kernel configs: disable unprivileged BPF

[neheb]

Fixes wrong CPU vulnerability output:

/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation:Vulnerable: Unprivileged eBPF enabled

It's enabled but CONFIG_BPF_UNPRIV_DEFAULT_OFF being unset causes the warning.

This warning happens on ARM32 and ARM64 devices.

Edited with:
find -name "*.config" -exec sed -i 's/# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set/CONFIG_BPF_UNPRIV_DEFAULT_OFF=y/g' '{}' ;

CONFIG_BPF_UNPRIV_DEFAULT_OFF is a Linux kernel build-time hardening option that disables unprivileged use of the bpf() syscall (and thus unprivileged eBPF loading) by default by setting kernel.unprivileged_bpf_disabled=2 at boot. With this default, only privileged processes (e.g., with CAP_SYS_ADMIN / CAP_BPF, depending on kernel) can load eBPF unless an administrator explicitly relaxes it. [1], [2]

Operational behavior you should know

kernel.unprivileged_bpf_disabled semantics (as documented in the kernel sysctl docs/patch):

• 0: unprivileged bpf() allowed
• 1: unprivileged bpf() blocked and cannot be re-enabled until reboot (no transition back to 0 while running)
• 2: unprivileged bpf() blocked but admin can later switch to 0 or 1 if needed
  If CONFIG_BPF_UNPRIV_DEFAULT_OFF=y, the default becomes 2 instead of 0. [2]

Summary by CodeRabbit

Summary by CodeRabbit

• Chores
  • Enhanced kernel compilation configuration by adding an additional eBPF security option when sufficient RAM is available during the build process.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[EvilOlaf]

Why should this override?

[tabrisnet]

My original question here was whether the automated machinery would elide the changed line altogether, as, being an overlay, if it would already by =y then it would be evaluated as redundant by savedefconfig.

[neheb]

https://github.com/neheb/build/actions/runs/20403772655 refuses to run

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

config/kernel/linux-mvebu-legacy.config (1)

94-105: CONFIG_BPF_UNPRIV_DEFAULT_OFF=y here is correct and aligned with the PR’s goal

Placing CONFIG_BPF_UNPRIV_DEFAULT_OFF=y alongside CONFIG_BPF=y / CONFIG_BPF_SYSCALL=y cleanly enforces “unprivileged eBPF default-off” on this legacy mvebu kernel, which is exactly what the spectre_v2 reporting logic expects. No conflicting BPF options are present in this block, so the change is safe and behaviorally clear.

If you later regenerate this autogen .config via rewrite-kernel-config, just ensure the armbian-kernel.sh hook also sets this symbol so the change persists and you don’t see churn in this file. Based on learnings, these configs are overlays on top of arch defconfig and are periodically rewritten.

config/kernel/linux-mvebu-current.config (1)

6-12: Defconfig overlay use of CONFIG_BPF_UNPRIV_DEFAULT_OFF=y looks good

Setting CONFIG_BPF_UNPRIV_DEFAULT_OFF=y in this Armbian mvebu “current” defconfig cleanly enforces unprivileged-BPF default-off (while keeping CONFIG_BPF_JIT=y and privileged BPF intact), matching the PR’s objective and the legacy config behavior. As an overlay, this is the appropriate place to override the kernel’s default for this family; any future rewrite of defconfigs will either preserve or drop it as redundant without functional risk.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 29fbc19 and b02f95c.

📒 Files selected for processing (33)

• config/kernel/linux-bcm2711-current.config (1 hunks)
• config/kernel/linux-bcm2711-edge.config (1 hunks)
• config/kernel/linux-bcm2711-legacy.config (1 hunks)
• config/kernel/linux-imx6-current.config (1 hunks)
• config/kernel/linux-imx6-edge.config (1 hunks)
• config/kernel/linux-imx6-legacy.config (1 hunks)
• config/kernel/linux-meson64-current.config (1 hunks)
• config/kernel/linux-meson64-edge.config (1 hunks)
• config/kernel/linux-mvebu-current.config (1 hunks)
• config/kernel/linux-mvebu-edge.config (1 hunks)
• config/kernel/linux-mvebu-legacy.config (1 hunks)
• config/kernel/linux-mvebu64-current.config (1 hunks)
• config/kernel/linux-mvebu64-edge.config (1 hunks)
• config/kernel/linux-mvebu64-legacy.config (1 hunks)
• config/kernel/linux-odroidxu4-current.config (1 hunks)
• config/kernel/linux-odroidxu4-edge.config (1 hunks)
• config/kernel/linux-rk322x-current.config (1 hunks)
• config/kernel/linux-rk322x-edge.config (1 hunks)
• config/kernel/linux-rk35xx-vendor.config (1 hunks)
• config/kernel/linux-rockchip-current.config (1 hunks)
• config/kernel/linux-rockchip-edge.config (1 hunks)
• config/kernel/linux-rockchip-rk3588-edge.config (1 hunks)
• config/kernel/linux-rockchip64-current.config (1 hunks)
• config/kernel/linux-rockchip64-edge.config (1 hunks)
• config/kernel/linux-sunxi-current.config (1 hunks)
• config/kernel/linux-sunxi-edge.config (1 hunks)
• config/kernel/linux-sunxi-legacy.config (1 hunks)
• config/kernel/linux-sunxi64-current.config (1 hunks)
• config/kernel/linux-sunxi64-edge.config (1 hunks)
• config/kernel/linux-sunxi64-legacy.config (1 hunks)
• config/kernel/linux-thead-legacy.config (1 hunks)
• config/kernel/linux-virtual-current.config (1 hunks)
• lib/functions/compilation/armbian-kernel.sh (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (22)

• config/kernel/linux-rockchip-edge.config
• config/kernel/linux-sunxi64-legacy.config
• config/kernel/linux-rockchip64-edge.config
• config/kernel/linux-mvebu64-edge.config
• config/kernel/linux-sunxi64-edge.config
• config/kernel/linux-rockchip-current.config
• config/kernel/linux-odroidxu4-current.config
• config/kernel/linux-rk322x-edge.config
• config/kernel/linux-bcm2711-current.config
• config/kernel/linux-imx6-legacy.config
• lib/functions/compilation/armbian-kernel.sh
• config/kernel/linux-imx6-current.config
• config/kernel/linux-bcm2711-edge.config
• config/kernel/linux-meson64-edge.config
• config/kernel/linux-meson64-current.config
• config/kernel/linux-mvebu64-current.config
• config/kernel/linux-rockchip64-current.config
• config/kernel/linux-sunxi-current.config
• config/kernel/linux-sunxi64-current.config
• config/kernel/linux-sunxi-edge.config
• config/kernel/linux-virtual-current.config
• config/kernel/linux-rockchip-rk3588-edge.config

🧰 Additional context used

🧠 Learnings (20)

📓 Common learnings

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.

Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub or the PR API to get the complete picture of what files are being added or modified.

Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub API (https://api.github.com/repos/armbian/build/pulls/{pr_number}/files) to get the complete picture of what files are being added or modified, especially for U-Boot patches that will be applied during the build process.

Learnt from: igorpecovnik
Repo: armbian/build PR: 9087
File: .github/workflows/pr-check-pictures.yml:138-146
Timestamp: 2025-12-16T13:40:07.649Z
Learning: In the Armbian build repository, when introducing new requirements or checks (like the board assets verification workflow), the project prefers an initial educational-only period where violations post helpful PR comments and warnings but don't block merges. This allows contributors to become familiar with new requirements before enforcement is enabled (typically after ~6 months).

Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-12-19T13:56:45.124Z
Learning: When reviewing kernel or u-boot version bump PRs in the Armbian build system, check if patches existed in previous kernel version directories (e.g., sunxi-6.12, sunxi-6.13) before describing them as new features. If a patch and the majority of its contents existed previously with no major functionality changes, focus the review on the actual changes: the version bump itself and patch compatibility adjustments. Don't describe existing patches being ported/maintained across versions as new features or drivers—this is misleading. The patches are existing code being re-aligned to work with the new upstream version.

Learnt from: EvilOlaf
Repo: armbian/build PR: 8328
File: lib/functions/compilation/patch/drivers_network.sh:542-545
Timestamp: 2025-06-24T10:08:40.313Z
Learning: In the Armbian build system, when a PR removes build support for a specific kernel version, version check issues for that removed version become practically irrelevant even if they appear incorrect in isolation. Context about which kernel versions are being deprecated/removed is important for understanding the impact of version-related code changes.

Learnt from: EvilOlaf
Repo: armbian/build PR: 8968
File: patch/u-boot/u-boot-sunxi/arm64-dts-sun50i-h6-orangepi.dtsi-Rollback-r_rsb-to-r_i2c.patch:36-36
Timestamp: 2025-11-20T18:20:11.985Z
Learning: The rewrite-patches tool (REWRITE_PATCHES=yes) in the Armbian build system can inadvertently introduce semantic changes when the u-boot/kernel git base revision differs from expected state. The tool applies patches, commits them, and re-exports them using git format-patch, which can cause the re-exported patch to reflect the base revision's state rather than preserving the original patch intent. This is particularly problematic for device tree changes like interrupt specifications. The tool currently lacks validation mechanisms to detect such semantic drift, and affected patches must be manually corrected after rewriting.

Learnt from: igorpecovnik
Repo: armbian/build PR: 8849
File: config/boards/radxa-e54c.csc:14-28
Timestamp: 2025-11-02T20:49:56.719Z
Learning: In Armbian board configuration files (config/boards/*.conf, *.csc, etc.), do not use kernel_config_set, kernel_config_set_m, kernel_config_set_y, or custom_kernel_config__* functions to modify kernel configuration. Kernel configuration is associated with LINUXFAMILY/BOARDFAMILY, not individual BOARD. Board-specific kernel modifications cause inconsistency in kernel packages published to the apt repository because boards within a family share the same kernel packages. Kernel configuration changes must be made in the appropriate kernel config file (e.g., config/kernel/linux-*-*.config) or in family configuration files (config/sources/families/*.conf, *.inc) instead.

Learnt from: glneo
Repo: armbian/build PR: 8913
File: config/sources/families/include/k3_common.inc:57-60
Timestamp: 2025-11-11T20:56:20.303Z
Learning: In config/sources/families/include/k3_common.inc, the OP-TEE build command at line 59 should be updated in a future PR to explicitly set CROSS_COMPILE64=aarch64-linux-gnu- and CROSS_COMPILE32=arm-linux-gnueabihf- instead of relying on OP-TEE's internal defaults, for better clarity and maintainability. User glneo agreed to address this in a separate PR.

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: The kernel_config_set_m function in lib/functions/compilation/armbian-kernel.sh preserves existing 'y' (built-in) settings and only sets options to 'm' (module) when they are not already built-in, achieving "prefer modules but allow built-ins" behavior.

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: The kernel_config_set_m function in lib/functions/compilation/armbian-kernel.sh preserves existing 'y' (built-in) settings and only sets options to 'm' (module) when they are not already built-in, achieving "prefer modules but allow built-ins" behavior.

Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:56:33.372Z
Learning: In Armbian kernel configuration, the BTRFS configuration logic preserves existing settings (whether built-in 'y' or module 'm') and only sets BTRFS_FS to module when it was previously disabled or not set, achieving "allow but not require" flexibility while maintaining backward compatibility.

Learnt from: igorpecovnik
Repo: armbian/build PR: 8789
File: config/kernel/linux-sunxi64-edge.config:839-839
Timestamp: 2025-10-22T07:56:19.424Z
Learning: In Linux kernel configuration, some `=y` (builtin) options are infrastructure or feature flags that enable subsystems or features for modular drivers, rather than directly compiling code into the kernel. For example, in Armbian wireless configs, options like CONFIG_SPARD_WLAN_SUPPORT=y, CONFIG_SC23XX=y, CONFIG_WCN_BSP_DRIVER_BUILDIN=y, CONFIG_UNISOC_WIFI_PS=y are module infrastructure/feature enablers, while the actual drivers (CONFIG_WLAN_UWE5621=m, CONFIG_WLAN_UWE5622=m) remain as loadable modules. These infrastructure options don't cause kernel bloat.

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the kernel_config_modifying_hashes array is not universally required for all kernel configuration functions - some functions like armbian_kernel_config__netkit() operate without it, and adding entries with '=m' would be incorrect when the actual result might be '=y' for options already built-in.

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the kernel_config_modifying_hashes array is not universally required for all kernel configuration functions - some functions like armbian_kernel_config__netkit() operate without it, and adding entries with '=m' would be incorrect when the actual result might be '=y' for options already built-in.

Learnt from: rpardini
Repo: armbian/build PR: 8820
File: config/sources/families/include/meson64_common.inc:51-53
Timestamp: 2025-10-26T12:56:29.185Z
Learning: In the Armbian build framework, scripts/config correctly handles kernel configuration option names both with and without the CONFIG_ prefix, so opts_m+=("CONFIG_RTL8822CS") and opts_m+=("RTL8822CS") are both valid and will work correctly.

Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:48:09.091Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the user prefers flexible grep patterns over anchored ones for BTRFS configuration checks, but agrees to use quiet grep (-q) to avoid polluting build logs.

📚 Learning: 2025-08-30T04:13:16.457Z

Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T04:13:16.457Z
Learning: Armbian kernel configuration files like linux-filogic-current.config are autogenerated overlays on top of arch defconfig. Comments added manually will be lost during future updates by maintainers, and explicit "CONFIG_OPTION is not set" statements aren't needed for mutually exclusive options since these are overlay configs that only specify changes from the base configuration.

Applied to files:

• config/kernel/linux-imx6-edge.config
• config/kernel/linux-rk322x-current.config
• config/kernel/linux-mvebu-edge.config
• config/kernel/linux-mvebu64-legacy.config
• config/kernel/linux-mvebu-current.config
• config/kernel/linux-odroidxu4-edge.config
• config/kernel/linux-sunxi-legacy.config
• config/kernel/linux-bcm2711-legacy.config
• config/kernel/linux-mvebu-legacy.config
• config/kernel/linux-rk35xx-vendor.config

📚 Learning: 2025-09-25T18:37:00.330Z

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.

Applied to files:

• config/kernel/linux-imx6-edge.config
• config/kernel/linux-rk322x-current.config
• config/kernel/linux-mvebu-edge.config
• config/kernel/linux-thead-legacy.config
• config/kernel/linux-mvebu64-legacy.config
• config/kernel/linux-mvebu-current.config
• config/kernel/linux-odroidxu4-edge.config
• config/kernel/linux-sunxi-legacy.config
• config/kernel/linux-bcm2711-legacy.config
• config/kernel/linux-mvebu-legacy.config
• config/kernel/linux-rk35xx-vendor.config

📚 Learning: 2025-03-31T12:57:13.880Z

Learnt from: libiunc
Repo: armbian/build PR: 8033
File: config/kernel/linux-starfive2-vendor.config:43-43
Timestamp: 2025-03-31T12:57:13.880Z
Learning: For StarFive2 platform kernel configurations, maintain alignment with vendor-provided configurations rather than modifying security settings like SECCOMP. This ensures hardware compatibility as intended by the manufacturer.

Applied to files:

• config/kernel/linux-imx6-edge.config
• config/kernel/linux-thead-legacy.config
• config/kernel/linux-mvebu64-legacy.config
• config/kernel/linux-odroidxu4-edge.config
• config/kernel/linux-rk35xx-vendor.config

📚 Learning: 2025-11-02T20:49:56.719Z

Learnt from: igorpecovnik
Repo: armbian/build PR: 8849
File: config/boards/radxa-e54c.csc:14-28
Timestamp: 2025-11-02T20:49:56.719Z
Learning: In Armbian board configuration files (config/boards/*.conf, *.csc, etc.), do not use kernel_config_set, kernel_config_set_m, kernel_config_set_y, or custom_kernel_config__* functions to modify kernel configuration. Kernel configuration is associated with LINUXFAMILY/BOARDFAMILY, not individual BOARD. Board-specific kernel modifications cause inconsistency in kernel packages published to the apt repository because boards within a family share the same kernel packages. Kernel configuration changes must be made in the appropriate kernel config file (e.g., config/kernel/linux-*-*.config) or in family configuration files (config/sources/families/*.conf, *.inc) instead.

Applied to files:

• config/kernel/linux-imx6-edge.config
• config/kernel/linux-rk322x-current.config
• config/kernel/linux-mvebu-edge.config
• config/kernel/linux-mvebu64-legacy.config
• config/kernel/linux-mvebu-current.config
• config/kernel/linux-odroidxu4-edge.config
• config/kernel/linux-sunxi-legacy.config
• config/kernel/linux-bcm2711-legacy.config
• config/kernel/linux-mvebu-legacy.config
• config/kernel/linux-rk35xx-vendor.config

📚 Learning: 2025-09-27T21:47:58.020Z

Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-bcm2711-edge.config:859-861
Timestamp: 2025-09-27T21:47:58.020Z
Learning: In the Armbian build system, kernel configuration files in config/kernel/ are generated through an automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

• config/kernel/linux-imx6-edge.config
• config/kernel/linux-mvebu64-legacy.config
• config/kernel/linux-odroidxu4-edge.config
• config/kernel/linux-bcm2711-legacy.config
• config/kernel/linux-rk35xx-vendor.config

📚 Learning: 2025-08-30T06:56:33.372Z

Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:56:33.372Z
Learning: In Armbian kernel configuration, the BTRFS configuration logic preserves existing settings (whether built-in 'y' or module 'm') and only sets BTRFS_FS to module when it was previously disabled or not set, achieving "allow but not require" flexibility while maintaining backward compatibility.

Applied to files:

• config/kernel/linux-imx6-edge.config
• config/kernel/linux-rk322x-current.config
• config/kernel/linux-mvebu-edge.config
• config/kernel/linux-thead-legacy.config
• config/kernel/linux-mvebu64-legacy.config
• config/kernel/linux-mvebu-current.config
• config/kernel/linux-sunxi-legacy.config
• config/kernel/linux-bcm2711-legacy.config
• config/kernel/linux-mvebu-legacy.config
• config/kernel/linux-rk35xx-vendor.config

📚 Learning: 2025-09-27T21:49:55.796Z

Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sm8250-current.config:78-80
Timestamp: 2025-09-27T21:49:55.796Z
Learning: In the Armbian build system, kernel configuration files are generated through an automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

• config/kernel/linux-imx6-edge.config
• config/kernel/linux-odroidxu4-edge.config
• config/kernel/linux-bcm2711-legacy.config
• config/kernel/linux-rk35xx-vendor.config

📚 Learning: 2025-09-27T21:50:15.915Z

Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sunxi64-current.config:94-94
Timestamp: 2025-09-27T21:50:15.915Z
Learning: When kernel config files are generated through Armbian's automated process (previous config → armbian-kernel.sh changes → make oldconfig → Armbian machinery processing), manual config file edits are not appropriate since they would be overwritten. Deprecated option handling should be implemented in the automated tooling instead.

