build: separate generic ARM64 from Raspberry Pi kernel builds
Splits the ARM64 build into two tracks per docs/arm64-architecture.md:

Generic ARM64 (mainline kernel.org, UEFI, virtio, GRUB):
- New build/scripts/build-kernel-arm64.sh builds mainline LTS (6.12.x by default) from arm64 defconfig + shared container fragment + arm64-virt enables (VIRTIO_*, EFI_STUB, NVMe). Output: build/cache/kernel-arm64-generic/.
- New Makefile targets: kernel-arm64, rootfs-arm64 (now consumes the mainline kernel modules via TARGET_VARIANT=generic).
- versions.env: pin MAINLINE_KERNEL_VERSION=6.12.10, declare cdn.kernel.org URL and SHA256 placeholder.

Raspberry Pi (raspberrypi/linux fork, custom DTBs, autoboot.txt):
- build-kernel-arm64.sh (RPi-flavoured) renamed to build-kernel-rpi.sh; cache dir renamed from custom-kernel-arm64 to custom-kernel-rpi.
- New Makefile targets: kernel-rpi, rootfs-arm64-rpi (uses TARGET_VARIANT=rpi).
- rpi-image now depends on rootfs-arm64-rpi + kernel-rpi instead of the generic rootfs-arm64.
- create-rpi-image.sh + inject-kubesolo.sh updated to reference the new cache path. inject-kubesolo.sh now takes a TARGET_VARIANT env var (rpi|generic) to select which ARM64 kernel modules to consume.

Shared substrate:
- rpi-kernel-config.fragment renamed to kernel-container.fragment. The contents were never RPi-specific (cgroup, namespaces, AppArmor, netfilter) — just misnamed. Extended with extra subsystem disables (KVM, WLAN, CFG80211, INFINIBAND, PCMCIA, HAMRADIO, ISDN, ATM, INPUT_JOYSTICK, INPUT_TABLET, FPGA) and CONFIG_LSM=lockdown,yama,apparmor.
- build-kernel.sh (x86) refactored to apply the shared fragment via a generic apply_fragment function (two-pass for the TC stock config security dance), killing ~50 lines of inline config duplication.

Note: rename detection shows build-kernel-arm64.sh as 'modified' because the new file at that path is the mainline build, while the old RPi-flavoured content lives in build-kernel-rpi.sh (which appears as a new file). The git log for build-kernel-rpi.sh is empty; the RPi history is preserved at the original path until this commit.

No actual kernel build runs in this commit — that's Phase 3 work.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -85,85 +85,49 @@ echo " Source dir: $(basename "$KERNEL_SRC_DIR")"

cd "$KERNEL_SRC_DIR"

# --- Apply stock config + enable CONFIG_CGROUP_BPF ---
# --- Apply stock config + shared container-config fragment ---
echo "==> Applying stock Tiny Core config..."
cp "$KERNEL_CFG" .config

echo "==> Enabling required kernel configs..."
./scripts/config --enable CONFIG_CGROUP_BPF
./scripts/config --enable CONFIG_DEVTMPFS
./scripts/config --enable CONFIG_DEVTMPFS_MOUNT
./scripts/config --enable CONFIG_MEMCG
./scripts/config --enable CONFIG_CFS_BANDWIDTH
CONFIG_FRAGMENT="$PROJECT_ROOT/build/config/kernel-container.fragment"
if [ ! -f "$CONFIG_FRAGMENT" ]; then
echo "ERROR: Config fragment not found: $CONFIG_FRAGMENT"
exit 1
fi

# --- Strip unnecessary subsystems for smallest footprint ---
# This is a headless K8s edge appliance — no sound, GPU, wireless, etc.
echo "==> Disabling unnecessary subsystems for minimal footprint..."
# Apply the fragment: each "CONFIG_X=v" line becomes the right scripts/config
# invocation; "# CONFIG_X is not set" comments become --disable.
apply_fragment() {
local fragment="$1"
while IFS= read -r line; do
case "$line" in
"# CONFIG_"*" is not set")
key=$(echo "$line" | sed -n 's/^# \(CONFIG_[A-Z0-9_]*\) is not set$/\1/p')
[ -n "$key" ] && ./scripts/config --disable "${key#CONFIG_}"
continue
;;
\#*|"") continue ;;
esac
key="${line%%=*}"
value="${line#*=}"
case "$value" in
y) ./scripts/config --enable "$key" ;;
m) ./scripts/config --module "$key" ;;
n) ./scripts/config --disable "${key#CONFIG_}" ;;
*) ./scripts/config --set-str "$key" "$value" ;;
esac
done < "$fragment"
}

# Sound subsystem (not needed on headless appliance)
./scripts/config --disable SOUND

# GPU/DRM (serial console only, no display)
./scripts/config --disable DRM

# KVM hypervisor (this IS the guest/bare metal, not a hypervisor)
./scripts/config --disable KVM

# Media/camera/TV/radio (not needed)
./scripts/config --disable MEDIA_SUPPORT

# Wireless networking (wired edge device)
./scripts/config --disable WIRELESS
./scripts/config --disable WLAN
./scripts/config --disable CFG80211

# Bluetooth (not needed)
./scripts/config --disable BT

# NFC (not needed)
./scripts/config --disable NFC

# Infiniband (not needed on edge)
./scripts/config --disable INFINIBAND

# PCMCIA (legacy, not needed)
./scripts/config --disable PCMCIA

# Amateur radio (not needed)
./scripts/config --disable HAMRADIO

# ISDN (not needed)
./scripts/config --disable ISDN

# ATM networking (not needed)
./scripts/config --disable ATM

# Joystick/gamepad (not needed)
./scripts/config --disable INPUT_JOYSTICK
./scripts/config --disable INPUT_TABLET

# FPGA (not needed)
./scripts/config --disable FPGA

# First pass: resolve base dependencies before adding security configs.
# The stock TC config has "# CONFIG_SECURITY is not set" which causes
# olddefconfig to strip security-related options if applied in a single pass.
# Two-pass apply: TC's stock config has CONFIG_SECURITY disabled, so olddefconfig
# strips the security subtree before its dependencies resolve. Re-applying the
# fragment after the first olddefconfig restores those entries.
echo "==> Applying kernel-container.fragment (pass 1)..."
apply_fragment "$CONFIG_FRAGMENT"
make olddefconfig

# Security: AppArmor LSM + Audit subsystem
# Applied AFTER first olddefconfig to ensure CONFIG_SECURITY dependencies
# (SYSFS, MULTIUSER) are resolved before enabling the security subtree.
echo "==> Enabling AppArmor + Audit kernel configs..."
./scripts/config --enable CONFIG_AUDIT
./scripts/config --enable CONFIG_AUDITSYSCALL
./scripts/config --enable CONFIG_SECURITY
./scripts/config --enable CONFIG_SECURITYFS
./scripts/config --enable CONFIG_SECURITY_NETWORK
./scripts/config --enable CONFIG_SECURITY_APPARMOR
./scripts/config --set-str CONFIG_LSM "lockdown,yama,apparmor"
./scripts/config --set-str CONFIG_DEFAULT_SECURITY "apparmor"

# Second pass: resolve security config dependencies
echo "==> Applying kernel-container.fragment (pass 2)..."
apply_fragment "$CONFIG_FRAGMENT"
make olddefconfig

# Verify critical configs are set

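Review bot: the `*)` fallback in apply_fragment hands the raw right-hand side to `--set-str`, so a fragment line written in normal .config syntax such as `CONFIG_LSM="lockdown,yama,apparmor"` keeps its surrounding double quotes as part of the string value (scripts/config wraps `--set-str` values in its own quotes), and a bare integer value would be written out as a string as well. Strip the quotes before the call and send unquoted values through `--set-val` instead, e.g. `\"*) value="${value#\"}"; value="${value%\"}"; ./scripts/config --set-str "$key" "$value" ;;` followed by `*) ./scripts/config --set-val "$key" "$value" ;;`. Related: the inline block after pass 1 sets `CONFIG_LSM` with `--set-str`, and the commit message says kernel-container.fragment now carries CONFIG_LSM as well, so pass 2 will overwrite the inline value with whatever the fragment parses to; keep a single source of truth for that symbol. Minor style point in the same function: `--enable` and `--module` receive the `CONFIG_`-prefixed key while `--disable` strips the prefix; scripts/config accepts both spellings, but one form throughout would read better.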