Improve UEFI x86 / arm64 images

[igorpecovnik]

Description

• synchronize x86 config with Ubuntu kernel

How Has This Been Tested?

• Build XFCE and Gnome image and booted on Intel laptop and Khadas Mind
• Sound output
• Video acceleration

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• My changes generate no new warnings
• Any dependent changes have been merged and published in downstream modules

[coderabbitai]

Walkthrough

The changes involve extensive updates to two Linux kernel configuration files, primarily for x86 UEFI and edge variants. Key modifications include switching the kernel compression algorithm from LZ4 to ZSTD, enabling full tickless (NO_HZ_FULL) operation, and activating a wide range of new hardware drivers and subsystems. Numerous security, debugging, and performance features are enabled, such as RCU lazy mode, user shadow stack, SLS mitigation, and livepatch. The kernel timer frequency is set to 1000 Hz. Additional support for networking, Bluetooth, storage, sensors, power management, and platform-specific drivers is introduced, along with expanded cryptography and tracing options.

Suggested labels

Ready to merge

Suggested reviewers

• rpardini
• PanderMusubi
• janprunk
• krachlatte
• leggewie
• EvilOlaf
• sgjava
• AGM1968
• TheSnowfield
• Tonymac32
• JohnTheCoolingFan
• pyavitz
• NicoD-SBC
• schwar3kat

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch x86

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai auto-generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

config/kernel/linux-uefi-x86-edge.config (2)

155-156: Enabling the legacy ISA bus widens attack-surface

CONFIG_ISA_BUS=y re-opens a class of 16-bit PIO device drivers that have been dormant for years. None of the target x86-UEFI devices (Khadas Mind, modern laptops) expose an ISA bridge; the option just pulls in piles of unsigned in-tree code.

Recommend reverting unless you have a concrete ISA-needs board.

---

6078-6090: Heavy debug/sanitiser set will slow runtime & explode image size

DWARF5 (DEBUG_INFO_DWARF5), BTF, UBSAN, DYNAMIC_DEBUG, KGDB, KDB, LATENCYTOP, STACK_TRACER, etc. add ~30 MiB to the vmlinuz and keep a lot of code permanently built-in. This is excellent for development but hurts boot time and memory on production images.

If the edge flavour targets end-users rather than kernel hackers, consider moving these to a separate -dbg build.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3a9babe and d52adfd.

📒 Files selected for processing (2)

• config/kernel/linux-uefi-x86-current.config (180 hunks)
• config/kernel/linux-uefi-x86-edge.config (178 hunks)

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: EvilOlaf
PR: armbian/build#8328
File: lib/functions/compilation/patch/drivers_network.sh:542-545
Timestamp: 2025-06-24T10:08:40.313Z
Learning: In the Armbian build system, when a PR removes build support for a specific kernel version, version check issues for that removed version become practically irrelevant even if they appear incorrect in isolation. Context about which kernel versions are being deprecated/removed is important for understanding the impact of version-related code changes.

Learnt from: rpardini
PR: armbian/build#8044
File: patch/u-boot/v2025.04/cmd-fileenv-read-string-from-file-into-env.patch:76-86
Timestamp: 2025-03-31T22:20:48.475Z
Learning: For the Armbian build project, maintaining consistency with existing patches across U-Boot versions (such as between 2025.01 and 2025.04) is prioritized over refactoring individual patches for code improvements.

Learnt from: rpardini
PR: armbian/build#8044
File: patch/u-boot/v2025.04/cmd-fileenv-read-string-from-file-into-env.patch:73-75
Timestamp: 2025-03-31T22:20:41.849Z
Learning: When porting patches between U-Boot versions (like from 2025.01 to 2025.04), rpardini prefers to maintain patches as-is rather than introducing refactoring changes, even when potential improvements are identified. This approach prioritizes consistency and reduces the risk of introducing new issues.

Learnt from: libiunc
PR: armbian/build#8033
File: config/kernel/linux-starfive2-vendor.config:43-43
Timestamp: 2025-03-31T12:57:13.880Z
Learning: For StarFive2 platform kernel configurations, maintain alignment with vendor-provided configurations rather than modifying security settings like SECCOMP. This ensures hardware compatibility as intended by the manufacturer.