Applied to files:

• config/kernel/linux-imx6-edge.config
• config/kernel/linux-mvebu-edge.config
• config/kernel/linux-thead-legacy.config
• config/kernel/linux-odroidxu4-edge.config
• config/kernel/linux-sunxi-legacy.config
• config/kernel/linux-bcm2711-legacy.config

📚 Learning: 2025-10-22T07:56:19.424Z

Learnt from: igorpecovnik
Repo: armbian/build PR: 8789
File: config/kernel/linux-sunxi64-edge.config:839-839
Timestamp: 2025-10-22T07:56:19.424Z
Learning: In Linux kernel configuration, some `=y` (builtin) options are infrastructure or feature flags that enable subsystems or features for modular drivers, rather than directly compiling code into the kernel. For example, in Armbian wireless configs, options like CONFIG_SPARD_WLAN_SUPPORT=y, CONFIG_SC23XX=y, CONFIG_WCN_BSP_DRIVER_BUILDIN=y, CONFIG_UNISOC_WIFI_PS=y are module infrastructure/feature enablers, while the actual drivers (CONFIG_WLAN_UWE5621=m, CONFIG_WLAN_UWE5622=m) remain as loadable modules. These infrastructure options don't cause kernel bloat.

Applied to files:

• config/kernel/linux-imx6-edge.config
• config/kernel/linux-rk322x-current.config
• config/kernel/linux-mvebu-edge.config
• config/kernel/linux-thead-legacy.config
• config/kernel/linux-mvebu64-legacy.config
• config/kernel/linux-mvebu-current.config
• config/kernel/linux-sunxi-legacy.config
• config/kernel/linux-bcm2711-legacy.config
• config/kernel/linux-mvebu-legacy.config
• config/kernel/linux-rk35xx-vendor.config

📚 Learning: 2025-09-22T21:52:01.225Z

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: The kernel_config_set_m function in lib/functions/compilation/armbian-kernel.sh preserves existing 'y' (built-in) settings and only sets options to 'm' (module) when they are not already built-in, achieving "prefer modules but allow built-ins" behavior.

Applied to files:

• config/kernel/linux-rk322x-current.config
• config/kernel/linux-mvebu-edge.config
• config/kernel/linux-thead-legacy.config
• config/kernel/linux-mvebu64-legacy.config
• config/kernel/linux-mvebu-current.config
• config/kernel/linux-sunxi-legacy.config
• config/kernel/linux-bcm2711-legacy.config
• config/kernel/linux-mvebu-legacy.config

📚 Learning: 2025-07-19T00:03:42.995Z

Learnt from: lanefu
Repo: armbian/build PR: 8377
File: config/kernel/linux-uefi-arm64-cloud.config:165-170
Timestamp: 2025-07-19T00:03:42.995Z
Learning: CONFIG_NETKIT was introduced in Linux kernel 4.14.330 (November 2023) and enables BPF-programmable network devices that can operate in Layer 3 or Layer 2 mode. It's a valid configuration option in modern kernels including 6.12.

Applied to files:

• config/kernel/linux-rk322x-current.config
• config/kernel/linux-mvebu-edge.config
• config/kernel/linux-mvebu64-legacy.config
• config/kernel/linux-mvebu-current.config
• config/kernel/linux-sunxi-legacy.config
• config/kernel/linux-bcm2711-legacy.config
• config/kernel/linux-mvebu-legacy.config

📚 Learning: 2025-10-26T12:56:29.185Z

Learnt from: rpardini
Repo: armbian/build PR: 8820
File: config/sources/families/include/meson64_common.inc:51-53
Timestamp: 2025-10-26T12:56:29.185Z
Learning: In the Armbian build framework, scripts/config correctly handles kernel configuration option names both with and without the CONFIG_ prefix, so opts_m+=("CONFIG_RTL8822CS") and opts_m+=("RTL8822CS") are both valid and will work correctly.

Applied to files:

• config/kernel/linux-rk322x-current.config

📚 Learning: 2025-07-27T15:56:34.414Z

Learnt from: pyavitz
Repo: armbian/build PR: 8421
File: config/kernel/linux-sunxi64-edge.config:438-439
Timestamp: 2025-07-27T15:56:34.414Z
Learning: CONFIG_NET_SCH_DEFAULT is a boolean kernel configuration option (=y or =n) that enables/disables the ability to override the default network queueing discipline at runtime. When set to 'y', it allows setting the actual qdisc name via /proc/sys/net/core/default_qdisc at runtime, not in the kernel config file itself.

Applied to files:

• config/kernel/linux-rk322x-current.config
• config/kernel/linux-mvebu-edge.config
• config/kernel/linux-mvebu64-legacy.config
• config/kernel/linux-mvebu-current.config
• config/kernel/linux-odroidxu4-edge.config
• config/kernel/linux-sunxi-legacy.config
• config/kernel/linux-bcm2711-legacy.config
• config/kernel/linux-rk35xx-vendor.config

📚 Learning: 2025-09-22T21:52:01.225Z

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the kernel_config_modifying_hashes array is not universally required for all kernel configuration functions - some functions like armbian_kernel_config__netkit() operate without it, and adding entries with '=m' would be incorrect when the actual result might be '=y' for options already built-in.

Applied to files:

• config/kernel/linux-mvebu-edge.config
• config/kernel/linux-mvebu64-legacy.config

📚 Learning: 2025-09-27T21:50:04.845Z

Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sm8250-edge.config:80-82
Timestamp: 2025-09-27T21:50:04.845Z
Learning: In the Armbian build system, kernel configuration files are generated through this automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

• config/kernel/linux-odroidxu4-edge.config
• config/kernel/linux-bcm2711-legacy.config

📚 Learning: 2025-08-02T05:46:10.664Z

Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-02T05:46:10.664Z
Learning: In the Armbian build system, the KERNEL_CONFIGURE=yes switch is deprecated. The recommended approach for kernel configuration is now to use the `kernel-config` build command, which provides a more structured way to configure kernel options.

Applied to files:

• config/kernel/linux-sunxi-legacy.config

📚 Learning: 2025-07-15T21:09:23.252Z

Learnt from: pyavitz
Repo: armbian/build PR: 8383
File: config/kernel/linux-sunxi64-edge.config:57-64
Timestamp: 2025-07-15T21:09:23.252Z
Learning: In Linux kernel configuration, when CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y is set, the ondemand governor is implicitly enabled by default, making the explicit CONFIG_CPU_FREQ_GOV_ONDEMAND=y line redundant. The make menuconfig tool automatically removes such redundant lines. This behavior applies to CPU frequency governor configurations in general - setting a default governor automatically enables that governor.

Applied to files:

• config/kernel/linux-sunxi-legacy.config

📚 Learning: 2025-08-11T22:00:13.411Z

Learnt from: rafayahmed317
Repo: armbian/build PR: 8484
File: config/kernel/linux-rk35xx-vendor.config:904-906
Timestamp: 2025-08-11T22:00:13.411Z
Learning: In the linux-rk35xx-vendor kernel, the LTE driver options (CONFIG_LTE, CONFIG_LTE_RM310, CONFIG_LTE_EM05) are defined as boolean in drivers/net/lte/Kconfig and cannot be built as modules - they must be either built-in (=y) or disabled.

Applied to files:

• config/kernel/linux-rk35xx-vendor.config

📚 Learning: 2025-11-08T06:39:24.527Z

Learnt from: EvilOlaf
Repo: armbian/build PR: 8886
File: patch/kernel/rk35xx-vendor-6.1/dt/rk3528-nanopi-rev01.dts:9-9
Timestamp: 2025-11-08T06:39:24.527Z
Learning: In Armbian's Rockchip vendor kernel branches (rk35xx-vendor), device tree files may not require the same headers as mainline Linux. For example, input key definitions like KEY_BACK and KEY_VOLUMEUP may be handled differently in BSP kernels and don't necessarily need explicit includes like <dt-bindings/input/input.h> that would be required in mainline kernel device trees.

Applied to files:

• config/kernel/linux-rk35xx-vendor.config

🔇 Additional comments (8)

config/kernel/linux-mvebu64-legacy.config (1)

10-10: Verify implementation approach: config file edits may not persist.

Based on the PR discussion and learnings about the Armbian build system, kernel configuration files in config/kernel/ are autogenerated overlays that are periodically rewritten by automated processes. Direct edits to these files may be overwritten during future rewrite-kernel-config runs.

Per the PR discussion (comments from tabrisnet and coderabbitai), the recommended approach is to add BPF_UNPRIV_DEFAULT_OFF to the opts_y array in the armbian_kernel_config__600_enable_ebpf_and_btf_info function in lib/functions/compilation/armbian-kernel.sh. This ensures the configuration persists through the automated kernel config generation workflow: previous config → armbian-kernel.sh changes → make oldconfig → Armbian processing.

Please confirm:

1. Are changes to lib/functions/compilation/armbian-kernel.sh also included in this PR but not visible in the current review files?
2. If only config file edits are being made, have you verified these changes will persist through the next automated rewrite?

Based on learnings about the Armbian build system's kernel configuration workflow.

config/kernel/linux-imx6-edge.config (1)

12-12: Config option correctly enabled; see implementation approach concern.

The addition of CONFIG_BPF_UNPRIV_DEFAULT_OFF=y is correct and addresses the vulnerability warning issue described in the PR objectives. The placement is appropriate alongside other BPF-related configuration options.

However, the same persistence concern raised for linux-mvebu64-legacy.config applies here regarding the automated kernel config generation workflow. Please ensure the implementation approach will maintain these changes across future automated rewrites.

config/kernel/linux-thead-legacy.config (1)

182-182: Verification complete: armbian-kernel.sh properly updated.

The concern about manual config file edits being overwritten is addressed. The PR correctly adds BPF_UNPRIV_DEFAULT_OFF to the opts_y array in the armbian_kernel_config__600_enable_ebpf_and_btf_info() function (line 123 of lib/functions/compilation/armbian-kernel.sh), which is the proper approach. The config file entry will be auto-generated from this function during automated config regeneration, so the manual edit is consistent with Armbian's build system architecture.

config/kernel/linux-rk322x-current.config (1)

95-107: CONFIG_BPF_UNPRIV_DEFAULT_OFF=y here correctly enforces unprivileged BPF off by default

With CONFIG_BPF, CONFIG_BPF_SYSCALL, and CONFIG_BPF_JIT already enabled, setting CONFIG_BPF_UNPRIV_DEFAULT_OFF=y is the right way to make unprivileged eBPF default‑off on this RK322x kernel and aligns with the PR’s spectre_v2 mitigation goal. Note that this file is an autogenerated Armbian overlay; the canonical behavior should come from the updated armbian-kernel.sh, and future rewrite-kernel-config runs may drop this explicit line if it becomes redundant. Based on learnings, Armbian kernel overlays are periodically regenerated.

config/kernel/linux-mvebu-edge.config (1)

6-12: mvebu-edge: enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF=y is consistent and desirable

Adding CONFIG_BPF_UNPRIV_DEFAULT_OFF=y next to CONFIG_BPF_JIT=y gives mvebu-edge the same “unprivileged BPF default‑off” behavior as other families, matching the PR’s objective. Since this is an autogenerated Armbian defconfig overlay, ensure the corresponding armbian-kernel.sh logic is treated as the canonical source and check after running rewrite-kernel-config that this setting is preserved (or made redundant) as expected. Based on learnings, these overlays are periodically regenerated.

config/kernel/linux-bcm2711-legacy.config (1)

10-10: Configuration change is consistent across files.

The change matches the pattern applied to other kernel configs in this PR. The placement after CONFIG_BPF_JIT=y is appropriate and consistent with the BPF configuration grouping.

Please see the verification request in the review of linux-sunxi-legacy.config regarding the persistence of manual config file changes versus implementing this in armbian-kernel.sh.

config/kernel/linux-odroidxu4-edge.config (1)

9-9: Configuration change is consistent across kernel variants.

The change is correctly placed in the BPF configuration section and follows the same pattern as other kernel configs in this PR. The syntax is correct and aligns with the security objective to disable unprivileged BPF by default.

Please refer to the verification request and discussion in the review of linux-sunxi-legacy.config regarding the optimal approach for ensuring this change persists through Armbian's automated kernel configuration regeneration process.

config/kernel/linux-sunxi-legacy.config (1)

9-9: Remove manual CONFIG_BPF_UNPRIV_DEFAULT_OFF additions from config files.

CONFIG_BPF_UNPRIV_DEFAULT_OFF is already being set via lib/functions/compilation/armbian-kernel.sh in the armbian_kernel_config__600_enable_ebpf_and_btf_info() function (line 123, within the opts_y array). Manual additions of this option to kernel config files are redundant and will be overwritten during Armbian's automated config regeneration process.

Remove CONFIG_BPF_UNPRIV_DEFAULT_OFF=y from all config files affected by this PR. The setting is already properly enforced through the automated tooling.

⛔ Skipped due to learnings

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.

Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub or the PR API to get the complete picture of what files are being added or modified.

Learnt from: libiunc
Repo: armbian/build PR: 8033
File: config/kernel/linux-starfive2-vendor.config:43-43
Timestamp: 2025-03-31T12:57:13.880Z
Learning: For StarFive2 platform kernel configurations, maintain alignment with vendor-provided configurations rather than modifying security settings like SECCOMP. This ensures hardware compatibility as intended by the manufacturer.

Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub API (https://api.github.com/repos/armbian/build/pulls/{pr_number}/files) to get the complete picture of what files are being added or modified, especially for U-Boot patches that will be applied during the build process.

Learnt from: igorpecovnik
Repo: armbian/build PR: 8849
File: config/boards/radxa-e54c.csc:14-28
Timestamp: 2025-11-02T20:49:56.719Z
Learning: In Armbian board configuration files (config/boards/*.conf, *.csc, etc.), do not use kernel_config_set, kernel_config_set_m, kernel_config_set_y, or custom_kernel_config__* functions to modify kernel configuration. Kernel configuration is associated with LINUXFAMILY/BOARDFAMILY, not individual BOARD. Board-specific kernel modifications cause inconsistency in kernel packages published to the apt repository because boards within a family share the same kernel packages. Kernel configuration changes must be made in the appropriate kernel config file (e.g., config/kernel/linux-*-*.config) or in family configuration files (config/sources/families/*.conf, *.inc) instead.

Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sunxi64-current.config:94-94
Timestamp: 2025-09-27T21:50:15.915Z
Learning: When kernel config files are generated through Armbian's automated process (previous config → armbian-kernel.sh changes → make oldconfig → Armbian machinery processing), manual config file edits are not appropriate since they would be overwritten. Deprecated option handling should be implemented in the automated tooling instead.

Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-12-19T13:56:45.124Z
Learning: When reviewing kernel or u-boot version bump PRs in the Armbian build system, check if patches existed in previous kernel version directories (e.g., sunxi-6.12, sunxi-6.13) before describing them as new features. If a patch and the majority of its contents existed previously with no major functionality changes, focus the review on the actual changes: the version bump itself and patch compatibility adjustments. Don't describe existing patches being ported/maintained across versions as new features or drivers—this is misleading. The patches are existing code being re-aligned to work with the new upstream version.

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the kernel_config_modifying_hashes array is not universally required for all kernel configuration functions - some functions like armbian_kernel_config__netkit() operate without it, and adding entries with '=m' would be incorrect when the actual result might be '=y' for options already built-in.

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the kernel_config_modifying_hashes array is not universally required for all kernel configuration functions - some functions like armbian_kernel_config__netkit() operate without it, and adding entries with '=m' would be incorrect when the actual result might be '=y' for options already built-in.

Learnt from: lanefu
Repo: armbian/build PR: 8377
File: config/kernel/linux-uefi-arm64-cloud.config:165-170
Timestamp: 2025-07-19T00:03:42.995Z
Learning: CONFIG_NETKIT was introduced in Linux kernel 4.14.330 (November 2023) and enables BPF-programmable network devices that can operate in Layer 3 or Layer 2 mode. It's a valid configuration option in modern kernels including 6.12.

Learnt from: pyavitz
Repo: armbian/build PR: 8421
File: config/kernel/linux-sunxi64-edge.config:438-439
Timestamp: 2025-07-27T15:56:34.414Z
Learning: CONFIG_NET_SCH_DEFAULT is a boolean kernel configuration option (=y or =n) that enables/disables the ability to override the default network queueing discipline at runtime. When set to 'y', it allows setting the actual qdisc name via /proc/sys/net/core/default_qdisc at runtime, not in the kernel config file itself.

Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:56:33.372Z
Learning: In Armbian kernel configuration, the BTRFS configuration logic preserves existing settings (whether built-in 'y' or module 'm') and only sets BTRFS_FS to module when it was previously disabled or not set, achieving "allow but not require" flexibility while maintaining backward compatibility.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (2)

config/kernel/linux-mvebu64-current.config (1)

11-11: Consider centralizing this change in armbian-kernel.sh instead of editing config files directly.

The change itself is correct and addresses the security posture issue. However, based on the PR discussion and Armbian's kernel config generation workflow, modifying lib/functions/compilation/armbian-kernel.sh (function armbian_kernel_config__600_enable_ebpf_and_btf_info) would be the preferred approach:

• Config files in config/kernel/ are autogenerated overlays that can be overwritten by periodic rewrite-kernel-config jobs
• Adding BPF_UNPRIV_DEFAULT_OFF to the opts_y array in the script ensures the change propagates to all generated configs
• This reduces file churn and avoids potential conflicts during config regeneration

Based on learnings, Armbian kernel configuration files are overlays maintained through generation scripts, and manual edits may not persist.

Example implementation in armbian-kernel.sh

In lib/functions/compilation/armbian-kernel.sh, within the armbian_kernel_config__600_enable_ebpf_and_btf_info function, add:

 opts_y+=(
   "BPF_SYSCALL" # eBPF
   "BPF_JIT"
+  "BPF_UNPRIV_DEFAULT_OFF" # Disable unprivileged eBPF by default
   # ... other options
 )

Then run rewrite-kernel-config to regenerate all config files with this change applied consistently.

lib/functions/compilation/armbian-kernel.sh (1)

119-125: Good: centralizing BPF_UNPRIV_DEFAULT_OFF in the eBPF/BTF helper.

Adding "BPF_UNPRIV_DEFAULT_OFF" to opts_y here makes the unprivileged‑BPF default‑off behavior part of the scripted kernel config pipeline, so rewrite‑kernel‑config will preserve it. If you ever want this enforced even when KERNEL_BTF="no", you could set it outside the BTF RAM check, but that’s an optional follow‑up rather than a blocker.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between b02f95c and de1f9ee.

