to the config file, then run the
rewrite-kernel-config job locally to regenerate the config files so the change
persists across automated rewrites.

CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
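
Review bot: the swap of `# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set` for `=y` is a text substitution, so it only reaches fragments that carry the explicit "is not set" line; a fragment with `CONFIG_BPF_SYSCALL=y` and no mention of the option at all is left untouched. Suggest confirming before merge that no file under `config/kernel/` has `CONFIG_BPF_SYSCALL=y` without `CONFIG_BPF_UNPRIV_DEFAULT_OFF=y`, and recording the result in the PR description.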

⚠️ Potential issue | 🟠 Major

Modify lib/functions/compilation/armbian-kernel.sh instead of manually editing config files.

Directly editing config/kernel/*.config files is not the correct approach in Armbian. Kernel config files are autogenerated through an automated process—taking a previous config, applying scripted changes from armbian-kernel.sh, running kernel's make oldconfig, then processing back into config files. These changes will be overwritten during periodic rewrite-kernel-config jobs.

The correct approach is to add CONFIG_BPF_UNPRIV_DEFAULT_OFF to the appropriate kernel configuration function in lib/functions/compilation/armbian-kernel.sh (specifically in armbian_kernel_config__600_enable_ebpf_and_btf_info), then run rewrite-kernel-config to regenerate all config files consistently. This ensures the change survives future rewrites and maintains consistency across all board variants sharing the same kernel family.

Verify that armbian-kernel.sh has been properly modified with this option and that rewrite-kernel-config has been run to regenerate the config files.

🤖 Prompt for AI Agents
In config/kernel/linux-sunxi64-current.config around line 9, the change to add
CONFIG_BPF_UNPRIV_DEFAULT_OFF directly into a generated kernel config is
incorrect; instead, open lib/functions/compilation/armbian-kernel.sh and add the
CONFIG_BPF_UNPRIV_DEFAULT_OFF option to the
armbian_kernel_config__600_enable_ebpf_and_btf_info kernel-config function (so
it is applied during automated config generation), commit that change, then run
rewrite-kernel-config to regenerate all config/kernel/*.config files and verify
the option appears in the regenerated files; do not manually edit generated
config files.
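
A coverage check for the option discussed in this thread, as an added example that is not part of the PR or of Armbian's build scripts: it classifies each `*.config` fragment by whether `CONFIG_BPF_SYSCALL=y` is paired with `CONFIG_BPF_UNPRIV_DEFAULT_OFF=y`. The function names, the sample fragments and the choice to flag an absent option are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit kernel config fragments for the unprivileged-BPF default.
# classify_config FILE prints one of:
#   ok       - BPF syscall enabled and CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
#   exposed  - BPF syscall enabled, option explicitly "is not set"
#   missing  - BPF syscall enabled, option absent (assumption: treat as a finding)
#   n/a      - CONFIG_BPF_SYSCALL not enabled, so the option is irrelevant
classify_config() {
    f=$1
    if ! grep -qx 'CONFIG_BPF_SYSCALL=y' "$f"; then
        echo "n/a"
    elif grep -qx 'CONFIG_BPF_UNPRIV_DEFAULT_OFF=y' "$f"; then
        echo "ok"
    elif grep -qx '# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set' "$f"; then
        echo "exposed"
    else
        echo "missing"
    fi
}

# audit_dir DIR prints "<status> <file name>" for every *.config that is
# neither ok nor n/a, and returns non-zero if it printed anything (CI gate).
audit_dir() {
    rc=0
    for f in "$1"/*.config; do
        [ -e "$f" ] || continue
        s=$(classify_config "$f")
        case $s in
            ok|n/a) ;;
            *) echo "$s $(basename "$f")"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample fragments (not the repository's real files).
make_samples() {
    d=$(mktemp -d)
    printf 'CONFIG_BPF_SYSCALL=y\nCONFIG_BPF_JIT=y\nCONFIG_BPF_UNPRIV_DEFAULT_OFF=y\n' > "$d/fixed.config"
    printf 'CONFIG_BPF_SYSCALL=y\n# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set\n' > "$d/unset.config"
    printf 'CONFIG_BPF_SYSCALL=y\nCONFIG_BPF_JIT=y\n' > "$d/absent.config"
    printf '# CONFIG_BPF_SYSCALL is not set\n' > "$d/nobpf.config"
    echo "$d"
}
```

Pointing `audit_dir` at a checkout's `config/kernel` directory lists the fragments a literal search-and-replace would not have reached.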


Labels

02 Milestone: First quarter release Framework Framework components Hardware Hardware related like kernel, U-Boot, ... Needs review Seeking for review size/medium PR with more then 50 and less then 250 lines