Learnt from: pyavitz
PR: armbian/build#8361
File: config/kernel/linux-sunxi64-edge.config:594-597
Timestamp: 2025-07-06T16:27:45.349Z
Learning: In Armbian sunxi64-edge kernel configurations, PCI/PCIe support may be enabled for future-proofing purposes to support upcoming Allwinner SoCs like the T536 that include PCIe Gen2 interfaces, even if current primary targets like H616 lack PCIe controllers. This forward-looking approach prepares the configuration for next-generation hardware in the same SoC family.

Learnt from: EvilOlaf
PR: armbian/build#8330
File: config/sources/families/sun55iw3.conf:32-36
Timestamp: 2025-06-25T03:42:09.086Z
Learning: In Armbian build system configuration files like config/sources/families/*.conf, KERNELSOURCE is explicitly declared when using unofficial or 3rd party kernel repositories (like the "dev" branch using https://github.com/apritzel/linux), but can be omitted when using the standard mainline kernel (like the "edge" branch) since it will fall back to the default mainline source.

Learnt from: EvilOlaf
PR: armbian/build#0
File: :0-0
Timestamp: 2025-06-16T03:24:00.458Z
Learning: In Armbian board configuration files (.csc), the standard pattern is to have only one line as a comment describing the board hardware specifications. This single-line description typically includes the SoC model, core count, RAM options, and key features like connectivity options, storage interfaces, and special features.

config/kernel/linux-uefi-x86-edge.config (5)

undefined

<retrieved_learning>
Learnt from: libiunc
PR: #8033
File: config/kernel/linux-starfive2-vendor.config:43-43
Timestamp: 2025-03-31T12:57:13.880Z
Learning: For StarFive2 platform kernel configurations, maintain alignment with vendor-provided configurations rather than modifying security settings like SECCOMP. This ensures hardware compatibility as intended by the manufacturer.
</retrieved_learning>

<retrieved_learning>
Learnt from: pyavitz
PR: #8361
File: config/kernel/linux-sunxi64-edge.config:594-597
Timestamp: 2025-07-06T16:27:45.349Z
Learning: In Armbian sunxi64-edge kernel configurations, PCI/PCIe support may be enabled for future-proofing purposes to support upcoming Allwinner SoCs like the T536 that include PCIe Gen2 interfaces, even if current primary targets like H616 lack PCIe controllers. This forward-looking approach prepares the configuration for next-generation hardware in the same SoC family.
</retrieved_learning>

<retrieved_learning>
Learnt from: EvilOlaf
PR: #8330
File: config/sources/families/sun55iw3.conf:32-36
Timestamp: 2025-06-25T03:42:09.086Z
Learning: In Armbian build system configuration files like config/sources/families/*.conf, KERNELSOURCE is explicitly declared when using unofficial or 3rd party kernel repositories (like the "dev" branch using https://github.com/apritzel/linux), but can be omitted when using the standard mainline kernel (like the "edge" branch) since it will fall back to the default mainline source.
</retrieved_learning>

<retrieved_learning>
Learnt from: EvilOlaf
PR: armbian/build#0
File: :0-0
Timestamp: 2025-06-16T03:24:00.458Z
Learning: In Armbian board configuration files (.csc), the standard pattern is to have only one line as a comment describing the board hardware specifications. This single-line description typically includes the SoC model, core count, RAM options, and key features like connectivity options, storage interfaces, and special features.
</retrieved_learning>

<retrieved_learning>
Learnt from: djurny
PR: #8235
File: packages/bsp/mvebu/helios4/helios4-wol.service:0-0
Timestamp: 2025-05-29T01:56:01.604Z
Learning: For ARM-based devices like Helios4 that use DeviceTree, the expected systemd network interface naming scheme is "end[0-9]+" (DeviceTree alias index), making the regex "^(eth|en[do])[0-9]+" appropriate as it covers traditional "eth", PCI on-board "eno", and DeviceTree "end" interfaces without unnecessary "enp" (PCI slot) support.
</retrieved_learning>

config/kernel/linux-uefi-x86-current.config (4)

undefined

<retrieved_learning>
Learnt from: libiunc
PR: #8033
File: config/kernel/linux-starfive2-vendor.config:43-43
Timestamp: 2025-03-31T12:57:13.880Z
Learning: For StarFive2 platform kernel configurations, maintain alignment with vendor-provided configurations rather than modifying security settings like SECCOMP. This ensures hardware compatibility as intended by the manufacturer.
</retrieved_learning>