📒 Files selected for processing (33)

• config/kernel/linux-bcm2711-current.config (1 hunks)
• config/kernel/linux-bcm2711-edge.config (1 hunks)
• config/kernel/linux-bcm2711-legacy.config (1 hunks)
• config/kernel/linux-imx6-current.config (1 hunks)
• config/kernel/linux-imx6-edge.config (1 hunks)
• config/kernel/linux-imx6-legacy.config (1 hunks)
• config/kernel/linux-meson64-current.config (1 hunks)
• config/kernel/linux-meson64-edge.config (1 hunks)
• config/kernel/linux-mvebu-current.config (1 hunks)
• config/kernel/linux-mvebu-edge.config (1 hunks)
• config/kernel/linux-mvebu-legacy.config (1 hunks)
• config/kernel/linux-mvebu64-current.config (1 hunks)
• config/kernel/linux-mvebu64-edge.config (1 hunks)
• config/kernel/linux-mvebu64-legacy.config (1 hunks)
• config/kernel/linux-odroidxu4-current.config (1 hunks)
• config/kernel/linux-odroidxu4-edge.config (1 hunks)
• config/kernel/linux-rk322x-current.config (1 hunks)
• config/kernel/linux-rk322x-edge.config (1 hunks)
• config/kernel/linux-rk35xx-vendor.config (1 hunks)
• config/kernel/linux-rockchip-current.config (1 hunks)
• config/kernel/linux-rockchip-edge.config (1 hunks)
• config/kernel/linux-rockchip-rk3588-edge.config (1 hunks)
• config/kernel/linux-rockchip64-current.config (1 hunks)
• config/kernel/linux-rockchip64-edge.config (1 hunks)
• config/kernel/linux-sunxi-current.config (1 hunks)
• config/kernel/linux-sunxi-edge.config (1 hunks)
• config/kernel/linux-sunxi-legacy.config (1 hunks)
• config/kernel/linux-sunxi64-current.config (1 hunks)
• config/kernel/linux-sunxi64-edge.config (1 hunks)
• config/kernel/linux-sunxi64-legacy.config (1 hunks)
• config/kernel/linux-thead-legacy.config (1 hunks)
• config/kernel/linux-virtual-current.config (1 hunks)
• lib/functions/compilation/armbian-kernel.sh (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (20)

• config/kernel/linux-rockchip64-edge.config
• config/kernel/linux-sunxi64-legacy.config
• config/kernel/linux-odroidxu4-current.config
• config/kernel/linux-sunxi-edge.config
• config/kernel/linux-bcm2711-current.config
• config/kernel/linux-virtual-current.config
• config/kernel/linux-odroidxu4-edge.config
• config/kernel/linux-imx6-current.config
• config/kernel/linux-rk35xx-vendor.config
• config/kernel/linux-rockchip-current.config
• config/kernel/linux-bcm2711-edge.config
• config/kernel/linux-meson64-current.config
• config/kernel/linux-mvebu-current.config
• config/kernel/linux-sunxi-legacy.config
• config/kernel/linux-mvebu64-edge.config
• config/kernel/linux-thead-legacy.config
• config/kernel/linux-imx6-legacy.config
• config/kernel/linux-rockchip-rk3588-edge.config
• config/kernel/linux-rk322x-edge.config
• config/kernel/linux-mvebu-legacy.config

🧰 Additional context used

🧠 Learnings (33)

📓 Common learnings

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.

Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub or the PR API to get the complete picture of what files are being added or modified.

Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub API (https://api.github.com/repos/armbian/build/pulls/{pr_number}/files) to get the complete picture of what files are being added or modified, especially for U-Boot patches that will be applied during the build process.

Learnt from: igorpecovnik
Repo: armbian/build PR: 9087
File: .github/workflows/pr-check-pictures.yml:138-146
Timestamp: 2025-12-16T13:40:07.649Z
Learning: In the Armbian build repository, when introducing new requirements or checks (like the board assets verification workflow), the project prefers an initial educational-only period where violations post helpful PR comments and warnings but don't block merges. This allows contributors to become familiar with new requirements before enforcement is enabled (typically after ~6 months).

Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-12-19T13:56:45.124Z
Learning: When reviewing kernel or u-boot version bump PRs in the Armbian build system, check if patches existed in previous kernel version directories (e.g., sunxi-6.12, sunxi-6.13) before describing them as new features. If a patch and the majority of its contents existed previously with no major functionality changes, focus the review on the actual changes: the version bump itself and patch compatibility adjustments. Don't describe existing patches being ported/maintained across versions as new features or drivers—this is misleading. The patches are existing code being re-aligned to work with the new upstream version.

Learnt from: igorpecovnik
Repo: armbian/build PR: 8849
File: config/boards/radxa-e54c.csc:14-28
Timestamp: 2025-11-02T20:49:56.719Z
Learning: In Armbian board configuration files (config/boards/*.conf, *.csc, etc.), do not use kernel_config_set, kernel_config_set_m, kernel_config_set_y, or custom_kernel_config__* functions to modify kernel configuration. Kernel configuration is associated with LINUXFAMILY/BOARDFAMILY, not individual BOARD. Board-specific kernel modifications cause inconsistency in kernel packages published to the apt repository because boards within a family share the same kernel packages. Kernel configuration changes must be made in the appropriate kernel config file (e.g., config/kernel/linux-*-*.config) or in family configuration files (config/sources/families/*.conf, *.inc) instead.

Learnt from: EvilOlaf
Repo: armbian/build PR: 8328
File: lib/functions/compilation/patch/drivers_network.sh:542-545
Timestamp: 2025-06-24T10:08:40.313Z
Learning: In the Armbian build system, when a PR removes build support for a specific kernel version, version check issues for that removed version become practically irrelevant even if they appear incorrect in isolation. Context about which kernel versions are being deprecated/removed is important for understanding the impact of version-related code changes.

Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-12-17T05:09:02.306Z
Learning: In the Armbian build system, kernel patches (e.g., in patch/kernel/archive/sunxi-6.18/patches.armbian/) contain device tree overlays and other code that have existed for years and are maintained/ported across kernel versions. When reviewing PRs that modify these patch files, focus on the actual changes being made (e.g., Makefile fixes, new additions) rather than reviewing the entire existing content within the patch as if it were new code. The patch file contents are existing, stable code unless explicitly modified in the PR diff.

Learnt from: EvilOlaf
Repo: armbian/build PR: 8968
File: patch/u-boot/u-boot-sunxi/arm64-dts-sun50i-h6-orangepi.dtsi-Rollback-r_rsb-to-r_i2c.patch:36-36
Timestamp: 2025-11-20T18:20:11.985Z
Learning: The rewrite-patches tool (REWRITE_PATCHES=yes) in the Armbian build system can inadvertently introduce semantic changes when the u-boot/kernel git base revision differs from expected state. The tool applies patches, commits them, and re-exports them using git format-patch, which can cause the re-exported patch to reflect the base revision's state rather than preserving the original patch intent. This is particularly problematic for device tree changes like interrupt specifications. The tool currently lacks validation mechanisms to detect such semantic drift, and affected patches must be manually corrected after rewriting.

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: The kernel_config_set_m function in lib/functions/compilation/armbian-kernel.sh preserves existing 'y' (built-in) settings and only sets options to 'm' (module) when they are not already built-in, achieving "prefer modules but allow built-ins" behavior.

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: The kernel_config_set_m function in lib/functions/compilation/armbian-kernel.sh preserves existing 'y' (built-in) settings and only sets options to 'm' (module) when they are not already built-in, achieving "prefer modules but allow built-ins" behavior.

Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:56:33.372Z
Learning: In Armbian kernel configuration, the BTRFS configuration logic preserves existing settings (whether built-in 'y' or module 'm') and only sets BTRFS_FS to module when it was previously disabled or not set, achieving "allow but not require" flexibility while maintaining backward compatibility.

Learnt from: igorpecovnik
Repo: armbian/build PR: 8789
File: config/kernel/linux-sunxi64-edge.config:839-839
Timestamp: 2025-10-22T07:56:19.424Z
Learning: In Linux kernel configuration, some `=y` (builtin) options are infrastructure or feature flags that enable subsystems or features for modular drivers, rather than directly compiling code into the kernel. For example, in Armbian wireless configs, options like CONFIG_SPARD_WLAN_SUPPORT=y, CONFIG_SC23XX=y, CONFIG_WCN_BSP_DRIVER_BUILDIN=y, CONFIG_UNISOC_WIFI_PS=y are module infrastructure/feature enablers, while the actual drivers (CONFIG_WLAN_UWE5621=m, CONFIG_WLAN_UWE5622=m) remain as loadable modules. These infrastructure options don't cause kernel bloat.

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the kernel_config_modifying_hashes array is not universally required for all kernel configuration functions - some functions like armbian_kernel_config__netkit() operate without it, and adding entries with '=m' would be incorrect when the actual result might be '=y' for options already built-in.

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the kernel_config_modifying_hashes array is not universally required for all kernel configuration functions - some functions like armbian_kernel_config__netkit() operate without it, and adding entries with '=m' would be incorrect when the actual result might be '=y' for options already built-in.

Learnt from: rpardini
Repo: armbian/build PR: 8820
File: config/sources/families/include/meson64_common.inc:51-53
Timestamp: 2025-10-26T12:56:29.185Z
Learning: In the Armbian build framework, scripts/config correctly handles kernel configuration option names both with and without the CONFIG_ prefix, so opts_m+=("CONFIG_RTL8822CS") and opts_m+=("RTL8822CS") are both valid and will work correctly.

Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:48:09.091Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the user prefers flexible grep patterns over anchored ones for BTRFS configuration checks, but agrees to use quiet grep (-q) to avoid polluting build logs.

📚 Learning: 2025-08-30T04:13:16.457Z

Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T04:13:16.457Z
Learning: Armbian kernel configuration files like linux-filogic-current.config are autogenerated overlays on top of arch defconfig. Comments added manually will be lost during future updates by maintainers, and explicit "CONFIG_OPTION is not set" statements aren't needed for mutually exclusive options since these are overlay configs that only specify changes from the base configuration.

Applied to files:

• config/kernel/linux-rockchip64-current.config
• config/kernel/linux-mvebu64-current.config
• config/kernel/linux-mvebu64-legacy.config
• config/kernel/linux-sunxi64-current.config
• config/kernel/linux-meson64-edge.config
• config/kernel/linux-sunxi64-edge.config
• config/kernel/linux-mvebu-edge.config
• config/kernel/linux-rockchip-edge.config
• lib/functions/compilation/armbian-kernel.sh
• config/kernel/linux-sunxi-current.config
• config/kernel/linux-rk322x-current.config
• config/kernel/linux-bcm2711-legacy.config
• config/kernel/linux-imx6-edge.config

📚 Learning: 2025-11-02T20:49:56.719Z

Learnt from: igorpecovnik
Repo: armbian/build PR: 8849
File: config/boards/radxa-e54c.csc:14-28
Timestamp: 2025-11-02T20:49:56.719Z
Learning: In Armbian board configuration files (config/boards/*.conf, *.csc, etc.), do not use kernel_config_set, kernel_config_set_m, kernel_config_set_y, or custom_kernel_config__* functions to modify kernel configuration. Kernel configuration is associated with LINUXFAMILY/BOARDFAMILY, not individual BOARD. Board-specific kernel modifications cause inconsistency in kernel packages published to the apt repository because boards within a family share the same kernel packages. Kernel configuration changes must be made in the appropriate kernel config file (e.g., config/kernel/linux-*-*.config) or in family configuration files (config/sources/families/*.conf, *.inc) instead.

Applied to files:

• config/kernel/linux-rockchip64-current.config
• config/kernel/linux-mvebu64-current.config
• config/kernel/linux-mvebu64-legacy.config
• config/kernel/linux-sunxi64-current.config
• config/kernel/linux-meson64-edge.config
• config/kernel/linux-sunxi64-edge.config
• config/kernel/linux-mvebu-edge.config
• config/kernel/linux-rockchip-edge.config
• config/kernel/linux-sunxi-current.config
• config/kernel/linux-rk322x-current.config
• config/kernel/linux-bcm2711-legacy.config
• config/kernel/linux-imx6-edge.config

📚 Learning: 2025-09-25T18:37:00.330Z

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.

Applied to files:

• config/kernel/linux-rockchip64-current.config
• config/kernel/linux-mvebu64-current.config
• config/kernel/linux-mvebu64-legacy.config
• config/kernel/linux-sunxi64-current.config
• config/kernel/linux-meson64-edge.config
• config/kernel/linux-sunxi64-edge.config
• config/kernel/linux-mvebu-edge.config
• config/kernel/linux-rockchip-edge.config
• lib/functions/compilation/armbian-kernel.sh
• config/kernel/linux-sunxi-current.config
• config/kernel/linux-rk322x-current.config
• config/kernel/linux-bcm2711-legacy.config
• config/kernel/linux-imx6-edge.config

📚 Learning: 2025-03-31T12:57:13.880Z

Learnt from: libiunc
Repo: armbian/build PR: 8033
File: config/kernel/linux-starfive2-vendor.config:43-43
Timestamp: 2025-03-31T12:57:13.880Z
Learning: For StarFive2 platform kernel configurations, maintain alignment with vendor-provided configurations rather than modifying security settings like SECCOMP. This ensures hardware compatibility as intended by the manufacturer.

Applied to files:

• config/kernel/linux-rockchip64-current.config
• config/kernel/linux-meson64-edge.config
• config/kernel/linux-sunxi64-edge.config
• config/kernel/linux-rockchip-edge.config
• config/kernel/linux-imx6-edge.config

📚 Learning: 2025-08-30T06:56:33.372Z

Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:56:33.372Z
Learning: In Armbian kernel configuration, the BTRFS configuration logic preserves existing settings (whether built-in 'y' or module 'm') and only sets BTRFS_FS to module when it was previously disabled or not set, achieving "allow but not require" flexibility while maintaining backward compatibility.

Applied to files:

• config/kernel/linux-rockchip64-current.config
• config/kernel/linux-mvebu64-current.config
• config/kernel/linux-mvebu64-legacy.config
• config/kernel/linux-sunxi64-current.config
• config/kernel/linux-meson64-edge.config
• config/kernel/linux-sunxi64-edge.config
• config/kernel/linux-mvebu-edge.config
• config/kernel/linux-rockchip-edge.config
• config/kernel/linux-sunxi-current.config
• config/kernel/linux-rk322x-current.config
• config/kernel/linux-bcm2711-legacy.config
• config/kernel/linux-imx6-edge.config

📚 Learning: 2025-07-27T15:56:34.414Z

Learnt from: pyavitz
Repo: armbian/build PR: 8421
File: config/kernel/linux-sunxi64-edge.config:438-439
Timestamp: 2025-07-27T15:56:34.414Z
Learning: CONFIG_NET_SCH_DEFAULT is a boolean kernel configuration option (=y or =n) that enables/disables the ability to override the default network queueing discipline at runtime. When set to 'y', it allows setting the actual qdisc name via /proc/sys/net/core/default_qdisc at runtime, not in the kernel config file itself.

Applied to files:

• config/kernel/linux-rockchip64-current.config
• config/kernel/linux-mvebu64-current.config
• config/kernel/linux-mvebu64-legacy.config
• config/kernel/linux-sunxi64-current.config
• config/kernel/linux-meson64-edge.config
• config/kernel/linux-sunxi64-edge.config
• config/kernel/linux-mvebu-edge.config
• config/kernel/linux-sunxi-current.config
• config/kernel/linux-rk322x-current.config
• config/kernel/linux-bcm2711-legacy.config

📚 Learning: 2025-10-22T07:56:19.424Z

Learnt from: igorpecovnik
Repo: armbian/build PR: 8789
File: config/kernel/linux-sunxi64-edge.config:839-839
Timestamp: 2025-10-22T07:56:19.424Z
Learning: In Linux kernel configuration, some `=y` (builtin) options are infrastructure or feature flags that enable subsystems or features for modular drivers, rather than directly compiling code into the kernel. For example, in Armbian wireless configs, options like CONFIG_SPARD_WLAN_SUPPORT=y, CONFIG_SC23XX=y, CONFIG_WCN_BSP_DRIVER_BUILDIN=y, CONFIG_UNISOC_WIFI_PS=y are module infrastructure/feature enablers, while the actual drivers (CONFIG_WLAN_UWE5621=m, CONFIG_WLAN_UWE5622=m) remain as loadable modules. These infrastructure options don't cause kernel bloat.

Applied to files:

• config/kernel/linux-rockchip64-current.config
• config/kernel/linux-mvebu64-current.config
• config/kernel/linux-mvebu64-legacy.config
• config/kernel/linux-sunxi64-current.config
• config/kernel/linux-meson64-edge.config
• config/kernel/linux-sunxi64-edge.config
• config/kernel/linux-mvebu-edge.config
• config/kernel/linux-rockchip-edge.config
• config/kernel/linux-sunxi-current.config
• config/kernel/linux-rk322x-current.config
• config/kernel/linux-bcm2711-legacy.config
• config/kernel/linux-imx6-edge.config

📚 Learning: 2025-09-22T21:52:01.225Z

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: The kernel_config_set_m function in lib/functions/compilation/armbian-kernel.sh preserves existing 'y' (built-in) settings and only sets options to 'm' (module) when they are not already built-in, achieving "prefer modules but allow built-ins" behavior.

Applied to files:

• config/kernel/linux-mvebu64-current.config
• config/kernel/linux-mvebu64-legacy.config
• config/kernel/linux-meson64-edge.config
• config/kernel/linux-sunxi64-edge.config
• config/kernel/linux-mvebu-edge.config
• lib/functions/compilation/armbian-kernel.sh
• config/kernel/linux-sunxi-current.config
• config/kernel/linux-rk322x-current.config
• config/kernel/linux-bcm2711-legacy.config

📚 Learning: 2025-09-22T21:52:01.225Z

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the kernel_config_modifying_hashes array is not universally required for all kernel configuration functions - some functions like armbian_kernel_config__netkit() operate without it, and adding entries with '=m' would be incorrect when the actual result might be '=y' for options already built-in.

Applied to files:

• config/kernel/linux-mvebu64-current.config
• config/kernel/linux-meson64-edge.config
• config/kernel/linux-mvebu-edge.config
• lib/functions/compilation/armbian-kernel.sh

📚 Learning: 2025-07-19T00:03:42.995Z

Learnt from: lanefu
Repo: armbian/build PR: 8377
File: config/kernel/linux-uefi-arm64-cloud.config:165-170
Timestamp: 2025-07-19T00:03:42.995Z
Learning: CONFIG_NETKIT was introduced in Linux kernel 4.14.330 (November 2023) and enables BPF-programmable network devices that can operate in Layer 3 or Layer 2 mode. It's a valid configuration option in modern kernels including 6.12.

Applied to files:

• config/kernel/linux-mvebu64-current.config
• config/kernel/linux-mvebu64-legacy.config
• config/kernel/linux-sunxi64-current.config
• config/kernel/linux-meson64-edge.config
• config/kernel/linux-sunxi64-edge.config
• config/kernel/linux-mvebu-edge.config
• config/kernel/linux-rockchip-edge.config
• config/kernel/linux-sunxi-current.config
• config/kernel/linux-rk322x-current.config
• config/kernel/linux-bcm2711-legacy.config

📚 Learning: 2025-12-19T13:56:45.124Z

Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-12-19T13:56:45.124Z
Learning: When reviewing kernel or u-boot version bump PRs in the Armbian build system, check if patches existed in previous kernel version directories (e.g., sunxi-6.12, sunxi-6.13) before describing them as new features. If a patch and the majority of its contents existed previously with no major functionality changes, focus the review on the actual changes: the version bump itself and patch compatibility adjustments. Don't describe existing patches being ported/maintained across versions as new features or drivers—this is misleading. The patches are existing code being re-aligned to work with the new upstream version.

Applied to files:

• config/kernel/linux-mvebu64-legacy.config
• config/kernel/linux-meson64-edge.config

📚 Learning: 2025-07-25T03:51:50.830Z

Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub or the PR API to get the complete picture of what files are being added or modified.

