Following on from enabling CONFIG_SHOW_USAGE=y.
Rationale: make it easier to debug the host OS.
Size increase of libbusybox.so: +32 KB over CONFIG_SHOW_USAGE=y
baseline.
We could enable COMPRESS_USAGE to bring it down to +8KB over
CONFIG_SHOW_USAGE=y baseline, but I'm not sure it's worth optimizing?
If we want to compress, it's probably fine: just a slight CPU hit when
asking for CPU usage, which is probably fine for interactive use.
This lets us run `which`
I've found myself wanting this a bunch while trying to figure out, well,
which binary I'm running. I can walk $PATH myself, but it's no fun.
libbusybox.so size impact: +0 bytes (that is, it's less than the
4KB-padded text section we already have).
Ping is a foundational tool for network debugging, and with so many
network integrations in Home Assistant, we deserve a fancy ping.
This enables flags like `-c` count ping and packet loss statistics.
Nothing totally groundbreaking, but it enables more detailed debugging.
Without fancy ping, you get very limited flags, that just do one ping
per invocation.
```
# ping 127.0.0.1
127.0.0.1 is alive!
# ping --help
BusyBox v1.37.0 (2026-07-01 07:04:23 UTC) multi-call binary.
Usage: ping HOST
```
Add firmware for the Intel Wi-Fi 7 BZ family (e.g. BE201, used in Arrow
Lake systems) and the Intel SC chip (Panther Lake). Both detect but fail
to probe without their respective iwlwifi-bz-*/iwlwifi-sc-* firmware.
* buildroot fe7b14c878...c1438cf214 (2):
> package/linux-firmware: add Intel BZ WiFi firmware
> package/linux-firmware: add Intel SC WiFi firmware
Closes#4829Closes#4826
* Enable CONFIG_BT_INTEL_PCIE for Intel PCIe Bluetooth
Starting with Meteor Lake and continuing through Lunar Lake and Panther
Lake, Intel integrates the Bluetooth controller as a native PCIe endpoint
rather than behind the internal USB hub. These chips (e.g. Scorpius Peak
on Panther Lake, PCI 8086:e476) require the btintel_pcie transport driver,
which was not built so far.
The Kconfig dependencies (PCI, ACPI, BT_INTEL, FW_LOADER) and the
linux-firmware ibt-* files are already present, so enabling the module is
sufficient to bind these controllers.
Closes#4827
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* Rewording of comment
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---------
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
The boot script only persisted the decremented boot-attempt counter
(storebootstate) when a kernel was successfully loaded. When *neither*
slot's kernel could be loaded, it instead reset both counters back to 3
and rebooted - pinning them and looping forever without ever counting
down or falling back. A failed kernel load therefore never consumed an
attempt, defeating the A/B rollback safety net (#4788).
Persist the (decremented) counters on a failed load too, and only re-arm
them once both slots are actually exhausted instead of on every failure.
Repeated load failures now count down and we fall back to the other slot.
Note: this does not address the underlying eMMC read unreliability seen
on some N2 units (kernel/boot.scr loads failing in U-Boot); it makes the
slot-fallback logic behave correctly when a load does fail.
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
The seedrng applet got pulled in by an oldconfig default when busybox was
bumped to 1.37.0; it was never a deliberate choice. RNG seeding on HAOS is
already handled by systemd's systemd-random-seed.service, which runs the
native systemd-random-seed binary directly (it does not invoke the seedrng
command). The applet is therefore redundant and orphaned - nothing in the
image references it - so disable it.
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The netstat applet is not used anywhere within HAOS and is superseded by
ss from iproute2, which is shipped on all boards and is the modern,
preferred equivalent (e.g. ss -tulpn replaces netstat -tulpn).
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This costs a few KB, but is invaluable when debugging host problems,
otherwise busybox just exits failure on any argument it doesn't
understand.
Fixes#4830
The haos-expand.service ("HAOS data resizing") is a Type=oneshot unit
without an explicit timeout, so it inherited systemd's
DefaultTimeoutStartSec (90s). On slow or previously used disks the data
partition resize can take longer than that, causing the service to be
killed and mnt-data.mount to fail with "Dependency failed for HAOS data
resizing", leaving the system unusable.
Aborting the resize serves no purpose: if it fails the installation is
broken anyway. Set TimeoutStartSec=infinity so the resize runs for as
long as it needs instead of failing the boot.
Fixes#3365
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Enable CONFIG_DRM_ACCEL_IVPU on the generic-x86-64 and OVA boards so the
Intel NPU (Neural Processing Unit) found on Core Ultra CPUs (Meteor Lake
and later, including Panther Lake) is exposed as /dev/accel/accel0. This
lets add-ons such as Frigate use OpenVINO with hardware-accelerated
inference on the NPU.
Also select the Intel NPU firmware (intel/vpu/vpu_*.bin), which already
ships in linux-firmware 20260410 including the Panther Lake (vpu_50xx)
blob.
The driver is x86_64-only, so it is added to the per-board configs rather
than the shared device-support-pci.config which is also used by aarch64
boards.
Fixes#4783
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The kernel bump to 6.18 means newer Intel Wi-Fi 7 devices (BZ/GL/SC/DR
families, e.g. the BE200) are no longer handled by the iwlmvm op-mode.
Their firmware now requires the new iwlmld driver, and without it the
iwlwifi core aborts the probe with:
IWLMLD needs to be compiled to support this firmware
probe with driver iwlwifi failed with error -22
Enable CONFIG_IWLMLD so these devices bind again. The matching firmware
(iwlwifi-gl-*) already ships via linux-firmware.