<retrieved_learning>
Learnt from: pyavitz
PR: #8361
File: config/kernel/linux-sunxi64-edge.config:594-597
Timestamp: 2025-07-06T16:27:45.349Z
Learning: In Armbian sunxi64-edge kernel configurations, PCI/PCIe support may be enabled for future-proofing purposes to support upcoming Allwinner SoCs like the T536 that include PCIe Gen2 interfaces, even if current primary targets like H616 lack PCIe controllers. This forward-looking approach prepares the configuration for next-generation hardware in the same SoC family.
</retrieved_learning>

<retrieved_learning>
Learnt from: EvilOlaf
PR: armbian/build#0
File: :0-0
Timestamp: 2025-06-16T03:24:00.458Z
Learning: In Armbian board configuration files (.csc), the standard pattern is to have only one line as a comment describing the board hardware specifications. This single-line description typically includes the SoC model, core count, RAM options, and key features like connectivity options, storage interfaces, and special features.
</retrieved_learning>

<retrieved_learning>
Learnt from: djurny
PR: #8235
File: packages/bsp/mvebu/helios4/helios4-wol.service:0-0
Timestamp: 2025-05-29T01:56:01.604Z
Learning: For ARM-based devices like Helios4 that use DeviceTree, the expected systemd network interface naming scheme is "end[0-9]+" (DeviceTree alias index), making the regex "^(eth|en[do])[0-9]+" appropriate as it covers traditional "eth", PCI on-board "eno", and DeviceTree "end" interfaces without unnecessary "enp" (PCI slot) support.
</retrieved_learning>

🔇 Additional comments (6)

config/kernel/linux-uefi-x86-edge.config (4)

7-8: NO_HZ _FULL is a specialist option – confirm runtime isolation strategy

CONFIG_NO_HZ_FULL=y turns all non-housekeeping CPUs into full-tickless mode.
Without the matching boot parameters (nohz_full=<cpu-list>, isolcpus=, rcu_nocbs= …) users will see higher latency, scheduler stalls and RCU warnings.

Please double-check that the image generator injects the proper kernel command-line dynamically or consider keeping only CONFIG_NO_HZ (dyn-tick) for generic images.

---

158-162: KVM_WERROR stops the build on any new GCC/Clang warning

While useful for CI on upstream, CONFIG_KVM_WERROR=y makes distribution builds brittle (new compiler versions ‑> fail). Consider switching it off for release artefacts.

-CONFIG_KVM_WERROR=y
+# CONFIG_KVM_WERROR is not set

---

166-168: 32-bit and compat ASLR entropy maxed – verify userspace

ARCH_MMAP_RND_BITS=32 / ARCH_MMAP_RND_COMPAT_BITS=16 are the absolute maxima.
Some 32-bit Wine / proprietary binaries still choke on >8 bits entropy.
If legacy 32-bit support matters, consider dialing this back (e.g. 24 / 8).

---

5749-5778: BCACHEFS is still marked experimental – shipping it as a module needs tooling

Enabling:

CONFIG_BCACHEFS_FS=m
CONFIG_BCACHEFS_{QUOTA,ERASURE_CODING,POSIX_ACL}=y

is fine, but:

1. mkfs.bcachefs is not in Debian/Ubuntu main – the rootfs builder must add the userspace package from upstream.
2. Upstreams warn about on-disk format churn until v1.0 lands.

Please confirm you really want to expose this to end-users now.

config/kernel/linux-uefi-x86-current.config (2)

70-76: Re-evaluate CONFIG_MAXSMP; huge memory overhead for little gain.