Applied to files:

• config/kernel/linux-mvebu64-legacy.config
• config/kernel/linux-meson64-edge.config

📚 Learning: 2025-09-27T21:47:58.020Z

Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-bcm2711-edge.config:859-861
Timestamp: 2025-09-27T21:47:58.020Z
Learning: In the Armbian build system, kernel configuration files in config/kernel/ are generated through an automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

• config/kernel/linux-mvebu64-legacy.config
• config/kernel/linux-sunxi64-current.config
• config/kernel/linux-sunxi-current.config
• config/kernel/linux-bcm2711-legacy.config
• config/kernel/linux-imx6-edge.config

📚 Learning: 2025-09-27T21:49:55.796Z

Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sm8250-current.config:78-80
Timestamp: 2025-09-27T21:49:55.796Z
Learning: In the Armbian build system, kernel configuration files are generated through an automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

• config/kernel/linux-sunxi64-current.config
• lib/functions/compilation/armbian-kernel.sh
• config/kernel/linux-sunxi-current.config
• config/kernel/linux-bcm2711-legacy.config
• config/kernel/linux-imx6-edge.config

📚 Learning: 2025-09-27T21:50:04.845Z

Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sm8250-edge.config:80-82
Timestamp: 2025-09-27T21:50:04.845Z
Learning: In the Armbian build system, kernel configuration files are generated through this automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

• config/kernel/linux-sunxi64-current.config
• lib/functions/compilation/armbian-kernel.sh
• config/kernel/linux-sunxi-current.config
• config/kernel/linux-bcm2711-legacy.config
• config/kernel/linux-imx6-edge.config

📚 Learning: 2025-09-27T21:50:15.915Z

Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sunxi64-current.config:94-94
Timestamp: 2025-09-27T21:50:15.915Z
Learning: When kernel config files are generated through Armbian's automated process (previous config → armbian-kernel.sh changes → make oldconfig → Armbian machinery processing), manual config file edits are not appropriate since they would be overwritten. Deprecated option handling should be implemented in the automated tooling instead.

Applied to files:

• config/kernel/linux-sunxi64-current.config
• config/kernel/linux-meson64-edge.config
• config/kernel/linux-sunxi64-edge.config
• config/kernel/linux-rockchip-edge.config
• lib/functions/compilation/armbian-kernel.sh
• config/kernel/linux-bcm2711-legacy.config
• config/kernel/linux-imx6-edge.config

📚 Learning: 2025-08-02T05:46:10.664Z

Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-02T05:46:10.664Z
Learning: In the Armbian build system, the KERNEL_CONFIGURE=yes switch is deprecated. The recommended approach for kernel configuration is now to use the `kernel-config` build command, which provides a more structured way to configure kernel options.

Applied to files:

• config/kernel/linux-sunxi64-current.config

📚 Learning: 2025-11-20T18:20:11.985Z

Learnt from: EvilOlaf
Repo: armbian/build PR: 8968
File: patch/u-boot/u-boot-sunxi/arm64-dts-sun50i-h6-orangepi.dtsi-Rollback-r_rsb-to-r_i2c.patch:36-36
Timestamp: 2025-11-20T18:20:11.985Z
Learning: The rewrite-patches tool (REWRITE_PATCHES=yes) in the Armbian build system can inadvertently introduce semantic changes when the u-boot/kernel git base revision differs from expected state. The tool applies patches, commits them, and re-exports them using git format-patch, which can cause the re-exported patch to reflect the base revision's state rather than preserving the original patch intent. This is particularly problematic for device tree changes like interrupt specifications. The tool currently lacks validation mechanisms to detect such semantic drift, and affected patches must be manually corrected after rewriting.

Applied to files:

• config/kernel/linux-meson64-edge.config

📚 Learning: 2025-10-03T11:42:46.660Z

Learnt from: igorpecovnik
Repo: armbian/build PR: 8705
File: .github/workflows/rewrite-kernel-configs.yml:96-169
Timestamp: 2025-10-03T11:42:46.660Z
Learning: In the Armbian build repository's kernel config rewrite workflow (.github/workflows/rewrite-kernel-configs.yml), deletion of kernel config files does not need to be handled. The workflow intentionally only captures ACMR (added/copied/modified/renamed) changes and does not need to propagate deletions to the aggregator.

Applied to files:

• config/kernel/linux-meson64-edge.config

📚 Learning: 2025-10-04T17:59:19.369Z

Learnt from: igorpecovnik
Repo: armbian/build PR: 8705
File: .github/workflows/rewrite-kernel-configs.yml:217-220
Timestamp: 2025-10-04T17:59:19.369Z
Learning: In the Armbian build repository's kernel config rewrite workflow (.github/workflows/rewrite-kernel-configs.yml), the workflow is designed to rewrite existing kernel configs only. New/untracked files can be safely ignored, so using `git diff --quiet` (which ignores untracked files) is the correct approach for detecting changes rather than `git status --porcelain`.

Applied to files:

• config/kernel/linux-meson64-edge.config

📚 Learning: 2025-12-01T02:34:37.451Z

Learnt from: tabrisnet
Repo: armbian/build PR: 9000
File: config/desktop/questing/environments/xfce/debian/postinst:17-18
Timestamp: 2025-12-01T02:34:37.451Z
Learning: In the Armbian build system shell scripts, the sed pattern with -i flag placed after the script argument (e.g., `sed "s/.../.../" -i file`) is intentional and correct. While non-POSIX, this GNU sed extension is used throughout the codebase and works correctly in the Armbian build environment. This pattern should not be flagged as incorrect.

Applied to files:

• config/kernel/linux-meson64-edge.config

📚 Learning: 2025-06-24T10:08:40.313Z

Learnt from: EvilOlaf
Repo: armbian/build PR: 8328
File: lib/functions/compilation/patch/drivers_network.sh:542-545
Timestamp: 2025-06-24T10:08:40.313Z
Learning: In the Armbian build system, when a PR removes build support for a specific kernel version, version check issues for that removed version become practically irrelevant even if they appear incorrect in isolation. Context about which kernel versions are being deprecated/removed is important for understanding the impact of version-related code changes.

Applied to files:

• config/kernel/linux-meson64-edge.config

📚 Learning: 2025-12-17T05:09:02.306Z

Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-12-17T05:09:02.306Z
Learning: In the Armbian build system, kernel patches (e.g., in patch/kernel/archive/sunxi-6.18/patches.armbian/) contain device tree overlays and other code that have existed for years and are maintained/ported across kernel versions. When reviewing PRs that modify these patch files, focus on the actual changes being made (e.g., Makefile fixes, new additions) rather than reviewing the entire existing content within the patch as if it were new code. The patch file contents are existing, stable code unless explicitly modified in the PR diff.

Applied to files:

• config/kernel/linux-meson64-edge.config

📚 Learning: 2025-07-25T03:51:50.830Z

Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub API (https://api.github.com/repos/armbian/build/pulls/{pr_number}/files) to get the complete picture of what files are being added or modified, especially for U-Boot patches that will be applied during the build process.

Applied to files:

• config/kernel/linux-meson64-edge.config

📚 Learning: 2025-12-16T13:40:07.649Z

Learnt from: igorpecovnik
Repo: armbian/build PR: 9087
File: .github/workflows/pr-check-pictures.yml:138-146
Timestamp: 2025-12-16T13:40:07.649Z
Learning: In the Armbian build repository, when introducing new requirements or checks (like the board assets verification workflow), the project prefers an initial educational-only period where violations post helpful PR comments and warnings but don't block merges. This allows contributors to become familiar with new requirements before enforcement is enabled (typically after ~6 months).

Applied to files:

• config/kernel/linux-meson64-edge.config

📚 Learning: 2025-12-17T15:46:22.709Z

Learnt from: EvilOlaf
Repo: armbian/build PR: 9096
File: patch/kernel/archive/sunxi-6.18/patches.armbian/arm64-dts-sun50i-h616-add-overlays.patch:4-5
Timestamp: 2025-12-17T15:46:22.709Z
Learning: In Armbian kernel patches, when patches are renamed or reorganized, the old Subject line may be intentionally preserved in the patch header (as a second Subject line) for archival/historical purposes to document the previous patch name. This is an Armbian-specific practice for tracking patch evolution and should not be flagged as an error when the maintainer has intentionally included it for documentation.

Applied to files:

• config/kernel/linux-meson64-edge.config

📚 Learning: 2025-03-31T22:20:48.475Z

Learnt from: rpardini
Repo: armbian/build PR: 8044
File: patch/u-boot/v2025.04/cmd-fileenv-read-string-from-file-into-env.patch:76-86
Timestamp: 2025-03-31T22:20:48.475Z
Learning: For the Armbian build project, maintaining consistency with existing patches across U-Boot versions (such as between 2025.01 and 2025.04) is prioritized over refactoring individual patches for code improvements.

Applied to files:

• config/kernel/linux-meson64-edge.config

📚 Learning: 2025-11-11T20:56:20.303Z

Learnt from: glneo
Repo: armbian/build PR: 8913
File: config/sources/families/include/k3_common.inc:57-60
Timestamp: 2025-11-11T20:56:20.303Z
Learning: In config/sources/families/include/k3_common.inc, the OP-TEE build command at line 59 should be updated in a future PR to explicitly set CROSS_COMPILE64=aarch64-linux-gnu- and CROSS_COMPILE32=arm-linux-gnueabihf- instead of relying on OP-TEE's internal defaults, for better clarity and maintainability. User glneo agreed to address this in a separate PR.

Applied to files:

• config/kernel/linux-meson64-edge.config

📚 Learning: 2025-07-15T21:09:23.252Z

Learnt from: pyavitz
Repo: armbian/build PR: 8383
File: config/kernel/linux-sunxi64-edge.config:57-64
Timestamp: 2025-07-15T21:09:23.252Z
Learning: In Linux kernel configuration, when CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y is set, the ondemand governor is implicitly enabled by default, making the explicit CONFIG_CPU_FREQ_GOV_ONDEMAND=y line redundant. The make menuconfig tool automatically removes such redundant lines. This behavior applies to CPU frequency governor configurations in general - setting a default governor automatically enables that governor.

Applied to files:

• config/kernel/linux-sunxi64-edge.config
• config/kernel/linux-sunxi-current.config

📚 Learning: 2025-10-26T10:41:35.118Z

Learnt from: HackingGate
Repo: armbian/build PR: 8665
File: config/boards/photonicat2.csc:4-4
Timestamp: 2025-10-26T10:41:35.118Z
Learning: In the Armbian build system, rk3576 boards consistently use BOARDFAMILY="rk35xx" for both vendor and edge kernel targets. The rk35xx family configuration sources rockchip64_common.inc, which provides edge and current kernel branch definitions, making these branches available even though they're not defined directly in rk35xx.conf.

Applied to files:

• config/kernel/linux-rockchip-edge.config

📚 Learning: 2025-10-26T12:56:29.185Z

Learnt from: rpardini
Repo: armbian/build PR: 8820
File: config/sources/families/include/meson64_common.inc:51-53
Timestamp: 2025-10-26T12:56:29.185Z
Learning: In the Armbian build framework, scripts/config correctly handles kernel configuration option names both with and without the CONFIG_ prefix, so opts_m+=("CONFIG_RTL8822CS") and opts_m+=("RTL8822CS") are both valid and will work correctly.

Applied to files:

• lib/functions/compilation/armbian-kernel.sh
• config/kernel/linux-rk322x-current.config

📚 Learning: 2025-12-18T23:40:41.627Z

Learnt from: rpardini
Repo: armbian/build PR: 9101
File: lib/functions/image/compress-checksum.sh:44-48
Timestamp: 2025-12-18T23:40:41.627Z
Learning: In the Armbian build framework, scripts run with set -e, so a non-zero exit status will abort the script. During reviews, assume failures will stop execution unless explicitly handled. Verify that commands that must fail are checked, errors are propagated, and any critical steps have proper error handling (e.g., using pipefail where appropriate, checking exit codes, and not masking failures).

Applied to files:

• lib/functions/compilation/armbian-kernel.sh

🔇 Additional comments (8)

config/kernel/linux-sunxi-current.config (1)

9-9: Remove manual config edit; BPF_UNPRIV_DEFAULT_OFF is already handled centrally.

The security improvement is correct, but the manual config file edit is redundant. The armbian_kernel_config__600_enable_ebpf_and_btf_info function already sets BPF_UNPRIV_DEFAULT_OFF in its opts_y array (line 123 of lib/functions/compilation/armbian-kernel.sh). This setting is applied automatically during kernel compilation, making the manual edit to the config file unnecessary.

Remove this change from the config file and rely on the existing central function to apply the setting consistently across all configurations.

Likely an incorrect or invalid review comment.

config/kernel/linux-mvebu-edge.config (1)

9-12: Unprivileged BPF default-off correctly enabled for mvebu

Setting CONFIG_BPF_UNPRIV_DEFAULT_OFF=y here is consistent with the existing BPF enablement and matches the PR goal of disabling unprivileged eBPF by default while preserving privileged BPF use. No conflicts apparent in this defconfig overlay.

config/kernel/linux-rockchip64-current.config (1)

9-13: Rockchip64: BPF_UNPRIV_DEFAULT_OFF aligns with existing BPF stack

With CONFIG_BPF_SYSCALL=y, CONFIG_BPF_JIT=y and CONFIG_BPF_LSM=y already enabled, adding CONFIG_BPF_UNPRIV_DEFAULT_OFF=y gives the intended “BPF available but unprivileged disabled by default” behavior and should clean up the Spectre v2 vulnerability reporting. Looks coherent for this family.

config/kernel/linux-imx6-edge.config (1)

10-14: i.MX6 edge: consistent unprivileged BPF default-off

Adding CONFIG_BPF_UNPRIV_DEFAULT_OFF=y next to the existing BPF JIT options consistently applies the “unprivileged BPF disabled by default” policy here as well, matching the other families and the PR’s security objective.

config/kernel/linux-rk322x-current.config (1)

95-106: Enable CONFIG_BPF_UNPRIV_DEFAULT_OFF for correct unprivileged eBPF state

Setting CONFIG_BPF_UNPRIV_DEFAULT_OFF=y here is consistent with the existing BPF settings and with the PR goal of having unprivileged eBPF disabled by default and properly reflected in the Spectre v2 vulnerability output. No issues spotted.

config/kernel/linux-rockchip-edge.config (1)

8-12: Rockchip edge: unprivileged eBPF default‑off is correctly enabled

CONFIG_BPF_UNPRIV_DEFAULT_OFF=y complements CONFIG_BPF_SYSCALL/CONFIG_BPF_JIT and aligns this defconfig with the intended “unprivileged eBPF disabled by default” behavior and reporting. Looks good.

config/kernel/linux-meson64-edge.config (1)

7-11: Enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF here is correct and consistent.

Placed alongside the other BPF options, this ensures unprivileged BPF is default‑off for meson64 edge and matches the central armbian‑kernel.sh logic.

config/kernel/linux-sunxi64-edge.config (1)

7-9: Sunxi64 edge config correctly enables CONFIG_BPF_UNPRIV_DEFAULT_OFF.

The new line sits with the other BPF knobs and matches the intended “unprivileged BPF default‑off” behavior across ARM64 kernels.

[tabrisnet]

Have you looked into running [a few sample jobs] manually on your machine?Each individual run shouldn't take more than a few minutes. basically ./compile.sh rewrite-kernel-config BOARD=foo BRANCH=current That's what the workflow does, but once for every board family. The goal would, roughly, be to run for a sunxi64 board, a meson64 board & a rockchip64 board. See the results. Did it elide the line? Sent from myPhone.

[tabrisnet]

I fetched/cherry-picked your commit de1f9ee, then did a rewrite for rockchip64
time ./compile.sh rewrite-kernel-config BOARD=orangepi5 BRANCH=current & also for sunxi64

As I expected [ignore R8712U, that's not relevant]
It deletes the line CONFIG_BPF_UNPRIV_DEFAULT_OFF=y b/c it's redundant/default.
@coderabbitai

tabris@brunnt:~/build/armbian-build$ git diff config/
diff --git a/config/kernel/linux-rockchip64-current.config b/config/kernel/linux-rockchip64-current.config
index 939cd4a56..f4aef810a 100644
--- a/config/kernel/linux-rockchip64-current.config
+++ b/config/kernel/linux-rockchip64-current.config
@@ -8,7 +8,6 @@ CONFIG_NO_HZ=y
 CONFIG_HIGH_RES_TIMERS=y
 CONFIG_BPF_SYSCALL=y
 CONFIG_BPF_JIT=y
-CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
 CONFIG_BPF_LSM=y
 CONFIG_PREEMPT=y
 CONFIG_SCHED_CORE=y
@@ -2801,7 +2800,6 @@ CONFIG_STAGING=y
 CONFIG_RTLLIB=m
 CONFIG_RTL8192E=m
 CONFIG_RTL8723BS=m
-CONFIG_R8712U=m
 CONFIG_RTS5208=m
 CONFIG_VT6655=m
 CONFIG_VT6656=m
diff --git a/config/kernel/linux-sunxi64-current.config b/config/kernel/linux-sunxi64-current.config
index ce6232667..47ea4d81c 100644
--- a/config/kernel/linux-sunxi64-current.config
+++ b/config/kernel/linux-sunxi64-current.config
@@ -6,7 +6,6 @@ CONFIG_NO_HZ=y
 CONFIG_HIGH_RES_TIMERS=y
 CONFIG_BPF_SYSCALL=y
 CONFIG_BPF_JIT=y
-CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
 CONFIG_BSD_PROCESS_ACCT=y
 CONFIG_BSD_PROCESS_ACCT_V3=y
 CONFIG_TASKSTATS=y
@@ -2335,7 +2334,6 @@ CONFIG_VIRTIO_MMIO=y
 CONFIG_VHOST_SCSI=m
 CONFIG_STAGING=y
 CONFIG_RTL8723BS=m
-CONFIG_R8712U=m
 CONFIG_AD9832=m
 CONFIG_AD9834=m
 CONFIG_STAGING_MEDIA=y

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@tabrisnet: Thank you for testing this! Your results confirm the overlay config behavior and reveal an important insight.

What the test results mean:

The fact that rewrite-kernel-config removes CONFIG_BPF_UNPRIV_DEFAULT_OFF=y tells us that =y is already the kernel's default value for kernels 5.16+. Armbian's overlay configs use savedefconfig, which only keeps non-default options—that's why the line disappears.

The original problem:

The configs had explicit # CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set comments, which were overriding the kernel default and forcing the option to be disabled. This caused unprivileged BPF to remain enabled, triggering the vulnerability warning.

What this means for the PR:

The current PR has two types of changes:

1. ✅ armbian-kernel.sh modification (adding BPF_UNPRIV_DEFAULT_OFF to opts_y) - This is correct and should be kept
2. ⚠️ Manual config file edits - These will be reverted by the weekly rewrite job, causing churn

Recommended next steps:

Since the armbian-kernel.sh change ensures the option is properly set during config generation (even though it won't appear in the final overlay), the PR should:

1. Keep the lib/functions/compilation/armbian-kernel.sh change
2. Revert all the manual config/kernel/*.config edits
3. Run a full rewrite-kernel-config pass for all boards to properly update the configs (removing the old "is not set" comments)

This approach:

• Documents the intent in armbian-kernel.sh
• Avoids churn with the weekly rewrite job
• Properly removes the problematic "is not set" overrides
• Accepts that the line won't appear in overlay configs (because it's redundant with the kernel default)

@neheb: Would you like to run the full rewrite-kernel-config workflow, or should the maintainers handle that separately? The key fix (armbian-kernel.sh change) is already in place.

