m/node: build Linux with modules
This introduces modules into our Linux build. I originally didn't want
to do this, this is why this wasn't done until now. But various things
in the kernel weren't set up for this, for example the AMD and Intel KVM
modules cannot both be loaded, only the first one loaded works. Also,
the Linux kernel cannot load firmware for built-in modules reliably as
the filesystem it tries to load it from is not always mounted first,
even if the kernel itself mounts it.
The firmware issue was brought up multiple times on LKML, but Linus is
of the opinion that the firmware should be next to the kernel module,
thus either built-in (not viable for licensing and size reasons) or the
modules need to be loadable and on the same filesystem as the firmware.
Thus unless we want to carry signifcant patches against the Kernel in a
deadlock-prone area, we are forced to adopt a design with loadable
modules (or ship everything twice in an initramfs which is also not
desirable).
The kernel config currently only has the modules as non-builtin which
require firmware, everything else has been left as-is. For boot-time
performance it would eventually be a good idea to move to a setup with
more modules once we're confident in the implementation and everything
can deal with late-loaded modules/devices.
As a drive-by fix this also moves the kernel builds to out-of-tree so
that we no longer pollute the source folder. Bazel protected us from
serious issues due to this, but it's still bad practice.
Change-Id: Iced8e12234565e5b7447e732716651e05e67d55b
Reviewed-on: https://review.monogon.dev/c/monogon/+/1791
Reviewed-by: Serge Bazanski <serge@monogon.tech>
Tested-by: Jenkins CI
diff --git a/cloud/agent/BUILD.bazel b/cloud/agent/BUILD.bazel
index 9d8174e..e8b4ffd 100644
--- a/cloud/agent/BUILD.bazel
+++ b/cloud/agent/BUILD.bazel
@@ -16,6 +16,7 @@
         "//cloud/agent/api",
         "//cloud/bmaas/server/api",
         "//metropolis/node/build/mkimage/osimage",
+        "//metropolis/node/core/devmgr",
         "//metropolis/node/core/network",
         "//metropolis/pkg/bootparam",
         "//metropolis/pkg/efivarfs",
diff --git a/cloud/agent/agent.go b/cloud/agent/agent.go
index ca2bd0c..75888ce 100644
--- a/cloud/agent/agent.go
+++ b/cloud/agent/agent.go
@@ -20,6 +20,7 @@
 
 	apb "source.monogon.dev/cloud/agent/api"
 	bpb "source.monogon.dev/cloud/bmaas/server/api"
+	"source.monogon.dev/metropolis/node/core/devmgr"
 	"source.monogon.dev/metropolis/node/core/network"
 	"source.monogon.dev/metropolis/pkg/pki"
 	"source.monogon.dev/metropolis/pkg/supervisor"
@@ -69,6 +70,9 @@
 		return errors.New("AgentInit takeover_init field is unset, this is not allowed")
 	}
 
+	devmgrSvc := devmgr.New()
+	supervisor.Run(ctx, "devmgr", devmgrSvc.Run)
+
 	networkSvc := network.New(agentInit.NetworkConfig)
 	networkSvc.DHCPVendorClassID = "dev.monogon.cloud.agent.v1"
 	supervisor.Run(ctx, "networking", networkSvc.Run)
diff --git a/metropolis/node/build/fwprune/BUILD.bazel b/metropolis/node/build/fwprune/BUILD.bazel
index 578b829..bc22665 100644
--- a/metropolis/node/build/fwprune/BUILD.bazel
+++ b/metropolis/node/build/fwprune/BUILD.bazel
@@ -7,7 +7,9 @@
     visibility = ["//visibility:private"],
     deps = [
         "//metropolis/node/build/fsspec",
+        "//metropolis/pkg/kmod",
         "@org_golang_google_protobuf//encoding/prototext",
+        "@org_golang_google_protobuf//proto",
     ],
 )
 
diff --git a/metropolis/node/build/fwprune/def.bzl b/metropolis/node/build/fwprune/def.bzl
index 507532e..154009e 100644
--- a/metropolis/node/build/fwprune/def.bzl
+++ b/metropolis/node/build/fwprune/def.bzl
@@ -10,16 +10,32 @@
     )
 
     modinfo = ctx.attr.kernel[OutputGroupInfo].modinfo.to_list()[0]
+    modules = ctx.attr.kernel[OutputGroupInfo].modules.to_list()[0]
+
+    meta_out = ctx.actions.declare_file(ctx.label.name + "-meta.pb")
 
     ctx.actions.run(
-        outputs = [fsspec_out],
-        inputs = [fwlist, modinfo, ctx.file.metadata] + ctx.files.firmware_files,
+        outputs = [fsspec_out, meta_out],
+        inputs = [fwlist, modinfo, modules, ctx.file.metadata] + ctx.files.firmware_files,
         tools = [ctx.executable._fwprune],
         executable = ctx.executable._fwprune,
-        arguments = [modinfo.path, fwlist.path, ctx.file.metadata.path, fsspec_out.path],
+        arguments = [
+            "-modinfo",
+            modinfo.path,
+            "-modules",
+            modules.path,
+            "-firmware-file-list",
+            fwlist.path,
+            "-firmware-whence",
+            ctx.file.metadata.path,
+            "-out-meta",
+            meta_out.path,
+            "-out-fsspec",
+            fsspec_out.path,
+        ],
     )
 