CONFIG_MAXSMP bumps NR_CPUS to the architecture maximum (8192 on x86_64) and disables a number of static optimisations.
Result: larger .text, bigger per-CPU memory allocations and longer boot on modest HW, with zero benefit on typical x86 devices (< 64 CPUs).

Unless you explicitly need >512 logical cores, prefer the regular CONFIG_NR_CPUS=<reasonable> setting used by Ubuntu’s generic kernel.

---

6125-6135: Heavy debug options enabled – check that they are intended for release kernels.

CONFIG_BOOT_PRINTK_DELAY, extensive CONFIG_DYNAMIC_DEBUG, CONFIG_DEBUG_INFO_DWARF5, CONFIG_GDB_SCRIPTS, CONFIG_UBSAN, CONFIG_KGDB*, etc. are all on.
These bloat the image, grow DWARF to ~hundreds MB, and can hit boot time.
If the goal is strict parity with Ubuntu-generic, confirm that each of these flags is really supposed to stay enabled.

[coderabbitai]

🛠️ Refactor suggestion

MAXSMP inflates kernel text/data by >15 MiB for little gain

CONFIG_MAXSMP=y forces NR_CPUS=8192, bloating the .text/.data/bss sections and slowing boot (sibling CPU maps, mask copies). Real-world x86_64 HW in the field rarely exceeds 512 logical CPUs.

-CONFIG_MAXSMP=y
+# CONFIG_MAXSMP is not set
+CONFIG_NR_CPUS=512

Unless you have a hard requirement for >512 CPUs, disabling MAXSMP and capping NR_CPUS keeps the kernel footprint lean while still covering contemporary HEDT/EPYC hardware.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	CONFIG_PROCESSOR_SELECT=y
	CONFIG_GART_IOMMU=y
	CONFIG_NR_CPUS=512
	CONFIG_MAXSMP=y
	CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y
	CONFIG_PROCESSOR_SELECT=y
	CONFIG_GART_IOMMU=y
	# CONFIG_MAXSMP is not set
	CONFIG_NR_CPUS=512
	CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y

🤖 Prompt for AI Agents

In config/kernel/linux-uefi-x86-edge.config around lines 74 to 77, the
CONFIG_MAXSMP=y setting causes excessive kernel size by forcing NR_CPUS=8192,
which is unnecessary for most real-world hardware. To fix this, disable
CONFIG_MAXSMP by setting it to 'n' or removing it, and explicitly set NR_CPUS to
512 or a suitable lower value to reduce kernel bloat and improve boot
performance.

[coderabbitai]

⚠️ Potential issue

Do not ship the kernel with CONFIG_KVM_WERROR=y.

CONFIG_KVM_WERROR converts any WARN_ON*() inside KVM into a hard failure that terminates the VM or panics the host (depending on context).
That is appropriate for development CI but far too risky for a production-grade distro kernel – a single harmless warning can instantly take a user’s machine down.

-CONFIG_KVM_WERROR=y
+# Keep KVM warnings non-fatal
+# They are logged anyway and can be promoted to panics via kernel command line if needed.
+#CONFIG_KVM_WERROR is not set

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	CONFIG_KVM=m
	CONFIG_KVM_WERROR=y
	CONFIG_KVM_SW_PROTECTED_VM=y
	CONFIG_KVM_INTEL=m
	CONFIG_KVM_INTEL_PROVE_VE=y
	CONFIG_KVM=m
	# Keep KVM warnings non-fatal
	# They are logged anyway and can be promoted to panics via kernel command line if needed.
	#CONFIG_KVM_WERROR is not set
	CONFIG_KVM_SW_PROTECTED_VM=y
	CONFIG_KVM_INTEL=m
	CONFIG_KVM_INTEL_PROVE_VE=y

🤖 Prompt for AI Agents

In config/kernel/linux-uefi-x86-current.config around lines 156 to 160, the
CONFIG_KVM_WERROR option is set to 'y', which causes any KVM warnings to trigger
hard failures or panics, unsuitable for production. Change CONFIG_KVM_WERROR
from 'y' to 'n' or remove it entirely to prevent these warnings from causing VM
termination or host panics in production environments.