---

🧠 Learnings used

Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T04:13:16.457Z
Learning: Armbian kernel configuration files like linux-filogic-current.config are autogenerated overlays on top of arch defconfig. Comments added manually will be lost during future updates by maintainers, and explicit "CONFIG_OPTION is not set" statements aren't needed for mutually exclusive options since these are overlay configs that only specify changes from the base configuration.

---

Learnt from: igorpecovnik
Repo: armbian/build PR: 8705
File: .github/workflows/rewrite-kernel-configs.yml:96-169
Timestamp: 2025-10-03T11:42:46.660Z
Learning: In the Armbian build repository's kernel config rewrite workflow (.github/workflows/rewrite-kernel-configs.yml), deletion of kernel config files does not need to be handled. The workflow intentionally only captures ACMR (added/copied/modified/renamed) changes and does not need to propagate deletions to the aggregator.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sunxi64-current.config:94-94
Timestamp: 2025-09-27T21:50:15.915Z
Learning: When kernel config files are generated through Armbian's automated process (previous config → armbian-kernel.sh changes → make oldconfig → Armbian machinery processing), manual config file edits are not appropriate since they would be overwritten. Deprecated option handling should be implemented in the automated tooling instead.

---

Learnt from: igorpecovnik
Repo: armbian/build PR: 8705
File: .github/workflows/rewrite-kernel-configs.yml:217-220
Timestamp: 2025-10-04T17:59:19.369Z
Learning: In the Armbian build repository's kernel config rewrite workflow (.github/workflows/rewrite-kernel-configs.yml), the workflow is designed to rewrite existing kernel configs only. New/untracked files can be safely ignored, so using `git diff --quiet` (which ignores untracked files) is the correct approach for detecting changes rather than `git status --porcelain`.

---

Learnt from: igorpecovnik
Repo: armbian/build PR: 8849
File: config/boards/radxa-e54c.csc:14-28
Timestamp: 2025-11-02T20:49:56.719Z
Learning: In Armbian board configuration files (config/boards/*.conf, *.csc, etc.), do not use kernel_config_set, kernel_config_set_m, kernel_config_set_y, or custom_kernel_config__* functions to modify kernel configuration. Kernel configuration is associated with LINUXFAMILY/BOARDFAMILY, not individual BOARD. Board-specific kernel modifications cause inconsistency in kernel packages published to the apt repository because boards within a family share the same kernel packages. Kernel configuration changes must be made in the appropriate kernel config file (e.g., config/kernel/linux-*-*.config) or in family configuration files (config/sources/families/*.conf, *.inc) instead.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the kernel_config_modifying_hashes array is not universally required for all kernel configuration functions - some functions like armbian_kernel_config__netkit() operate without it, and adding entries with '=m' would be incorrect when the actual result might be '=y' for options already built-in.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the kernel_config_modifying_hashes array is not universally required for all kernel configuration functions - some functions like armbian_kernel_config__netkit() operate without it, and adding entries with '=m' would be incorrect when the actual result might be '=y' for options already built-in.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sm8250-current.config:78-80
Timestamp: 2025-09-27T21:49:55.796Z
Learning: In the Armbian build system, kernel configuration files are generated through an automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sm8250-edge.config:80-82
Timestamp: 2025-09-27T21:50:04.845Z
Learning: In the Armbian build system, kernel configuration files are generated through this automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

---

Learnt from: EvilOlaf
Repo: armbian/build PR: 8968
File: patch/u-boot/u-boot-sunxi/arm64-dts-sun50i-h6-orangepi.dtsi-Rollback-r_rsb-to-r_i2c.patch:36-36
Timestamp: 2025-11-20T18:20:11.985Z
Learning: The rewrite-patches tool (REWRITE_PATCHES=yes) in the Armbian build system can inadvertently introduce semantic changes when the u-boot/kernel git base revision differs from expected state. The tool applies patches, commits them, and re-exports them using git format-patch, which can cause the re-exported patch to reflect the base revision's state rather than preserving the original patch intent. This is particularly problematic for device tree changes like interrupt specifications. The tool currently lacks validation mechanisms to detect such semantic drift, and affected patches must be manually corrected after rewriting.

---

Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-02T05:46:10.664Z
Learning: In the Armbian build system, the modern recommended approach for kernel configuration is to use the kernel-config command via "./compile.sh BOARD=boardname BRANCH=branchname kernel-config" instead of the deprecated KERNEL_CONFIGURE=yes flag. This provides a two-step workflow: configure using menuconfig, then build, with better transparency and control over configuration changes.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-bcm2711-edge.config:859-861
Timestamp: 2025-09-27T21:47:58.020Z
Learning: In the Armbian build system, kernel configuration files in config/kernel/ are generated through an automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

---

Learnt from: igorpecovnik
Repo: armbian/build PR: 8789
File: config/kernel/linux-sunxi64-edge.config:839-839
Timestamp: 2025-10-22T07:51:53.015Z
Learning: In Armbian's wireless driver configuration, CONFIG_RK_WIFI_DEVICE_* options are Rockchip-specific device registration settings, while CONFIG_WLAN_UWE* are the actual cross-platform driver modules for UWE5622 wireless chips. The UWE5622 chip (manufactured by Unisoc/Spreadtrum) is used on multiple Allwinner boards including Orange Pi Zero 2/2W/3 and Orange Pi 3 LTS, so CONFIG_WLAN_UWE5621/5622 along with Unisoc infrastructure options (CONFIG_SPARD_WLAN_SUPPORT, CONFIG_SC23XX, CONFIG_UNISOC_WIFI_PS, CONFIG_WCN_BSP_DRIVER_BUILDIN) are correct in sunxi64 kernel configs.

---

Learnt from: rpardini
Repo: armbian/build PR: 8820
File: config/sources/families/include/meson64_common.inc:51-53
Timestamp: 2025-10-26T12:56:29.185Z
Learning: In the Armbian build framework, scripts/config correctly handles kernel configuration option names both with and without the CONFIG_ prefix, so opts_m+=("CONFIG_RTL8822CS") and opts_m+=("RTL8822CS") are both valid and will work correctly.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.

---

Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub or the PR API to get the complete picture of what files are being added or modified.

---

Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub API (https://api.github.com/repos/armbian/build/pulls/{pr_number}/files) to get the complete picture of what files are being added or modified, especially for U-Boot patches that will be applied during the build process.

---

Learnt from: igorpecovnik
Repo: armbian/build PR: 9087
File: .github/workflows/pr-check-pictures.yml:138-146
Timestamp: 2025-12-16T13:40:07.649Z
Learning: In the Armbian build repository, when introducing new requirements or checks (like the board assets verification workflow), the project prefers an initial educational-only period where violations post helpful PR comments and warnings but don't block merges. This allows contributors to become familiar with new requirements before enforcement is enabled (typically after ~6 months).

---

Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-12-19T13:56:45.124Z
Learning: When reviewing kernel or u-boot version bump PRs in the Armbian build system, check if patches existed in previous kernel version directories (e.g., sunxi-6.12, sunxi-6.13) before describing them as new features. If a patch and the majority of its contents existed previously with no major functionality changes, focus the review on the actual changes: the version bump itself and patch compatibility adjustments. Don't describe existing patches being ported/maintained across versions as new features or drivers—this is misleading. The patches are existing code being re-aligned to work with the new upstream version.

---

Learnt from: EvilOlaf
Repo: armbian/build PR: 8328
File: lib/functions/compilation/patch/drivers_network.sh:542-545
Timestamp: 2025-06-24T10:08:40.313Z
Learning: In the Armbian build system, when a PR removes build support for a specific kernel version, version check issues for that removed version become practically irrelevant even if they appear incorrect in isolation. Context about which kernel versions are being deprecated/removed is important for understanding the impact of version-related code changes.

---

Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-12-17T05:09:02.306Z
Learning: In the Armbian build system, kernel patches (e.g., in patch/kernel/archive/sunxi-6.18/patches.armbian/) contain device tree overlays and other code that have existed for years and are maintained/ported across kernel versions. When reviewing PRs that modify these patch files, focus on the actual changes being made (e.g., Makefile fixes, new additions) rather than reviewing the entire existing content within the patch as if it were new code. The patch file contents are existing, stable code unless explicitly modified in the PR diff.

[tabrisnet]

Unlike the 🐰 suggestion, I'd say either revert the config/ changes OR delete the line. we know the most probable results, so no strict need for you to run all the rewrite jobs.

[neheb]

Deleted the line.

[coderabbitai]

Actionable comments posted: 3

♻️ Duplicate comments (1)

config/kernel/linux-sunxi64-current.config (1)

7-9: Align with generator workflow: remove explicit CONFIG_BPF_UNPRIV_DEFAULT_OFF from this overlay

This line achieves the desired mitigation, but config/kernel/linux-sunxi64-current.config is a generated overlay. The agreed approach in this PR is to set CONFIG_BPF_UNPRIV_DEFAULT_OFF in armbian-kernel.sh and let rewrite-kernel-config regenerate overlays; leaving the explicit =y here is redundant and will be dropped or rewritten later. Please rely on the central generator and keep this overlay minimal. Based on learnings, manual edits in these files tend not to persist.

Proposed cleanup

-CONFIG_BPF_UNPRIV_DEFAULT_OFF=y

🧹 Nitpick comments (5)

config/kernel/linux-imx6-legacy.config (1)

98-111: Avoid persisting manual edits in autogenerated kernel configs

CONFIG_BPF_UNPRIV_DEFAULT_OFF=y is a valid choice here (it makes unprivileged eBPF disabled by default and matches the PR’s security goal), but this file is tagged “Automatically generated; DO NOT EDIT” and Armbian’s workflow rewrites these overlays from defconfig + armbian-kernel.sh. That rewrite will likely drop this line again if it matches the kernel default, causing pointless churn across many .config files.

Prefer enforcing BPF_UNPRIV_DEFAULT_OFF in the central kernel-config machinery (e.g. armbian_kernel_config__600_enable_ebpf_and_btf_info in lib/functions/compilation/armbian-kernel.sh) and let rewrite-kernel-config regenerate overlays, rather than carrying this explicit =y in each overlay file. Once the central change is in place, this line can be safely removed and left to the rewrite job.
Based on learnings, manual edits to autogenerated overlays are discouraged and non-persistent.

config/kernel/linux-sunxi64-legacy.config (1)

7-9: Avoid hard‑coding CONFIG_BPF_UNPRIV_DEFAULT_OFF in this autogenerated overlay

These config/kernel/*.config files are generated overlays; explicit defaults like CONFIG_BPF_UNPRIV_DEFAULT_OFF=y will be elided by rewrite-kernel-config and cause churn. With the option handled centrally in lib/functions/compilation/armbian-kernel.sh, this line is redundant here and can be dropped so the overlay only captures deviations from the base defconfig. Based on learnings, Armbian prefers generator‑driven changes over manual edits in these files.

Proposed cleanup

-CONFIG_BPF_UNPRIV_DEFAULT_OFF=y

config/kernel/linux-mvebu-current.config (1)

9-10: Keep unprivileged BPF default‑off, but drive it from armbian-kernel.sh, not this overlay

The value CONFIG_BPF_UNPRIV_DEFAULT_OFF=y is correct for security, but this file is an autogenerated overlay. Per the Armbian workflow and previous discussion on this PR, the persistent source of truth should be lib/functions/compilation/armbian-kernel.sh plus rewrite-kernel-config; keeping the explicit line here is redundant and will be stripped or rewritten later. Consider dropping it and relying on the generator’s BPF section instead. Based on learnings, autogenerated overlays should stay minimal.

Proposed cleanup

-CONFIG_BPF_UNPRIV_DEFAULT_OFF=y

config/kernel/linux-mvebu-legacy.config (1)

94-105: Correct option, but prefer setting it via armbian-kernel.sh instead of this generated config

Enabling CONFIG_BPF_UNPRIV_DEFAULT_OFF=y here does achieve the desired security behavior (disabling unprivileged eBPF by default), but this file is an auto‑generated kernel config overlay and is subject to rewrite-kernel-config. As discussed in the PR and past learnings, the preferred pattern is:

• Add BPF_UNPRIV_DEFAULT_OFF to the appropriate opts_y+=() in lib/functions/compilation/armbian-kernel.sh (e.g. in armbian_kernel_config__600_enable_ebpf_and_btf_info), and
• Let the rewrite workflow regenerate overlays, omitting redundant lines if the option matches the kernel default.

Once the central script change is in place, this explicit line in the overlay can be dropped to avoid churn when rewrite-kernel-config runs. Based on learnings, Armbian kernel overlays should not be manually maintained where the generator can express the intent.

config/kernel/linux-sunxi-legacy.config (1)

8-12: Functionally good, but should rely on the central kernel-config generator rather than this overlay

CONFIG_BPF_UNPRIV_DEFAULT_OFF=y here is the correct knob to turn off unprivileged eBPF by default and addresses the reported vuln output. However, this linux-sunxi-legacy.config file is an autogenerated Armbian overlay; per the agreed PR direction and existing workflow, this option should be set via lib/functions/compilation/armbian-kernel.sh and then propagated by rewrite-kernel-config, not by hand in the overlay.

Once the generator is updated, consider removing this explicit line from the overlay so that future rewrite runs don’t drop it as redundant or reformat it, avoiding unnecessary config churn. Based on learnings, overlay configs should remain as thin deltas over the base defconfig.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between de1f9ee and 66f25c6.

📒 Files selected for processing (32)

• config/kernel/linux-bcm2711-current.config (1 hunks)
• config/kernel/linux-bcm2711-edge.config (1 hunks)
• config/kernel/linux-bcm2711-legacy.config (1 hunks)
• config/kernel/linux-imx6-current.config (1 hunks)
• config/kernel/linux-imx6-edge.config (1 hunks)
• config/kernel/linux-imx6-legacy.config (1 hunks)
• config/kernel/linux-meson64-current.config (1 hunks)
• config/kernel/linux-meson64-edge.config (1 hunks)
• config/kernel/linux-mvebu-current.config (1 hunks)
• config/kernel/linux-mvebu-edge.config (1 hunks)
• config/kernel/linux-mvebu-legacy.config (1 hunks)
• config/kernel/linux-mvebu64-current.config (1 hunks)
• config/kernel/linux-mvebu64-edge.config (1 hunks)
• config/kernel/linux-mvebu64-legacy.config (1 hunks)
• config/kernel/linux-odroidxu4-current.config (1 hunks)
• config/kernel/linux-odroidxu4-edge.config (1 hunks)
• config/kernel/linux-rk322x-current.config (1 hunks)
• config/kernel/linux-rk322x-edge.config (1 hunks)
• config/kernel/linux-rk35xx-vendor.config (1 hunks)
• config/kernel/linux-rockchip-current.config (1 hunks)
• config/kernel/linux-rockchip-edge.config (1 hunks)
• config/kernel/linux-rockchip-rk3588-edge.config (1 hunks)
• config/kernel/linux-rockchip64-current.config (1 hunks)
• config/kernel/linux-rockchip64-edge.config (1 hunks)
• config/kernel/linux-sunxi-current.config (1 hunks)
• config/kernel/linux-sunxi-edge.config (1 hunks)
• config/kernel/linux-sunxi-legacy.config (1 hunks)
• config/kernel/linux-sunxi64-current.config (1 hunks)
• config/kernel/linux-sunxi64-edge.config (1 hunks)
• config/kernel/linux-sunxi64-legacy.config (1 hunks)
• config/kernel/linux-thead-legacy.config (1 hunks)
• config/kernel/linux-virtual-current.config (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (22)

• config/kernel/linux-rockchip-current.config
• config/kernel/linux-sunxi-edge.config
• config/kernel/linux-sunxi-current.config
• config/kernel/linux-rockchip64-edge.config
• config/kernel/linux-imx6-current.config
• config/kernel/linux-sunxi64-edge.config
• config/kernel/linux-bcm2711-edge.config
• config/kernel/linux-rockchip64-current.config
• config/kernel/linux-rockchip-rk3588-edge.config
• config/kernel/linux-odroidxu4-edge.config
• config/kernel/linux-bcm2711-current.config
• config/kernel/linux-mvebu64-legacy.config
• config/kernel/linux-rk322x-current.config
• config/kernel/linux-meson64-current.config
• config/kernel/linux-rk322x-edge.config
• config/kernel/linux-bcm2711-legacy.config
• config/kernel/linux-rockchip-edge.config
• config/kernel/linux-rk35xx-vendor.config
• config/kernel/linux-odroidxu4-current.config
• config/kernel/linux-virtual-current.config
• config/kernel/linux-mvebu-edge.config
• config/kernel/linux-mvebu64-edge.config

🧰 Additional context used

🧠 Learnings (32)

📓 Common learnings

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.

Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub or the PR API to get the complete picture of what files are being added or modified.

Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub API (https://api.github.com/repos/armbian/build/pulls/{pr_number}/files) to get the complete picture of what files are being added or modified, especially for U-Boot patches that will be applied during the build process.

Learnt from: igorpecovnik
Repo: armbian/build PR: 9087
File: .github/workflows/pr-check-pictures.yml:138-146
Timestamp: 2025-12-16T13:40:07.649Z
Learning: In the Armbian build repository, when introducing new requirements or checks (like the board assets verification workflow), the project prefers an initial educational-only period where violations post helpful PR comments and warnings but don't block merges. This allows contributors to become familiar with new requirements before enforcement is enabled (typically after ~6 months).

Learnt from: igorpecovnik
Repo: armbian/build PR: 8705
File: .github/workflows/rewrite-kernel-configs.yml:96-169
Timestamp: 2025-10-03T11:42:46.660Z
Learning: In the Armbian build repository's kernel config rewrite workflow (.github/workflows/rewrite-kernel-configs.yml), deletion of kernel config files does not need to be handled. The workflow intentionally only captures ACMR (added/copied/modified/renamed) changes and does not need to propagate deletions to the aggregator.

Learnt from: EvilOlaf
Repo: armbian/build PR: 8968
File: patch/u-boot/u-boot-sunxi/arm64-dts-sun50i-h6-orangepi.dtsi-Rollback-r_rsb-to-r_i2c.patch:36-36
Timestamp: 2025-11-20T18:20:11.985Z
Learning: The rewrite-patches tool (REWRITE_PATCHES=yes) in the Armbian build system can inadvertently introduce semantic changes when the u-boot/kernel git base revision differs from expected state. The tool applies patches, commits them, and re-exports them using git format-patch, which can cause the re-exported patch to reflect the base revision's state rather than preserving the original patch intent. This is particularly problematic for device tree changes like interrupt specifications. The tool currently lacks validation mechanisms to detect such semantic drift, and affected patches must be manually corrected after rewriting.

Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-12-19T13:56:45.124Z
Learning: When reviewing kernel or u-boot version bump PRs in the Armbian build system, check if patches existed in previous kernel version directories (e.g., sunxi-6.12, sunxi-6.13) before describing them as new features. If a patch and the majority of its contents existed previously with no major functionality changes, focus the review on the actual changes: the version bump itself and patch compatibility adjustments. Don't describe existing patches being ported/maintained across versions as new features or drivers—this is misleading. The patches are existing code being re-aligned to work with the new upstream version.

