Add version-gated NETFILTER_XTABLES_LEGACY and BRIDGE_NF_EBTABLES_LEGACY
support in armbian-kernel.sh for kernels >= 6.18. Also add missing
ebtables table modules (BRIDGE_EBT_BROUTE, BRIDGE_EBT_T_FILTER,
BRIDGE_EBT_T_NAT) unconditionally to the nftables config function.
This ensures all hardware families automatically get legacy xtables
support when building kernels 6.18+, fixing Docker and Proxmox
firewall breakage without requiring per-family config changes.
Fixes wrong CPU vulnerability output:
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation:Vulnerable: Unprivileged eBPF enabled
It's enabled but CONFIG_BPF_UNPRIV_DEFAULT_OFF being unset causes the warning.
This warning happens on ARM32 and ARM64 devices.
Edited with:
find -name "*.config" -exec sed -i 's/# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set/CONFIG_BPF_UNPRIV_DEFAULT_OFF=y/g' '{}' \;
CONFIG_BPF_UNPRIV_DEFAULT_OFF is a Linux kernel build-time hardening option that disables unprivileged use of the bpf() syscall (and thus unprivileged eBPF loading) by default by setting kernel.unprivileged_bpf_disabled=2 at boot. With this default, only privileged processes (e.g., with CAP_SYS_ADMIN / CAP_BPF, depending on kernel) can load eBPF unless an administrator explicitly relaxes it. [1], [2]
Operational behavior you should know
kernel.unprivileged_bpf_disabled semantics (as documented in the kernel sysctl docs/patch):
- 0: unprivileged bpf() allowed
- 1: unprivileged bpf() blocked and cannot be re-enabled until reboot (no transition back to 0 while running)
- 2: unprivileged bpf() blocked but admin can later switch to 0 or 1 if needed
If CONFIG_BPF_UNPRIV_DEFAULT_OFF=y, the default becomes 2 instead of 0. [2]
Signed-off-by: Rosen Penev <rosenp@gmail.com>
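An added example, not part of the commit above or of the Armbian tree: a small audit that lists which `*.config` files still leave unprivileged bpf() allowed by default and decodes the `kernel.unprivileged_bpf_disabled` values described above. The function names are hypothetical. The check on `CONFIG_BPF_SYSCALL` is an assumption added here to cover kernels built without bpf() at all.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Armbian's.

# Meaning of a kernel.unprivileged_bpf_disabled value (0/1/2).
describe_unpriv_bpf() {
    case "$1" in
        0) echo "allowed" ;;
        1) echo "blocked-until-reboot" ;;
        2) echo "blocked-admin-adjustable" ;;
        *) echo "unknown" ;;
    esac
}

# Boot-time default of the sysctl implied by one kernel .config file.
# Prints "none" when the bpf() syscall is not built in (assumption: the
# sysctl only matters when CONFIG_BPF_SYSCALL=y).
default_from_config() {
    grep -q '^CONFIG_BPF_SYSCALL=y$' "$1" || { echo none; return 0; }
    if grep -q '^CONFIG_BPF_UNPRIV_DEFAULT_OFF=y$' "$1"; then
        echo 2
    else
        echo 0
    fi
}

# List every *.config under a directory whose default still allows
# unprivileged bpf(), i.e. the files the sed edit above has to touch.
find_unhardened_configs() {
    find "$1" -name '*.config' | sort | while IFS= read -r cfg; do
        if [ "$(default_from_config "$cfg")" = 0 ]; then
            echo "$cfg"
        fi
    done
}

# State of the running kernel, if the sysctl is exposed on this host.
live_state() {
    f=/proc/sys/kernel/unprivileged_bpf_disabled
    if [ -r "$f" ]; then
        describe_unpriv_bpf "$(cat "$f")"
    else
        echo "unknown"
    fi
}
```

Running `find_unhardened_configs` over the config directory before and after the edit shows which files changed default, and `live_state` on a booted image confirms the value the kernel actually applied.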
Update all copyright notices in shell scripts from 2025 to 2026.
## Changes
- **Igor Pecovnik**: 2013-2025 → 2013-2026 (129 files)
- **Ricardo Pardini**: 2023-2025 → 2023-2026, 2020-2025 → 2020-2026 (5 files)
## Additional Improvements
Also updated the backtitle in `lib/functions/configuration/interactive.sh`:
- Changed title from "Armbian building script" to "Armbian Linux build framework"
- Removed docs link for cleaner display
- Uses dynamic year calculation with separate declaration (fixes shellcheck SC2155)
- call_extensions_kernel_config() now declares the vars and calls
armbian_kernel_config_apply_opts_from_arrays() at the end
- so each individual hook doesn't need to
- adapt family code using the old way too
- one shall NOT use the contents of .config to determine what's in the .config
- also: introduce `opts_m` for armbian_kernel_config_apply_opts_from_arrays()
The current script can overwrite drivers which are set as built-in in
the board-specific config. This is not desirable.
Add a check to ensure we do not convert built-in stuff into modules.
Signed-off-by: Ayush Singh <ayush@beagleboard.org>
- turns out `pahole` for `vmlinux` can take multiple gigabytes of RAM to run successfully
- I can't simply decide based on available RAM, as that would make .config hashes mismatch
- thus, introduce:
- default is to enable BTF; if on low-ram host, error out unless KERNEL_BTF=yes is passed
- if KERNEL_BTF=no is passed, the BTF debug info is always disabled
- if KERNEL_BTF=yes is passed, then a warning is produced, but BTF is still enabled
- the magic number "6451 MiB" was determined empirically (and is probably bs)
- we need to run the hooks _before_ running oldconfig, otherwise it is too late
- drop `kernel_config_check_and_repair()` since it won't ever detect anything now
The kernel option `CONFIG_MODULE_COMPRESS_NONE` was superseded by `CONFIG_MODULE_COMPRESS` in 6.12.
Adapt the kernel compilation script accordingly to force the correct kernel option.
Source: c7ff693fa2
- we had `_DEBUG=n` forced, which conflicted with `_EXPERT=y`;
- some important SBC features (like _GPIO_SYSFS) depend on _EXPERT=y
- we've plans to enable BTF/CO-RE kernels soon, so removing the non-debug enforcement makes some sense
- also, .config's will be free to determine debug config, nothing's changing in those here
- remove the `_EMBEDDED` special case handling, we can do that as well now
- add a separate hook to re-enable `CONFIG_GPIO_SYSFS=y`; it was a victim of `EXPERT=n` in some kernels
- this does not include rewrites of all the .configs -- those should be done in a separate batch -- either way effect is the same, hooks will always override .config's
- during rewrites, a large number of new options will show up, since `_EXPERT=y` is used as dependency for many of Kernel's experimental-ish features
Disable CONFIG_EXPERT as well since DEBUG_KERNEL=y is a dependency for EXPERT=y, meaning DEBUG_KERNEL would be re-enabled automatically if EXPERT is enabled
- really can't remember why I added those, and they cause trouble for BTF
- See https://www.kernel.org/doc/html/next/bpf/btf.html
- `CONFIG_DEBUG_INFO_BTF: Generate BTF typeinfo`
- _Generate deduplicated BTF type information from DWARF debug info. Turning this on expects presence of pahole tool, which will convert DWARF type info into equivalent deduplicated BTF type info._
* Add / modify (c) in bash scripts
Signed-off-by: Igor <igor@armbian.com>
* Add (c) to the source config files
---------
Signed-off-by: Igor <igor@armbian.com>
- artifacts: introduce `ARTIFACT_IGNORE_CACHE=yes`
- artifacts: introduce `DONT_BUILD_ARTIFACTS`, list of artifacts that if not found cached, fail the build
- kernel_package_source() is no more
- a long dissertation about kernels, families, and the universe
- artifacts: actually use rootfs artifact for image build
- artifacts: detangle via artifact_base_dir
- artifacts: rootfs: use folders in artifact_name; include cache_type
- artifacts: some cleanups / validations
- rootfs artifact; drop old rootfs cli
- artifacts: new CLI shortcuts; remove old firmware CLI
- artifacts: full firmware & usage
- use firmware artifacts in image build and install its debs
- kernel artifact sans legacy; use tmpdir for .deb target for all packages
- legacy artifact versions is no more; pack/unpack now in common obtain;
- artifacts: uboot: cleanup legacy renaming, use artifact version directly
- artifacts: add firmware (small) artifact
- deploy uboot to loop from artifact; allow tty to artifact; todos for cleaning
- fixes, kernel dtb/headers conditional; remove `.git` from Makefile url; use mapfile for finding files to hash
- completely remove KERNEL_HAS_WORKING_HEADERS_FULL_SOURCE and `kernel_package_callback_linux_headers_full_source()`
- don't use realpath for artifact_file_relative
- curb some warnings
- fix: only install headers & dtbs if such exist
- kernel .config hook modification hash versioning
- OCI_TARGET_BASE vs per-artifact defaults; only deploy to remote from CLI with OTB
- artifact revolver & installing into image
- add artifact_map_packages and artifact_map_debs dicts
- revolver accumulates all info
- REPOSITORY_INSTALL is no more (for uboot/kernel, later others)
- rename `VER` to `IMAGE_INSTALLED_KERNEL_VERSION`