Fixes#4784
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* Enable usbip on all targets
Enable the usbip userland tools (BR2_PACKAGE_USBIP), already provided by
the pinned Buildroot (package/usbip), to attach remote USB devices over
the network. The USBIP kernel modules are already enabled via
device-support.config.
This is the OS-side prerequisite for driving USB/IP from os-agent
(home-assistant/os-agent#265).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* Fix configs ordering using savedefconfig
---------
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Jan Čermák <sairon@sairon.cz>
(cherry picked from commit c8b9d5919b)
After #4762, NFS_V4 was set as module in ODROIDs, Green and VIM3
kernels. This is because their defconfigs set the upper NFS_FS symbol to
module. Set it to built-in in these defconfigs as well (for other
targets this is handled by defconfigs from the kernel) and remove
redundant options we set in the haos fragment.
(cherry picked from commit e2a0c9bb3b)
* Add sanity checks for correct release channel to the build workflow
There's currently nothing preventing us from publishing RC build to the
stable channel if the GH release is configured incorrectly. Since we
have the meta file which dictates where the deployment should go, use
this as a sanity check and reject the workflow if the expected
configuration doesn't match.
* Improve the check to validate version string as well
(cherry picked from commit b4977ed0a9)
* buildroot 89ddb15854...78450fa882 (3):
> package/runc: fix regression with kernel without user namespace
> Revert "package/runc: fix regression with kernel without user namespace"
> Merge tag '2025.02.15' into 2025.02.x-haos
* Enable usbip on all targets
Enable the usbip userland tools (BR2_PACKAGE_USBIP), already provided by
the pinned Buildroot (package/usbip), to attach remote USB devices over
the network. The USBIP kernel modules are already enabled via
device-support.config.
This is the OS-side prerequisite for driving USB/IP from os-agent
(home-assistant/os-agent#265).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* Fix configs ordering using savedefconfig
---------
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Jan Čermák <sairon@sairon.cz>
After #4762, NFS_V4 was set as module in ODROIDs, Green and VIM3
kernels. This is because their defconfigs set the upper NFS_FS symbol to
module. Set it to built-in in these defconfigs as well (for other
targets this is handled by defconfigs from the kernel) and remove
redundant options we set in the haos fragment.
* Add sanity checks for correct release channel to the build workflow
There's currently nothing preventing us from publishing RC build to the
stable channel if the GH release is configured incorrectly. Since we
have the meta file which dictates where the deployment should go, use
this as a sanity check and reject the workflow if the expected
configuration doesn't match.
* Improve the check to validate version string as well
Borrow shrinking used in home-assistant/operating-system-full-images for
reducing the data partition size to only fit its contents. Currently the
data partition is intentionally overprovisioned to comfortably fit all
docker images in the hassio build. This results in unnecessarily large
image which takes longer to flash, as all the zeroes at the end of the
filesystem need to be written to the SD card.
For OVA and aarch64 VM formats, the image is resized before creating the
VM images - this also makes all generic-aarch64 images sized to 32GB,
unlike 6GB which inherently needed resizing before use. Some juggling
extra juggling is needed in the aarch64 post-image step, as we want to
preserve the raw image (e.g. for generic aarch64 boards) but it's
desirable to keep it minimal as well, as it's meant to be flashed to
real hardware storage.
Not all defconfigs enable NFS v4.1/v4.2 by default, most importantly
it's not enabled for x86_64 (on the other hand, it is enabled on RPi,
Rockchip and Amlogic). Explicitly enable NFS_V4 and its minor versions
in the common config fragment to ensure it's available everywhere.
It can now be removed from the Rochckip fragment, while removing the
migration option there for good (as Kconfig says it's very
experimental).
Fixes#4742
Add certificates with new PKI chain to replace the old one. Until May
14th 2028, bundles signed with the old certs will be accepted as well.
The transition to the new authority using bundles signed by the new
certs is ensured by the intermediate certificate signed by the old CA.
This, and the old CA certificates can be removed from the keyring after
their expiry.
The keyrings no longer contain CRLs, but the validity of the
certificates will be shortened to 4 years, as discussed in the linked
issue.
Closes#4743
The rule using 33% of RAM for default swapfile size had flaws both for
low and high RAM systems - for the former the swap was too small to
provide any buffer for OOM situations, for the latter it created
unnecessarily big swapfile.
Clamp the swapfile size to 1-4 GB. This means the file will somewhat
grow on systems with 1 or 2 GB of RAM, but this should be within bounds
of what's reported by HA as low storage. For systems with >12 GB of RAM,
the swap file wouldn't be created larger than 4 GB (in fact, will be
recreated if bigger). The configured size is still respected.
Closes#4481
Enable the JMicron JMC25x Gigabit Ethernet driver (CONFIG_JME) in the
kernel configuration.
This controller (specifically the JMC251) is very common on various
budget mini PCs (often used as Home Assistant nodes) but currently lacks
native driver support in Home Assistant OS out of the box. Adding these
flags restores native network connectivity for these devices.
* Add CI check for sufficient validity of the OTA signing certificate
To ensure that we don't miss expiration of the signing certificate, add
a CI check that checks its validity and validity of the full chain of
trust, ensuring CA doesn't expire either. Currently set to 25 months,
which should be enough to allow migration of existing devices to new CA
and allow some wiggle room for upgrades and downgrades.
Refs #4743
* Find real issuer when walking the chain
* Add number of certs checked to the suceess message