Learnt from: EvilOlaf
Repo: armbian/build PR: 8328
File: lib/functions/compilation/patch/drivers_network.sh:542-545
Timestamp: 2025-06-24T10:08:40.313Z
Learning: In the Armbian build system, when a PR removes build support for a specific kernel version, version check issues for that removed version become practically irrelevant even if they appear incorrect in isolation. Context about which kernel versions are being deprecated/removed is important for understanding the impact of version-related code changes.

Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-12-17T05:09:02.306Z
Learning: In the Armbian build system, kernel patches (e.g., in patch/kernel/archive/sunxi-6.18/patches.armbian/) contain device tree overlays and other code that have existed for years and are maintained/ported across kernel versions. When reviewing PRs that modify these patch files, focus on the actual changes being made (e.g., Makefile fixes, new additions) rather than reviewing the entire existing content within the patch as if it were new code. The patch file contents are existing, stable code unless explicitly modified in the PR diff.

Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:56:33.372Z
Learning: In Armbian kernel configuration, the BTRFS configuration logic preserves existing settings (whether built-in 'y' or module 'm') and only sets BTRFS_FS to module when it was previously disabled or not set, achieving "allow but not require" flexibility while maintaining backward compatibility.

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: The kernel_config_set_m function in lib/functions/compilation/armbian-kernel.sh preserves existing 'y' (built-in) settings and only sets options to 'm' (module) when they are not already built-in, achieving "prefer modules but allow built-ins" behavior.

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: The kernel_config_set_m function in lib/functions/compilation/armbian-kernel.sh preserves existing 'y' (built-in) settings and only sets options to 'm' (module) when they are not already built-in, achieving "prefer modules but allow built-ins" behavior.

Learnt from: rpardini
Repo: armbian/build PR: 8820
File: config/sources/families/include/meson64_common.inc:51-53
Timestamp: 2025-10-26T12:56:29.185Z
Learning: In the Armbian build framework, scripts/config correctly handles kernel configuration option names both with and without the CONFIG_ prefix, so opts_m+=("CONFIG_RTL8822CS") and opts_m+=("RTL8822CS") are both valid and will work correctly.

Learnt from: igorpecovnik
Repo: armbian/build PR: 8789
File: config/kernel/linux-sunxi64-edge.config:839-839
Timestamp: 2025-10-22T07:56:19.424Z
Learning: In Linux kernel configuration, some `=y` (builtin) options are infrastructure or feature flags that enable subsystems or features for modular drivers, rather than directly compiling code into the kernel. For example, in Armbian wireless configs, options like CONFIG_SPARD_WLAN_SUPPORT=y, CONFIG_SC23XX=y, CONFIG_WCN_BSP_DRIVER_BUILDIN=y, CONFIG_UNISOC_WIFI_PS=y are module infrastructure/feature enablers, while the actual drivers (CONFIG_WLAN_UWE5621=m, CONFIG_WLAN_UWE5622=m) remain as loadable modules. These infrastructure options don't cause kernel bloat.

Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T04:13:16.457Z
Learning: Armbian kernel configuration files like linux-filogic-current.config are autogenerated overlays on top of arch defconfig. Comments added manually will be lost during future updates by maintainers, and explicit "CONFIG_OPTION is not set" statements aren't needed for mutually exclusive options since these are overlay configs that only specify changes from the base configuration.

Learnt from: libiunc
Repo: armbian/build PR: 8033
File: config/kernel/linux-starfive2-vendor.config:43-43
Timestamp: 2025-03-31T12:57:13.880Z
Learning: For StarFive2 platform kernel configurations, maintain alignment with vendor-provided configurations rather than modifying security settings like SECCOMP. This ensures hardware compatibility as intended by the manufacturer.

Learnt from: igorpecovnik
Repo: armbian/build PR: 8849
File: config/boards/radxa-e54c.csc:14-28
Timestamp: 2025-11-02T20:49:56.719Z
Learning: In Armbian board configuration files (config/boards/*.conf, *.csc, etc.), do not use kernel_config_set, kernel_config_set_m, kernel_config_set_y, or custom_kernel_config__* functions to modify kernel configuration. Kernel configuration is associated with LINUXFAMILY/BOARDFAMILY, not individual BOARD. Board-specific kernel modifications cause inconsistency in kernel packages published to the apt repository because boards within a family share the same kernel packages. Kernel configuration changes must be made in the appropriate kernel config file (e.g., config/kernel/linux-*-*.config) or in family configuration files (config/sources/families/*.conf, *.inc) instead.

📚 Learning: 2025-08-30T04:13:16.457Z

Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T04:13:16.457Z
Learning: Armbian kernel configuration files like linux-filogic-current.config are autogenerated overlays on top of arch defconfig. Comments added manually will be lost during future updates by maintainers, and explicit "CONFIG_OPTION is not set" statements aren't needed for mutually exclusive options since these are overlay configs that only specify changes from the base configuration.

Applied to files:

• config/kernel/linux-mvebu64-current.config
• config/kernel/linux-mvebu-current.config
• config/kernel/linux-sunxi-legacy.config
• config/kernel/linux-meson64-edge.config
• config/kernel/linux-sunxi64-current.config
• config/kernel/linux-imx6-edge.config
• config/kernel/linux-imx6-legacy.config
• config/kernel/linux-sunxi64-legacy.config
• config/kernel/linux-mvebu-legacy.config

📚 Learning: 2025-11-02T20:49:56.719Z

Learnt from: igorpecovnik
Repo: armbian/build PR: 8849
File: config/boards/radxa-e54c.csc:14-28
Timestamp: 2025-11-02T20:49:56.719Z
Learning: In Armbian board configuration files (config/boards/*.conf, *.csc, etc.), do not use kernel_config_set, kernel_config_set_m, kernel_config_set_y, or custom_kernel_config__* functions to modify kernel configuration. Kernel configuration is associated with LINUXFAMILY/BOARDFAMILY, not individual BOARD. Board-specific kernel modifications cause inconsistency in kernel packages published to the apt repository because boards within a family share the same kernel packages. Kernel configuration changes must be made in the appropriate kernel config file (e.g., config/kernel/linux-*-*.config) or in family configuration files (config/sources/families/*.conf, *.inc) instead.

Applied to files:

• config/kernel/linux-mvebu64-current.config
• config/kernel/linux-mvebu-current.config
• config/kernel/linux-sunxi-legacy.config
• config/kernel/linux-meson64-edge.config
• config/kernel/linux-sunxi64-current.config
• config/kernel/linux-imx6-edge.config
• config/kernel/linux-imx6-legacy.config
• config/kernel/linux-sunxi64-legacy.config
• config/kernel/linux-mvebu-legacy.config

📚 Learning: 2025-09-27T21:47:58.020Z

Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-bcm2711-edge.config:859-861
Timestamp: 2025-09-27T21:47:58.020Z
Learning: In the Armbian build system, kernel configuration files in config/kernel/ are generated through an automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

• config/kernel/linux-mvebu64-current.config
• config/kernel/linux-sunxi64-current.config

📚 Learning: 2025-09-22T21:52:01.225Z

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the kernel_config_modifying_hashes array is not universally required for all kernel configuration functions - some functions like armbian_kernel_config__netkit() operate without it, and adding entries with '=m' would be incorrect when the actual result might be '=y' for options already built-in.

Applied to files:

• config/kernel/linux-mvebu64-current.config
• config/kernel/linux-meson64-edge.config
• config/kernel/linux-sunxi64-current.config

📚 Learning: 2025-09-27T21:49:55.796Z

Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sm8250-current.config:78-80
Timestamp: 2025-09-27T21:49:55.796Z
Learning: In the Armbian build system, kernel configuration files are generated through an automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

• config/kernel/linux-mvebu64-current.config
• config/kernel/linux-sunxi64-current.config

📚 Learning: 2025-09-25T18:37:00.330Z

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.

Applied to files:

• config/kernel/linux-mvebu64-current.config
• config/kernel/linux-thead-legacy.config
• config/kernel/linux-mvebu-current.config
• config/kernel/linux-sunxi-legacy.config
• config/kernel/linux-meson64-edge.config
• config/kernel/linux-sunxi64-current.config
• config/kernel/linux-imx6-edge.config
• config/kernel/linux-imx6-legacy.config
• config/kernel/linux-sunxi64-legacy.config
• config/kernel/linux-mvebu-legacy.config

📚 Learning: 2025-09-27T21:50:04.845Z

Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sm8250-edge.config:80-82
Timestamp: 2025-09-27T21:50:04.845Z
Learning: In the Armbian build system, kernel configuration files are generated through this automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

Applied to files:

• config/kernel/linux-mvebu64-current.config
• config/kernel/linux-sunxi64-current.config

📚 Learning: 2025-09-22T21:52:01.225Z

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: The kernel_config_set_m function in lib/functions/compilation/armbian-kernel.sh preserves existing 'y' (built-in) settings and only sets options to 'm' (module) when they are not already built-in, achieving "prefer modules but allow built-ins" behavior.

Applied to files:

• config/kernel/linux-mvebu64-current.config
• config/kernel/linux-thead-legacy.config
• config/kernel/linux-mvebu-current.config
• config/kernel/linux-sunxi-legacy.config
• config/kernel/linux-imx6-legacy.config
• config/kernel/linux-sunxi64-legacy.config
• config/kernel/linux-mvebu-legacy.config

📚 Learning: 2025-10-22T07:56:19.424Z

Learnt from: igorpecovnik
Repo: armbian/build PR: 8789
File: config/kernel/linux-sunxi64-edge.config:839-839
Timestamp: 2025-10-22T07:56:19.424Z
Learning: In Linux kernel configuration, some `=y` (builtin) options are infrastructure or feature flags that enable subsystems or features for modular drivers, rather than directly compiling code into the kernel. For example, in Armbian wireless configs, options like CONFIG_SPARD_WLAN_SUPPORT=y, CONFIG_SC23XX=y, CONFIG_WCN_BSP_DRIVER_BUILDIN=y, CONFIG_UNISOC_WIFI_PS=y are module infrastructure/feature enablers, while the actual drivers (CONFIG_WLAN_UWE5621=m, CONFIG_WLAN_UWE5622=m) remain as loadable modules. These infrastructure options don't cause kernel bloat.

Applied to files:

• config/kernel/linux-mvebu64-current.config
• config/kernel/linux-thead-legacy.config
• config/kernel/linux-mvebu-current.config
• config/kernel/linux-sunxi-legacy.config
• config/kernel/linux-meson64-edge.config
• config/kernel/linux-sunxi64-current.config
• config/kernel/linux-imx6-edge.config
• config/kernel/linux-sunxi64-legacy.config
• config/kernel/linux-mvebu-legacy.config

📚 Learning: 2025-07-27T15:56:34.414Z

Learnt from: pyavitz
Repo: armbian/build PR: 8421
File: config/kernel/linux-sunxi64-edge.config:438-439
Timestamp: 2025-07-27T15:56:34.414Z
Learning: CONFIG_NET_SCH_DEFAULT is a boolean kernel configuration option (=y or =n) that enables/disables the ability to override the default network queueing discipline at runtime. When set to 'y', it allows setting the actual qdisc name via /proc/sys/net/core/default_qdisc at runtime, not in the kernel config file itself.

Applied to files:

• config/kernel/linux-mvebu64-current.config
• config/kernel/linux-mvebu-current.config
• config/kernel/linux-sunxi-legacy.config
• config/kernel/linux-meson64-edge.config
• config/kernel/linux-sunxi64-current.config
• config/kernel/linux-sunxi64-legacy.config

📚 Learning: 2025-08-30T06:56:33.372Z

Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:56:33.372Z
Learning: In Armbian kernel configuration, the BTRFS configuration logic preserves existing settings (whether built-in 'y' or module 'm') and only sets BTRFS_FS to module when it was previously disabled or not set, achieving "allow but not require" flexibility while maintaining backward compatibility.

Applied to files:

• config/kernel/linux-mvebu64-current.config
• config/kernel/linux-thead-legacy.config
• config/kernel/linux-mvebu-current.config
• config/kernel/linux-sunxi-legacy.config
• config/kernel/linux-meson64-edge.config
• config/kernel/linux-sunxi64-current.config
• config/kernel/linux-imx6-edge.config
• config/kernel/linux-imx6-legacy.config
• config/kernel/linux-sunxi64-legacy.config
• config/kernel/linux-mvebu-legacy.config

📚 Learning: 2025-07-19T00:03:42.995Z

Learnt from: lanefu
Repo: armbian/build PR: 8377
File: config/kernel/linux-uefi-arm64-cloud.config:165-170
Timestamp: 2025-07-19T00:03:42.995Z
Learning: CONFIG_NETKIT was introduced in Linux kernel 4.14.330 (November 2023) and enables BPF-programmable network devices that can operate in Layer 3 or Layer 2 mode. It's a valid configuration option in modern kernels including 6.12.

Applied to files:

• config/kernel/linux-mvebu64-current.config
• config/kernel/linux-mvebu-current.config
• config/kernel/linux-sunxi-legacy.config
• config/kernel/linux-meson64-edge.config
• config/kernel/linux-sunxi64-current.config
• config/kernel/linux-imx6-legacy.config
• config/kernel/linux-sunxi64-legacy.config
• config/kernel/linux-mvebu-legacy.config

📚 Learning: 2025-03-31T12:57:13.880Z

Learnt from: libiunc
Repo: armbian/build PR: 8033
File: config/kernel/linux-starfive2-vendor.config:43-43
Timestamp: 2025-03-31T12:57:13.880Z
Learning: For StarFive2 platform kernel configurations, maintain alignment with vendor-provided configurations rather than modifying security settings like SECCOMP. This ensures hardware compatibility as intended by the manufacturer.

Applied to files:

• config/kernel/linux-thead-legacy.config
• config/kernel/linux-meson64-edge.config
• config/kernel/linux-imx6-edge.config
• config/kernel/linux-mvebu-legacy.config

📚 Learning: 2025-09-27T21:50:15.915Z

Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sunxi64-current.config:94-94
Timestamp: 2025-09-27T21:50:15.915Z
Learning: When kernel config files are generated through Armbian's automated process (previous config → armbian-kernel.sh changes → make oldconfig → Armbian machinery processing), manual config file edits are not appropriate since they would be overwritten. Deprecated option handling should be implemented in the automated tooling instead.

Applied to files:

• config/kernel/linux-mvebu-current.config
• config/kernel/linux-sunxi-legacy.config
• config/kernel/linux-meson64-edge.config
• config/kernel/linux-sunxi64-current.config
• config/kernel/linux-sunxi64-legacy.config

📚 Learning: 2025-08-02T05:46:10.664Z

Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-02T05:46:10.664Z
Learning: In the Armbian build system, the KERNEL_CONFIGURE=yes switch is deprecated. The recommended approach for kernel configuration is now to use the `kernel-config` build command, which provides a more structured way to configure kernel options.

Applied to files:

• config/kernel/linux-sunxi-legacy.config

📚 Learning: 2025-07-15T21:09:23.252Z

Learnt from: pyavitz
Repo: armbian/build PR: 8383
File: config/kernel/linux-sunxi64-edge.config:57-64
Timestamp: 2025-07-15T21:09:23.252Z
Learning: In Linux kernel configuration, when CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y is set, the ondemand governor is implicitly enabled by default, making the explicit CONFIG_CPU_FREQ_GOV_ONDEMAND=y line redundant. The make menuconfig tool automatically removes such redundant lines. This behavior applies to CPU frequency governor configurations in general - setting a default governor automatically enables that governor.

Applied to files:

• config/kernel/linux-sunxi-legacy.config

📚 Learning: 2025-11-20T18:20:11.985Z

Learnt from: EvilOlaf
Repo: armbian/build PR: 8968
File: patch/u-boot/u-boot-sunxi/arm64-dts-sun50i-h6-orangepi.dtsi-Rollback-r_rsb-to-r_i2c.patch:36-36
Timestamp: 2025-11-20T18:20:11.985Z
Learning: The rewrite-patches tool (REWRITE_PATCHES=yes) in the Armbian build system can inadvertently introduce semantic changes when the u-boot/kernel git base revision differs from expected state. The tool applies patches, commits them, and re-exports them using git format-patch, which can cause the re-exported patch to reflect the base revision's state rather than preserving the original patch intent. This is particularly problematic for device tree changes like interrupt specifications. The tool currently lacks validation mechanisms to detect such semantic drift, and affected patches must be manually corrected after rewriting.

Applied to files:

• config/kernel/linux-meson64-edge.config

📚 Learning: 2025-10-03T11:42:46.660Z

Learnt from: igorpecovnik
Repo: armbian/build PR: 8705
File: .github/workflows/rewrite-kernel-configs.yml:96-169
Timestamp: 2025-10-03T11:42:46.660Z
Learning: In the Armbian build repository's kernel config rewrite workflow (.github/workflows/rewrite-kernel-configs.yml), deletion of kernel config files does not need to be handled. The workflow intentionally only captures ACMR (added/copied/modified/renamed) changes and does not need to propagate deletions to the aggregator.

Applied to files:

• config/kernel/linux-meson64-edge.config

📚 Learning: 2025-10-04T17:59:19.369Z

Learnt from: igorpecovnik
Repo: armbian/build PR: 8705
File: .github/workflows/rewrite-kernel-configs.yml:217-220
Timestamp: 2025-10-04T17:59:19.369Z
Learning: In the Armbian build repository's kernel config rewrite workflow (.github/workflows/rewrite-kernel-configs.yml), the workflow is designed to rewrite existing kernel configs only. New/untracked files can be safely ignored, so using `git diff --quiet` (which ignores untracked files) is the correct approach for detecting changes rather than `git status --porcelain`.

Applied to files:

• config/kernel/linux-meson64-edge.config

📚 Learning: 2025-12-01T02:34:37.451Z

Learnt from: tabrisnet
Repo: armbian/build PR: 9000
File: config/desktop/questing/environments/xfce/debian/postinst:17-18
Timestamp: 2025-12-01T02:34:37.451Z
Learning: In the Armbian build system shell scripts, the sed pattern with -i flag placed after the script argument (e.g., `sed "s/.../.../" -i file`) is intentional and correct. While non-POSIX, this GNU sed extension is used throughout the codebase and works correctly in the Armbian build environment. This pattern should not be flagged as incorrect.

Applied to files:

• config/kernel/linux-meson64-edge.config

📚 Learning: 2025-06-24T10:08:40.313Z

Learnt from: EvilOlaf
Repo: armbian/build PR: 8328
File: lib/functions/compilation/patch/drivers_network.sh:542-545
Timestamp: 2025-06-24T10:08:40.313Z
Learning: In the Armbian build system, when a PR removes build support for a specific kernel version, version check issues for that removed version become practically irrelevant even if they appear incorrect in isolation. Context about which kernel versions are being deprecated/removed is important for understanding the impact of version-related code changes.

