build: separate generic ARM64 from Raspberry Pi kernel builds
Splits the ARM64 build into two tracks per docs/arm64-architecture.md: Generic ARM64 (mainline kernel.org, UEFI, virtio, GRUB): - New build/scripts/build-kernel-arm64.sh builds mainline LTS (6.12.x by default) from arm64 defconfig + shared container fragment + arm64-virt enables (VIRTIO_*, EFI_STUB, NVMe). Output: build/cache/kernel-arm64-generic/. - New Makefile targets: kernel-arm64, rootfs-arm64 (now consumes the mainline kernel modules via TARGET_VARIANT=generic). - versions.env: pin MAINLINE_KERNEL_VERSION=6.12.10, declare cdn.kernel.org URL and SHA256 placeholder. Raspberry Pi (raspberrypi/linux fork, custom DTBs, autoboot.txt): - build-kernel-arm64.sh (RPi-flavoured) renamed to build-kernel-rpi.sh; cache dir renamed from custom-kernel-arm64 to custom-kernel-rpi. - New Makefile targets: kernel-rpi, rootfs-arm64-rpi (uses TARGET_VARIANT=rpi). - rpi-image now depends on rootfs-arm64-rpi + kernel-rpi instead of the generic rootfs-arm64. - create-rpi-image.sh + inject-kubesolo.sh updated to reference the new cache path. inject-kubesolo.sh now takes a TARGET_VARIANT env var (rpi|generic) to select which ARM64 kernel modules to consume. Shared substrate: - rpi-kernel-config.fragment renamed to kernel-container.fragment. The contents were never RPi-specific (cgroup, namespaces, AppArmor, netfilter) — just misnamed. Extended with extra subsystem disables (KVM, WLAN, CFG80211, INFINIBAND, PCMCIA, HAMRADIO, ISDN, ATM, INPUT_JOYSTICK, INPUT_TABLET, FPGA) and CONFIG_LSM=lockdown,yama,apparmor. - build-kernel.sh (x86) refactored to apply the shared fragment via a generic apply_fragment function (two-pass for the TC stock config security dance), killing ~50 lines of inline config duplication. Note: rename detection shows build-kernel-arm64.sh as 'modified' because the new file at that path is the mainline build, while the old RPi-flavoured content lives in build-kernel-rpi.sh (which appears as a new file). The git log for build-kernel-rpi.sh is empty; the RPi history is preserved at the original path until this commit. No actual kernel build runs in this commit — that's Phase 3 work. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -1,6 +1,15 @@
|
||||
# KubeSolo OS — Raspberry Pi kernel config overrides
|
||||
# Applied on top of bcm2711_defconfig (Pi 4) or bcm2712_defconfig (Pi 5)
|
||||
# These ensure container runtime support is enabled.
|
||||
# KubeSolo OS — Shared kernel config fragment for container workloads
|
||||
#
|
||||
# Applied on top of:
|
||||
# - Tiny Core stock config (x86_64) via build-kernel.sh
|
||||
# - mainline kernel.org arm64 defconfig via build-kernel-arm64.sh
|
||||
# - bcm2711_defconfig / bcm2712_defconfig via build-kernel-rpi.sh
|
||||
#
|
||||
# All entries here are architecture-agnostic.
|
||||
# Apply this fragment twice with `make olddefconfig` between passes — TC's stock
|
||||
# config has CONFIG_SECURITY disabled, which causes a single-pass olddefconfig
|
||||
# to strip the security subtree before its dependencies (SYSFS, MULTIUSER) are
|
||||
# resolved.
|
||||
|
||||
# cgroup v2 (mandatory for containerd/runc)
|
||||
CONFIG_CGROUPS=y
|
||||
@@ -52,6 +61,7 @@ CONFIG_SECURITYFS=y
|
||||
CONFIG_SECURITY_NETWORK=y
|
||||
CONFIG_SECURITY_APPARMOR=y
|
||||
CONFIG_DEFAULT_SECURITY_APPARMOR=y
|
||||
CONFIG_LSM=lockdown,yama,apparmor
|
||||
|
||||
# Security: seccomp
|
||||
CONFIG_SECCOMP=y
|
||||
@@ -60,10 +70,21 @@ CONFIG_SECCOMP_FILTER=y
|
||||
# Crypto (image verification)
|
||||
CONFIG_CRYPTO_SHA256=y
|
||||
|
||||
# Disable unnecessary subsystems for edge appliance
|
||||
# Disable unnecessary subsystems for headless edge appliance
|
||||
# CONFIG_SOUND is not set
|
||||
# CONFIG_DRM is not set
|
||||
# CONFIG_KVM is not set
|
||||
# CONFIG_MEDIA_SUPPORT is not set
|
||||
# CONFIG_WIRELESS is not set
|
||||
# CONFIG_WLAN is not set
|
||||
# CONFIG_CFG80211 is not set
|
||||
# CONFIG_BT is not set
|
||||
# CONFIG_NFC is not set
|
||||
# CONFIG_INFINIBAND is not set
|
||||
# CONFIG_PCMCIA is not set
|
||||
# CONFIG_HAMRADIO is not set
|
||||
# CONFIG_ISDN is not set
|
||||
# CONFIG_ATM is not set
|
||||
# CONFIG_INPUT_JOYSTICK is not set
|
||||
# CONFIG_INPUT_TABLET is not set
|
||||
# CONFIG_FPGA is not set
|
||||
@@ -41,5 +41,13 @@ RPI_FIRMWARE_URL=https://github.com/raspberrypi/firmware/archive/refs/tags/${RPI
|
||||
RPI_KERNEL_BRANCH=rpi-6.6.y
|
||||
RPI_KERNEL_REPO=https://github.com/raspberrypi/linux
|
||||
|
||||
# Mainline Linux kernel (for generic ARM64 — kernel.org LTS)
|
||||
# Bump within the 6.12 LTS series as patch levels release.
|
||||
# 6.12 LTS is supported until Dec 2029.
|
||||
MAINLINE_KERNEL_VERSION=6.12.10
|
||||
MAINLINE_KERNEL_MAJOR=v6.x
|
||||
MAINLINE_KERNEL_URL=https://cdn.kernel.org/pub/linux/kernel/${MAINLINE_KERNEL_MAJOR}/linux-${MAINLINE_KERNEL_VERSION}.tar.xz
|
||||
MAINLINE_KERNEL_SHA256=""
|
||||
|
||||
# Output naming
|
||||
OS_NAME=kubesolo-os
|
||||
|
||||
Reference in New Issue
Block a user