Applied to files:

• config/kernel/linux-meson64-edge.config

📚 Learning: 2025-12-19T13:56:45.124Z

Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-12-19T13:56:45.124Z
Learning: When reviewing kernel or u-boot version bump PRs in the Armbian build system, check if patches existed in previous kernel version directories (e.g., sunxi-6.12, sunxi-6.13) before describing them as new features. If a patch and the majority of its contents existed previously with no major functionality changes, focus the review on the actual changes: the version bump itself and patch compatibility adjustments. Don't describe existing patches being ported/maintained across versions as new features or drivers—this is misleading. The patches are existing code being re-aligned to work with the new upstream version.

Applied to files:

• config/kernel/linux-meson64-edge.config
• config/kernel/linux-sunxi64-current.config

📚 Learning: 2025-12-17T05:09:02.306Z

Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-12-17T05:09:02.306Z
Learning: In the Armbian build system, kernel patches (e.g., in patch/kernel/archive/sunxi-6.18/patches.armbian/) contain device tree overlays and other code that have existed for years and are maintained/ported across kernel versions. When reviewing PRs that modify these patch files, focus on the actual changes being made (e.g., Makefile fixes, new additions) rather than reviewing the entire existing content within the patch as if it were new code. The patch file contents are existing, stable code unless explicitly modified in the PR diff.

Applied to files:

• config/kernel/linux-meson64-edge.config

📚 Learning: 2025-07-25T03:51:50.830Z

Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub API (https://api.github.com/repos/armbian/build/pulls/{pr_number}/files) to get the complete picture of what files are being added or modified, especially for U-Boot patches that will be applied during the build process.

Applied to files:

• config/kernel/linux-meson64-edge.config

📚 Learning: 2025-07-25T03:51:50.830Z

Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub or the PR API to get the complete picture of what files are being added or modified.

Applied to files:

• config/kernel/linux-meson64-edge.config

📚 Learning: 2025-12-16T13:40:07.649Z

Learnt from: igorpecovnik
Repo: armbian/build PR: 9087
File: .github/workflows/pr-check-pictures.yml:138-146
Timestamp: 2025-12-16T13:40:07.649Z
Learning: In the Armbian build repository, when introducing new requirements or checks (like the board assets verification workflow), the project prefers an initial educational-only period where violations post helpful PR comments and warnings but don't block merges. This allows contributors to become familiar with new requirements before enforcement is enabled (typically after ~6 months).

Applied to files:

• config/kernel/linux-meson64-edge.config

📚 Learning: 2025-12-17T15:46:22.709Z

Learnt from: EvilOlaf
Repo: armbian/build PR: 9096
File: patch/kernel/archive/sunxi-6.18/patches.armbian/arm64-dts-sun50i-h616-add-overlays.patch:4-5
Timestamp: 2025-12-17T15:46:22.709Z
Learning: In Armbian kernel patches, when patches are renamed or reorganized, the old Subject line may be intentionally preserved in the patch header (as a second Subject line) for archival/historical purposes to document the previous patch name. This is an Armbian-specific practice for tracking patch evolution and should not be flagged as an error when the maintainer has intentionally included it for documentation.

Applied to files:

• config/kernel/linux-meson64-edge.config

📚 Learning: 2025-03-31T22:20:48.475Z

Learnt from: rpardini
Repo: armbian/build PR: 8044
File: patch/u-boot/v2025.04/cmd-fileenv-read-string-from-file-into-env.patch:76-86
Timestamp: 2025-03-31T22:20:48.475Z
Learning: For the Armbian build project, maintaining consistency with existing patches across U-Boot versions (such as between 2025.01 and 2025.04) is prioritized over refactoring individual patches for code improvements.

Applied to files:

• config/kernel/linux-meson64-edge.config

📚 Learning: 2025-11-11T20:56:20.303Z

Learnt from: glneo
Repo: armbian/build PR: 8913
File: config/sources/families/include/k3_common.inc:57-60
Timestamp: 2025-11-11T20:56:20.303Z
Learning: In config/sources/families/include/k3_common.inc, the OP-TEE build command at line 59 should be updated in a future PR to explicitly set CROSS_COMPILE64=aarch64-linux-gnu- and CROSS_COMPILE32=arm-linux-gnueabihf- instead of relying on OP-TEE's internal defaults, for better clarity and maintainability. User glneo agreed to address this in a separate PR.

Applied to files:

• config/kernel/linux-meson64-edge.config

📚 Learning: 2025-08-02T05:46:10.664Z

Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-02T05:46:10.664Z
Learning: In the Armbian build system, the modern recommended approach for kernel configuration is to use the kernel-config command via "./compile.sh BOARD=boardname BRANCH=branchname kernel-config" instead of the deprecated KERNEL_CONFIGURE=yes flag. This provides a two-step workflow: configure using menuconfig, then build, with better transparency and control over configuration changes.

Applied to files:

• config/kernel/linux-sunxi64-current.config

📚 Learning: 2025-09-22T22:08:54.273Z

Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-09-22T22:08:54.273Z
Learning: When extracting comments from Linux Kconfig files, def_bool and def_tristate entries use their parameter as a dependency/default condition, not as a feature description. Comments should be generated differently for these entry types to avoid misleading inline documentation.

Applied to files:

• config/kernel/linux-sunxi64-legacy.config

🔇 Additional comments (1)

config/kernel/linux-meson64-edge.config (1)

10-10: Technical change is correct.

The addition of CONFIG_BPF_UNPRIV_DEFAULT_OFF=y properly addresses the PR objective to disable unprivileged BPF and fix the CPU vulnerability warning. The setting is placed logically within the BPF configuration group.

As discussed in previous review comments, the workflow approach (manual config edits + armbian-kernel.sh change) has been accepted by the maintainer for immediate availability, despite being non-standard.

[tabrisnet]

Deleted the line.

I didn't mean to remove it from lib/functions/compilation/armbian-kernel.sh
but rather to delete from config/kernel/*.config
You did this big sed -e 's/# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set/CONFIG_BPF_UNPRIV_DEFAULT_OFF=y/' config/kernel/*{current,edge}.config
And I'm saying to rather sed '/# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set/d'

[tabrisnet]

ok, and bring back the armbian-kernel.sh change

[rpardini]

Please drop the changes to .config files and keep only the hook. It will take effect immediately and rewrite job will do, well, it's job, eventually.

I cannot say the actual change is good or bad, though.

[tabrisnet]

I'm not gonna say whether this is good/bad, but I did some digging into this option.
the name feels a hair misleading: it initially suggested to me that there was a subset of eBPF that is unprivileged, that has lower security implications, and this option gets rid of that or the checking for it.
But that's not the case, rather this option further restricts what uid/privileges is required to upload eBPF. In that sense, this is probably a good thing. But it also makes potential users need more permissions [thus changing what "minimum privilege" roles/permissions these programs require].
BUT: I don't know what programs use this or what use-cases this breaks.
It would be good to have an idea thereof.

https://lwn.net/Articles/660331/
https://lwn.net/Articles/796328/
@coderabbitai let's see if the bot has any potential insight.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🌐 Web query:

CONFIG_BPF_UNPRIV_DEFAULT_OFF security implications unprivileged eBPF

💡 Result:

CONFIG_BPF_UNPRIV_DEFAULT_OFF is a Linux kernel build-time hardening option that disables unprivileged use of the bpf() syscall (and thus unprivileged eBPF loading) by default by setting kernel.unprivileged_bpf_disabled=2 at boot. With this default, only privileged processes (e.g., with CAP_SYS_ADMIN / CAP_BPF, depending on kernel) can load eBPF unless an administrator explicitly relaxes it. [1], [2]

Why it matters (security implications)

• Reduces local kernel attack surface / LPE risk: Unprivileged eBPF has historically been a frequent source of local privilege escalation via verifier/JIT bugs; a common mitigation for such issues is setting kernel.unprivileged_bpf_disabled=1 (deny unprivileged bpf() entirely). [3]
• Mitigates some speculative-execution side-channel exposure: The Kconfig help text explicitly calls out that unprivileged BPF “could be used to exploit certain potential speculative execution side-channel vulnerabilities” on affected/unmitigated hardware. [1]

Operational behavior you should know

kernel.unprivileged_bpf_disabled semantics (as documented in the kernel sysctl docs/patch):

• 0: unprivileged bpf() allowed
• 1: unprivileged bpf() blocked and cannot be re-enabled until reboot (no transition back to 0 while running)
• 2: unprivileged bpf() blocked but admin can later switch to 0 or 1 if needed
  If CONFIG_BPF_UNPRIV_DEFAULT_OFF=y, the default becomes 2 instead of 0. [2]

Practical impact

• Breaks/limits unprivileged observability tooling (e.g., non-root BPF-based tracing/monitoring) unless you grant privileges or change the sysctl.
• Aligns with common hardening guidance that treats unprivileged BPF as an unnecessary capability and recommends disabling it to reduce attack vectors. [4]

Sources:
[1] LKDDb entry for CONFIG_BPF_UNPRIV_DEFAULT_OFF (help text and behavior)
[2] Linux kernel docs/patch describing unprivileged_bpf_disabled values and defaulting to 2 when BPF_UNPRIV_DEFAULT_OFF is enabled
[3] Arch Linux CVE-2017-16996 notes unprivileged eBPF verifier bug leading to privilege escalation; mitigation via kernel.unprivileged_bpf_disabled=1
[4] RHEL 8 STIG item recommending kernel.unprivileged_bpf_disabled=1 to prevent privilege escalation via BPF syscall

---

🌐 Web query:

unprivileged eBPF use cases programs tools 2024 2025

💡 Result:

Reality check (kernel eBPF)

• On most hardened/distros configs, unprivileged users are expected not to load/attach in-kernel eBPF (commonly enforced via kernel.unprivileged_bpf_disabled=1). This is explicitly recommended in security baselines (e.g., RHEL STIG guidance) to reduce attack surface. [1]

Practical “unprivileged eBPF” patterns (2024–2025)

1) Privileged loader + unprivileged app (maps/FD sharing)

Use case: ship an eBPF program with a privileged component (daemon/daemonset/operator) that loads & attaches it, then let an unprivileged workload read stats / configure behavior via shared maps (FD passing, pinning, CSI mounts, etc.).

• Kubernetes / OpenShift example: bpfman (aka bpfd) loads XDP/TC programs; the application gets unprivileged access to the generated maps (e.g., via a CSI ephemeral volume) to read counters/telemetry. [2]
• Red Hat’s guidance frames it as separating privileged operations (load/attach/unload) from unprivileged operations (map interaction), often using bpfd/bpfman as the control plane. [3]
• Tooling: bpfman / bpfd (+ operator/CRDs on OpenShift) to manage lifecycle and policy around which programs get loaded. [4]

2) “Unprivileged clients” by delegating CAP_BPF to a manager

Use case: keep CAP_BPF in a single audited service, while normal users/services stay unprivileged and call it over an API.

• bpfman explicitly documents that clients don’t need CAP_BPF when the daemon performs load/unload; it also notes kernel-version details around which BPF operations require CAP_BPF. [5]

3) Run eBPF in user space (no kernel privileges)

Use case: tracing/profiling/extensions in environments where you can’t get root/CAP_BPF (dev boxes, shared hosts, locked-down containers).

• bpftime is a user-space eBPF runtime positioned to run eBPF-based tooling “in unprivileged userspace,” including running unmodified bpftrace scripts and user-space ports of common BCC/libbpf-tools in user space. [6]
• Tooling/examples mentioned by bpftime docs: bpftrace; user-space variants of tools like opensnoop, mountsnoop, syscount, etc. [6]

Representative tools/projects to look at (actively discussed/used in 2024–2025)

• bpfman / bpfd (daemon, gRPC API, Kubernetes operator/CRDs; OpenShift “eBPF manager”). [2][4]
• bpftime (userspace eBPF runtime; compatibility focus with existing eBPF tools like bpftrace). [6]

Sources:
[1] Tenable DISA STIG guidance for disabling unprivileged BPF syscall (kernel.unprivileged_bpf_disabled=1). (tenable.com)
[2] Red Hat Developer (Jun 2024) bpfman on OpenShift; unprivileged access to maps via CSI ephemeral volume. (developers.redhat.com)
[3] Red Hat Emerging Tech: separating privileged load/attach from unprivileged map interaction; bpfd as control process. (next.redhat.com)
[4] Red Hat OpenShift docs: eBPF manager operator architecture (bpfman daemon, CRDs, agent, operator). (docs.redhat.com)
[5] bpfman docs: removing CAP_BPF from clients; kernel-version notes on CAP_BPF requirements. (bpfman.io)
[6] bpftime docs: userspace runtime; run unmodified bpftrace and user-space versions of common tools. (eunomia.dev)

Citations:

• 1: https://www.tenable.com/audits/items/DISA_STIG_Red_Hat_Enterprise_Linux_8_v1r1.audit%3Ac30b46b7e518cf979469b28a4352e5fc?utm_source=openai
• 2: https://developers.redhat.com/articles/2024/06/25/get-started-bpfman-ebpf-manager-openshift-416?utm_source=openai
• 3: https://next.redhat.com/2023/07/18/using-ebpf-in-unprivileged-pods/?utm_source=openai
• 4: https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/networking_operators/ebpf-manager-operator?utm_source=openai
• 5: https://bpfman.io/v0.5.4/developer-guide/linux-capabilities/?utm_source=openai
• 6: https://eunomia.dev/en/bpftime/documents/introduction/?utm_source=openai

---

@tabrisnet: Great question! Based on current security practices and real-world eBPF usage patterns, here's the insight:

Security Implications (TL;DR: This is a good hardening measure)

What CONFIG_BPF_UNPRIV_DEFAULT_OFF actually does:

• Sets kernel.unprivileged_bpf_disabled=2 at boot (not 1)
• Value 2 means: blocked by default, but admin can switch to 0 or 1 later if needed via sysctl
• Value 1 would be permanent until reboot (no going back)

Why it matters for security:

• Unprivileged eBPF has been a frequent source of local privilege escalation (LPE) vulnerabilities via verifier/JIT bugs
• Mitigates speculative execution side-channel attacks on affected hardware
• Explicitly recommended by security hardening guides (RHEL STIG, industry baselines)
• Reduces kernel attack surface for unprivileged users

What Use-Cases Might Break?

Short answer: Very few legitimate ones, especially on embedded ARM devices.

Modern eBPF tooling (2024-2025) has moved away from requiring unprivileged kernel BPF loading:

1. Privileged loader pattern (most common): Tools like bpfman/bpfd load eBPF as root, then unprivileged processes access shared maps for telemetry/stats (no unprivileged loading needed)

2. Userspace eBPF runtimes: Tools like bpftime run eBPF programs entirely in userspace without kernel privileges (can even run unmodified bpftrace scripts unprivileged)

3. Traditional observability tools: Most tools (bpftrace, bcc-tools, etc.) already run as root or with CAP_BPF anyway

Reality check for Armbian:

• Embedded ARM SBCs rarely run unprivileged eBPF workloads
• Most monitoring/debugging on these devices is done as root
• Container/Kubernetes eBPF patterns use privileged managers, not unprivileged loading
• If someone truly needs it, they can sysctl -w kernel.unprivileged_bpf_disabled=0 (because this sets it to 2, not 1)

Recommendation

✅ This change aligns with security best practices and is appropriate for Armbian. The security benefit (reducing LPE attack surface) significantly outweighs the minimal functionality loss. The fact that it uses =2 rather than =1 provides an escape hatch for the rare edge case where someone actually needs unprivileged eBPF.

The original bug report about the CPU vulnerability warning is a valid concern—having unprivileged eBPF enabled by default is increasingly seen as a security misconfiguration in modern systems.

---

🧠 Learnings used

Learnt from: igorpecovnik
Repo: armbian/build PR: 8705
File: .github/workflows/rewrite-kernel-configs.yml:96-169
Timestamp: 2025-10-03T11:42:46.660Z
Learning: In the Armbian build repository's kernel config rewrite workflow (.github/workflows/rewrite-kernel-configs.yml), deletion of kernel config files does not need to be handled. The workflow intentionally only captures ACMR (added/copied/modified/renamed) changes and does not need to propagate deletions to the aggregator.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sunxi64-current.config:94-94
Timestamp: 2025-09-27T21:50:15.915Z
Learning: When kernel config files are generated through Armbian's automated process (previous config → armbian-kernel.sh changes → make oldconfig → Armbian machinery processing), manual config file edits are not appropriate since they would be overwritten. Deprecated option handling should be implemented in the automated tooling instead.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T04:13:16.457Z
Learning: Armbian kernel configuration files like linux-filogic-current.config are autogenerated overlays on top of arch defconfig. Comments added manually will be lost during future updates by maintainers, and explicit "CONFIG_OPTION is not set" statements aren't needed for mutually exclusive options since these are overlay configs that only specify changes from the base configuration.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sm8250-edge.config:80-82
Timestamp: 2025-09-27T21:50:04.845Z
Learning: In the Armbian build system, kernel configuration files are generated through this automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

---

Learnt from: igorpecovnik
Repo: armbian/build PR: 8705
File: .github/workflows/rewrite-kernel-configs.yml:217-220
Timestamp: 2025-10-04T17:59:19.369Z
Learning: In the Armbian build repository's kernel config rewrite workflow (.github/workflows/rewrite-kernel-configs.yml), the workflow is designed to rewrite existing kernel configs only. New/untracked files can be safely ignored, so using `git diff --quiet` (which ignores untracked files) is the correct approach for detecting changes rather than `git status --porcelain`.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sm8250-current.config:78-80
Timestamp: 2025-09-27T21:49:55.796Z
Learning: In the Armbian build system, kernel configuration files are generated through an automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

---

Learnt from: igorpecovnik
Repo: armbian/build PR: 8849
File: config/boards/radxa-e54c.csc:14-28
Timestamp: 2025-11-02T20:49:56.719Z
Learning: In Armbian board configuration files (config/boards/*.conf, *.csc, etc.), do not use kernel_config_set, kernel_config_set_m, kernel_config_set_y, or custom_kernel_config__* functions to modify kernel configuration. Kernel configuration is associated with LINUXFAMILY/BOARDFAMILY, not individual BOARD. Board-specific kernel modifications cause inconsistency in kernel packages published to the apt repository because boards within a family share the same kernel packages. Kernel configuration changes must be made in the appropriate kernel config file (e.g., config/kernel/linux-*-*.config) or in family configuration files (config/sources/families/*.conf, *.inc) instead.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-bcm2711-edge.config:859-861
Timestamp: 2025-09-27T21:47:58.020Z
Learning: In the Armbian build system, kernel configuration files in config/kernel/ are generated through an automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 9136
File: lib/functions/compilation/armbian-kernel.sh:529-537
Timestamp: 2025-12-28T01:49:34.661Z
Learning: In lib/functions/compilation/armbian-kernel.sh's opts_m handling, checking .config (kernel defconfig) is problematic because savedefconfig elides options matching defconfig, making it impossible to distinguish overlay silence from defconfig agreement. The correct approach is to check only kernel_config_source_filename (the overlay) for explicit =y, otherwise default to =m, letting savedefconfig handle deduplication with defconfig automatically.

---

Learnt from: rpardini
Repo: armbian/build PR: 9159
File: patch/u-boot/u-boot-genio/0026-dts-configs-add-Grinn-GenioSBC-510.patch:161-161
Timestamp: 2026-01-03T20:46:29.189Z
Learning: For the Armbian genio family (config/sources/families/genio.conf and patch/u-boot/u-boot-genio/), when reviewing PRs that include vendor U-Boot patches from Collabora, avoid flagging potential issues in board configurations that are out of scope for the PR's primary focus (e.g., don't flag Genio 510/700 board issues when the PR is focused on radxa-nio-12l/Genio 1200). The maintainer prioritizes keeping vendor patches close to upstream for easier re-copying and maintenance, even if secondary board configs have potential mismatches.
<!-- </add_learning>

---

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.

---

Learnt from: EvilOlaf
Repo: armbian/build PR: 8968
File: patch/u-boot/u-boot-sunxi/arm64-dts-sun50i-h6-orangepi.dtsi-Rollback-r_rsb-to-r_i2c.patch:36-36
Timestamp: 2025-11-20T18:20:11.985Z
Learning: The rewrite-patches tool (REWRITE_PATCHES=yes) in the Armbian build system can inadvertently introduce semantic changes when the u-boot/kernel git base revision differs from expected state. The tool applies patches, commits them, and re-exports them using git format-patch, which can cause the re-exported patch to reflect the base revision's state rather than preserving the original patch intent. This is particularly problematic for device tree changes like interrupt specifications. The tool currently lacks validation mechanisms to detect such semantic drift, and affected patches must be manually corrected after rewriting.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:48:09.091Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the user prefers flexible grep patterns over anchored ones for BTRFS configuration checks, but agrees to use quiet grep (-q) to avoid polluting build logs.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T06:56:33.372Z
Learning: In Armbian kernel configuration, the BTRFS configuration logic preserves existing settings (whether built-in 'y' or module 'm') and only sets BTRFS_FS to module when it was previously disabled or not set, achieving "allow but not require" flexibility while maintaining backward compatibility.

---

Learnt from: EvilOlaf
Repo: armbian/build PR: 8328
File: lib/functions/compilation/patch/drivers_network.sh:542-545
Timestamp: 2025-06-24T10:08:40.313Z
Learning: In the Armbian build system, when a PR removes build support for a specific kernel version, version check issues for that removed version become practically irrelevant even if they appear incorrect in isolation. Context about which kernel versions are being deprecated/removed is important for understanding the impact of version-related code changes.

---

Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub or the PR API to get the complete picture of what files are being added or modified.

---

Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub API (https://api.github.com/repos/armbian/build/pulls/{pr_number}/files) to get the complete picture of what files are being added or modified, especially for U-Boot patches that will be applied during the build process.

---

Learnt from: igorpecovnik
Repo: armbian/build PR: 9087
File: .github/workflows/pr-check-pictures.yml:138-146
Timestamp: 2025-12-16T13:40:07.649Z
Learning: In the Armbian build repository, when introducing new requirements or checks (like the board assets verification workflow), the project prefers an initial educational-only period where violations post helpful PR comments and warnings but don't block merges. This allows contributors to become familiar with new requirements before enforcement is enabled (typically after ~6 months).

---

Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-12-19T13:56:45.124Z
Learning: When reviewing kernel or u-boot version bump PRs in the Armbian build system, check if patches existed in previous kernel version directories (e.g., sunxi-6.12, sunxi-6.13) before describing them as new features. If a patch and the majority of its contents existed previously with no major functionality changes, focus the review on the actual changes: the version bump itself and patch compatibility adjustments. Don't describe existing patches being ported/maintained across versions as new features or drivers—this is misleading. The patches are existing code being re-aligned to work with the new upstream version.

---

Learnt from: libiunc
Repo: armbian/build PR: 8033
File: config/kernel/linux-starfive2-vendor.config:43-43
Timestamp: 2025-03-31T12:57:13.880Z
Learning: For StarFive2 platform kernel configurations, maintain alignment with vendor-provided configurations rather than modifying security settings like SECCOMP. This ensures hardware compatibility as intended by the manufacturer.

[tabrisnet]

What documentation should be prepared for this change? Do we typically document these types of changes that may adversely affect userspace?
@coderabbitai

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash

# Find documentation directories and key files
echo "=== Documentation structure ==="
find . -maxdepth 3 -type d -iname "*doc*" -o -iname "*changelog*" -o -iname "*release*" 2>/dev/null | head -20

echo -e "\n=== Check for CHANGELOG, NEWS, RELEASE_NOTES files ==="
fd -t f -d 2 "^(CHANGELOG|NEWS|RELEASE|HISTORY|CHANGES)" -i

echo -e "\n=== Check for documentation about kernel config changes ==="
rg -l -i "kernel.*config.*change|configuration.*change" --type=md --max-depth=3 | head -10

echo -e "\n=== Look for previous BPF or security-related documentation ==="
rg -n -C2 "BPF|unprivileged|security.*change|breaking.*change" --type=md -g "!*.lock" | head -50

echo -e "\n=== Check for developer/contributor documentation ==="
fd -t f "CONTRIBUTING|DEVELOP|MAINTAINER" -i

echo -e "\n=== Check docs directory structure if it exists ==="
if [ -d "docs" ]; then
  tree docs -L 2 -I "node_modules|*.pyc"
fi

Length of output: 1460

---

🏁 Script executed:

#!/bin/bash

# Check the Releases.md and Releases-wip.md to understand the format
echo "=== Check Releases.md structure ==="
head -100 .github/Releases.md

echo -e "\n=== Check Releases-wip.md structure ==="
head -100 .github/Releases-wip.md

echo -e "\n=== Look for examples of kernel config changes in release notes ==="
rg -n -C3 "CONFIG_|kernel.*config|kernel.*option" .github/Releases*.md | head -50

echo -e "\n=== Check CONTRIBUTING.md for guidance on documentation ==="
rg -n -C5 "document|changelog|release.*note" CONTRIBUTING.md -i | head -40

Length of output: 3477

---

🏁 Script executed:

#!/bin/bash

# Search for forums, documentation sites, or release note processes
echo "=== Search for documentation processes or guidelines ==="
rg -n -C5 "forum|announce|breaking|behavior.*change|user.*facing" CONTRIBUTING.md -i | head -60

echo -e "\n=== Check for any existing kernel security changes documentation ==="
rg -l "security|hardening|privilege|capability" .github/*.md config/sources/*.conf lib/functions/*.sh | head -10

echo -e "\n=== Look at the workflow files for release/documentation automation ==="
ls -la .github/workflows/*.yml | grep -E "(release|doc|announce|changelog)"

echo -e "\n=== Check if there's a template or standard for documenting changes ==="
fd -t f "TEMPLATE|template" .github/

echo -e "\n=== Search for previous kernel config changes in git log ==="
git log --oneline --grep="CONFIG_.*DEFAULT" --all | head -20

echo -e "\n=== Check armbian-kernel.sh for any documentation patterns ==="
rg -n "# .*document|# .*note|# .*breaking|# .*user" lib/functions/compilation/armbian-kernel.sh | head -20

Length of output: 2476

---

@tabrisnet: Based on my investigation of Armbian's documentation practices, here's what I found:

Current Documentation Practices

Armbian does not have a formal CHANGELOG or release notes process for individual kernel configuration changes. The .github/Releases.md files are auto-generated build status pages, not changelogs. There are no previous examples of kernel config changes being formally documented beyond the PR itself.

Recommended Documentation for This Change

For this specific change, minimal additional documentation is needed because:

1. The PR itself serves as primary documentation - It contains:

   • Clear problem statement (vulnerability warning)
   • Root cause analysis (missing CONFIG_BPF_UNPRIV_DEFAULT_OFF)
   • Solution approach (armbian-kernel.sh modification)
   • Technical discussion in comments

2. The code is self-documenting - The change is in armbian_kernel_config__600_enable_ebpf_and_btf_info() which clearly signals the security context

3. This is a security fix, not a breaking change:

   • Aligns with kernel defaults for 5.16+ (released Jan 2022)
   • Fixes incorrect vulnerability reporting
   • Minimal userspace impact on ARM embedded systems
   • Value =2 provides admin escape hatch via sysctl if needed

Optional: Forum Announcement

If maintainers want to proactively communicate this change, consider a brief note in the forum announcements section for the next release:

Security hardening: Unprivileged eBPF now disabled by default
CONFIG_BPF_UNPRIV_DEFAULT_OFF is now enabled, aligning with kernel defaults and security best practices. This fixes incorrect CPU vulnerability warnings. Administrators can re-enable via sysctl -w kernel.unprivileged_bpf_disabled=0 if needed.

Commit Message Suggestion

Ensure the commit message is descriptive:

board configs: disable unprivileged BPF by default

Fix incorrect CPU vulnerability warning showing "Unprivileged eBPF enabled"
by setting CONFIG_BPF_UNPRIV_DEFAULT_OFF=y in armbian-kernel.sh.

This aligns with kernel defaults (5.16+) and security hardening best
practices. The option sets kernel.unprivileged_bpf_disabled=2, which
allows administrators to re-enable if needed via sysctl.

Bottom line: The PR description and commit message provide sufficient documentation for this type of security-aligned kernel configuration change. No additional formal documentation is required based on Armbian's current practices.

---

🧠 Learnings used

Learnt from: igorpecovnik
Repo: armbian/build PR: 8705
File: .github/workflows/rewrite-kernel-configs.yml:96-169
Timestamp: 2025-10-03T11:42:46.660Z
Learning: In the Armbian build repository's kernel config rewrite workflow (.github/workflows/rewrite-kernel-configs.yml), deletion of kernel config files does not need to be handled. The workflow intentionally only captures ACMR (added/copied/modified/renamed) changes and does not need to propagate deletions to the aggregator.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sunxi64-current.config:94-94
Timestamp: 2025-09-27T21:50:15.915Z
Learning: When kernel config files are generated through Armbian's automated process (previous config → armbian-kernel.sh changes → make oldconfig → Armbian machinery processing), manual config file edits are not appropriate since they would be overwritten. Deprecated option handling should be implemented in the automated tooling instead.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-08-30T04:13:16.457Z
Learning: Armbian kernel configuration files like linux-filogic-current.config are autogenerated overlays on top of arch defconfig. Comments added manually will be lost during future updates by maintainers, and explicit "CONFIG_OPTION is not set" statements aren't needed for mutually exclusive options since these are overlay configs that only specify changes from the base configuration.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sm8250-edge.config:80-82
Timestamp: 2025-09-27T21:50:04.845Z
Learning: In the Armbian build system, kernel configuration files are generated through this automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

---

Learnt from: igorpecovnik
Repo: armbian/build PR: 8705
File: .github/workflows/rewrite-kernel-configs.yml:217-220
Timestamp: 2025-10-04T17:59:19.369Z
Learning: In the Armbian build repository's kernel config rewrite workflow (.github/workflows/rewrite-kernel-configs.yml), the workflow is designed to rewrite existing kernel configs only. New/untracked files can be safely ignored, so using `git diff --quiet` (which ignores untracked files) is the correct approach for detecting changes rather than `git status --porcelain`.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-sm8250-current.config:78-80
Timestamp: 2025-09-27T21:49:55.796Z
Learning: In the Armbian build system, kernel configuration files are generated through an automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

---

Learnt from: igorpecovnik
Repo: armbian/build PR: 8849
File: config/boards/radxa-e54c.csc:14-28
Timestamp: 2025-11-02T20:49:56.719Z
Learning: In Armbian board configuration files (config/boards/*.conf, *.csc, etc.), do not use kernel_config_set, kernel_config_set_m, kernel_config_set_y, or custom_kernel_config__* functions to modify kernel configuration. Kernel configuration is associated with LINUXFAMILY/BOARDFAMILY, not individual BOARD. Board-specific kernel modifications cause inconsistency in kernel packages published to the apt repository because boards within a family share the same kernel packages. Kernel configuration changes must be made in the appropriate kernel config file (e.g., config/kernel/linux-*-*.config) or in family configuration files (config/sources/families/*.conf, *.inc) instead.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 8678
File: config/kernel/linux-bcm2711-edge.config:859-861
Timestamp: 2025-09-27T21:47:58.020Z
Learning: In the Armbian build system, kernel configuration files in config/kernel/ are generated through an automated process: taking previous config → applying scripted changes from armbian-kernel.sh → running kernel's `make oldconfig` → processing by Armbian machinery back into config files. This automated process properly handles kernel configuration dependencies and reduces the likelihood of manual configuration errors.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 9136
File: lib/functions/compilation/armbian-kernel.sh:529-537
Timestamp: 2025-12-28T01:49:34.661Z
Learning: In lib/functions/compilation/armbian-kernel.sh's opts_m handling, checking .config (kernel defconfig) is problematic because savedefconfig elides options matching defconfig, making it impossible to distinguish overlay silence from defconfig agreement. The correct approach is to check only kernel_config_source_filename (the overlay) for explicit =y, otherwise default to =m, letting savedefconfig handle deduplication with defconfig automatically.

---

Learnt from: rpardini
Repo: armbian/build PR: 9159
File: patch/u-boot/u-boot-genio/0026-dts-configs-add-Grinn-GenioSBC-510.patch:161-161
Timestamp: 2026-01-03T20:46:29.189Z
Learning: For the Armbian genio family (config/sources/families/genio.conf and patch/u-boot/u-boot-genio/), when reviewing PRs that include vendor U-Boot patches from Collabora, avoid flagging potential issues in board configurations that are out of scope for the PR's primary focus (e.g., don't flag Genio 510/700 board issues when the PR is focused on radxa-nio-12l/Genio 1200). The maintainer prioritizes keeping vendor patches close to upstream for easier re-copying and maintenance, even if secondary board configs have potential mismatches.
<!-- </add_learning>

---

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the kernel_config_modifying_hashes array is not universally required for all kernel configuration functions - some functions like armbian_kernel_config__netkit() operate without it, and adding entries with '=m' would be incorrect when the actual result might be '=y' for options already built-in.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: In lib/functions/compilation/armbian-kernel.sh, the kernel_config_modifying_hashes array is not universally required for all kernel configuration functions - some functions like armbian_kernel_config__netkit() operate without it, and adding entries with '=m' would be incorrect when the actual result might be '=y' for options already built-in.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: The kernel_config_set_m function in lib/functions/compilation/armbian-kernel.sh preserves existing 'y' (built-in) settings and only sets options to 'm' (module) when they are not already built-in, achieving "prefer modules but allow built-ins" behavior.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-201
Timestamp: 2025-09-22T21:52:01.225Z
Learning: The kernel_config_set_m function in lib/functions/compilation/armbian-kernel.sh preserves existing 'y' (built-in) settings and only sets options to 'm' (module) when they are not already built-in, achieving "prefer modules but allow built-ins" behavior.

---

Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-12-19T13:56:45.124Z
Learning: When reviewing kernel or u-boot version bump PRs in the Armbian build system, check if patches existed in previous kernel version directories (e.g., sunxi-6.12, sunxi-6.13) before describing them as new features. If a patch and the majority of its contents existed previously with no major functionality changes, focus the review on the actual changes: the version bump itself and patch compatibility adjustments. Don't describe existing patches being ported/maintained across versions as new features or drivers—this is misleading. The patches are existing code being re-aligned to work with the new upstream version.

---

Learnt from: igorpecovnik
Repo: armbian/build PR: 9087
File: .github/workflows/pr-check-pictures.yml:138-146
Timestamp: 2025-12-16T13:40:07.649Z
Learning: In the Armbian build repository, when introducing new requirements or checks (like the board assets verification workflow), the project prefers an initial educational-only period where violations post helpful PR comments and warnings but don't block merges. This allows contributors to become familiar with new requirements before enforcement is enabled (typically after ~6 months).

---

Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub or the PR API to get the complete picture of what files are being added or modified.

---

Learnt from: EvilOlaf
Repo: armbian/build PR: 8428
File: config/boards/lckfb-taishanpi.csc:5-9
Timestamp: 2025-07-25T03:51:50.830Z
Learning: When reviewing PRs in the Armbian build system, U-Boot defconfig files and patches may be added as part of the PR changes but might not be visible in the current repository clone state during review. It's important to check the actual PR file changes directly via GitHub API (https://api.github.com/repos/armbian/build/pulls/{pr_number}/files) to get the complete picture of what files are being added or modified, especially for U-Boot patches that will be applied during the build process.

---

Learnt from: EvilOlaf
Repo: armbian/build PR: 8968
File: patch/u-boot/u-boot-sunxi/arm64-dts-sun50i-h6-orangepi.dtsi-Rollback-r_rsb-to-r_i2c.patch:36-36
Timestamp: 2025-11-20T18:20:11.985Z
Learning: The rewrite-patches tool (REWRITE_PATCHES=yes) in the Armbian build system can inadvertently introduce semantic changes when the u-boot/kernel git base revision differs from expected state. The tool applies patches, commits them, and re-exports them using git format-patch, which can cause the re-exported patch to reflect the base revision's state rather than preserving the original patch intent. This is particularly problematic for device tree changes like interrupt specifications. The tool currently lacks validation mechanisms to detect such semantic drift, and affected patches must be manually corrected after rewriting.

---

Learnt from: EvilOlaf
Repo: armbian/build PR: 0
File: :0-0
Timestamp: 2025-12-17T05:09:02.306Z
Learning: In the Armbian build system, kernel patches (e.g., in patch/kernel/archive/sunxi-6.18/patches.armbian/) contain device tree overlays and other code that have existed for years and are maintained/ported across kernel versions. When reviewing PRs that modify these patch files, focus on the actual changes being made (e.g., Makefile fixes, new additions) rather than reviewing the entire existing content within the patch as if it were new code. The patch file contents are existing, stable code unless explicitly modified in the PR diff.

---

Learnt from: rpardini
Repo: armbian/build PR: 8044
File: patch/u-boot/v2025.04/cmd-fileenv-read-string-from-file-into-env.patch:76-86
Timestamp: 2025-03-31T22:20:48.475Z
Learning: For the Armbian build project, maintaining consistency with existing patches across U-Boot versions (such as between 2025.01 and 2025.04) is prioritized over refactoring individual patches for code improvements.

---

Learnt from: libiunc
Repo: armbian/build PR: 8033
File: config/kernel/linux-starfive2-vendor.config:43-43
Timestamp: 2025-03-31T12:57:13.880Z
Learning: For StarFive2 platform kernel configurations, maintain alignment with vendor-provided configurations rather than modifying security settings like SECCOMP. This ensures hardware compatibility as intended by the manufacturer.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.

---

Learnt from: tabrisnet
Repo: armbian/build PR: 8661
File: lib/functions/compilation/armbian-kernel.sh:194-199
Timestamp: 2025-09-25T18:37:00.330Z
Learning: In PR armbian/build#8661, line 235 of lib/functions/compilation/armbian-kernel.sh already contains the corrected comment "BPF link support for netfilter hooks" for NETFILTER_BPF_LINK, not the misleading "BPF_SYSCALL" comment that was flagged during review.

---

Learnt from: EvilOlaf
Repo: armbian/build PR: 8328
File: lib/functions/compilation/patch/drivers_network.sh:542-545
Timestamp: 2025-06-24T10:08:40.313Z
Learning: In the Armbian build system, when a PR removes build support for a specific kernel version, version check issues for that removed version become practically irrelevant even if they appear incorrect in isolation. Context about which kernel versions are being deprecated/removed is important for understanding the impact of version-related code changes.