-    return [DefaultInfo(files = depset([fsspec_out])), FSSpecInfo(spec = fsspec_out, referenced = ctx.files.firmware_files)]
+    return [DefaultInfo(files = depset([fsspec_out])), FSSpecInfo(spec = fsspec_out, referenced = ctx.files.firmware_files + [modules, meta_out])]
 
 fsspec_linux_firmware = rule(
     implementation = _fsspec_linux_firmware,
diff --git a/metropolis/node/build/fwprune/main.go b/metropolis/node/build/fwprune/main.go
index 861a2d0..c8c8e9c 100644
--- a/metropolis/node/build/fwprune/main.go
+++ b/metropolis/node/build/fwprune/main.go
@@ -5,82 +5,46 @@
 package main
 
 import (
-	"bytes"
+	"debug/elf"
+	"flag"
+	"io/fs"
 	"log"
 	"os"
 	"path"
+	"path/filepath"
 	"regexp"
 	"sort"
 	"strings"
 
 	"google.golang.org/protobuf/encoding/prototext"
+	"google.golang.org/protobuf/proto"
 
 	"source.monogon.dev/metropolis/node/build/fsspec"
+	"source.monogon.dev/metropolis/pkg/kmod"
 )
 
+// linkRegexp parses the Link: lines in the WHENCE file. This does not have
+// an official grammar, the regexp has been written in an approximation of
+// the original parsing algorithm at @linux-firmware//:copy_firmware.sh.
+var linkRegexp = regexp.MustCompile(`(?m:^Link:\s*([^\s]+)\s+->\s+([^\s+]+)\s*$)`)
+
 var (
-	// linkRegexp parses the Link: lines in the WHENCE file. This does not have
-	// an official grammar, the regexp has been written in an approximation of
-	// the original parsing algorithm at @linux-firmware//:copy_firmware.sh.
-	linkRegexp = regexp.MustCompile(`(?m:^Link:\s*([^\s]+)\s+->\s+([^\s+]+)\s*$)`)
+	modinfoPath      = flag.String("modinfo", "", "Path to the modules.builtin.modinfo file built with the kernel")
+	modulesPath      = flag.String("modules", "", "Path to the directory containing the dynamically loaded kernel modules (.ko files)")
+	firmwareListPath = flag.String("firmware-file-list", "", "Path to a file containing a newline-separated list of paths to firmware files")
+	whenceFilePath   = flag.String("firmware-whence", "", "Path to the linux-firmware WHENCE file containing aliases for firmware files")
+	outMetaPath      = flag.String("out-meta", "", "Path where the resulting module metadata protobuf file should be created")
+	outFSSpecPath    = flag.String("out-fsspec", "", "Path where the resulting fsspec should be created")
 )
 
-// fwPaths returns a slice of filesystem paths relative to the root of the
-// linux-firmware repository, pointing at firmware files, according to contents
-// of the kernel build side effect: modules.builtin.modinfo.
-func fwPaths(mi []byte) []string {
-	// Use a map pset to deduplicate firmware paths.
-	pset := make(map[string]bool)
-	// Get a slice of entries of the form "unix.license=GPL" from mi. Then extract
-	// firmware information from it.
-	entries := bytes.Split(mi, []byte{0})
-	for _, entry := range entries {
-		// Skip empty entries.
-		if len(entry) == 0 {
-			continue
-		}
-		// Parse the entries. Split each entry into a key-value pair, separated
-		// by "=".
-		kv := strings.SplitN(string(entry), "=", 2)
-		key, value := kv[0], kv[1]
-		// Split the key into a module.attribute] pair, such as "unix.license".
-		ma := strings.SplitN(key, ".", 2)
-		// Skip, if it's not a firmware entry, according to the attribute.
-		if ma[1] != "firmware" {
-			continue
-		}
-		// If it is though, value holds a firmware path.
-		pset[value] = true
-	}
-	// Convert the deduplicated pset to a slice.
-	pslice := make([]string, 0, len(pset))
-	for p, _ := range pset {
-		pslice = append(pslice, p)
-	}
-	sort.Strings(pslice)
-	return pslice
-}
-
-// fwprune takes a modinfo file from the kernel and extracts a list of all
-// firmware files requested by all modules in that file. It then takes all
-// available firmware file paths (newline-separated in the firmwareList file)
-// and tries to match the requested file paths as a suffix of them.
-// For example if a module requests firmware foo/bar.bin and in the firmware list
-// there is a file at path build-out/x/y/foo/bar.bin it will use that file.
-// It also parses links from the linux-firmware metadata file and uses them
-// for matching requested firmware.
-// Finally it generates an fsspec placing each file under its requested path
-// under /lib/firmware.
 func main() {
-	if len(os.Args) != 5 {
-		log.Fatal("Usage: fwprune modules.builtin.modinfo firmwareListPath metadataFilePath outSpec")
+	flag.Parse()
+	if *modinfoPath == "" || *modulesPath == "" || *firmwareListPath == "" ||
+		*whenceFilePath == "" || *outMetaPath == "" || *outFSSpecPath == "" {
+		log.Fatal("all flags are required and need to be provided")
 	}
-	modinfo := os.Args[1]
-	firmwareListPath := os.Args[2]
-	metadataFilePath := os.Args[3]
-	outSpec := os.Args[4]
 
-	allFirmwareData, err := os.ReadFile(firmwareListPath)
+	allFirmwareData, err := os.ReadFile(*firmwareListPath)
 	if err != nil {
 		log.Fatalf("Failed to read firmware source list: %v", err)
 	}
@@ -89,16 +53,23 @@
 	// Create a look-up table of all possible suffixes to their full paths as
 	// this is much faster at O(n) than calling strings.HasSuffix for every
 	// possible combination which is O(n^2).
+	// For example a build output at out/a/b/c.bin will be entered into
+	// the suffix LUT as build as out/a/b/c.bin, a/b/c.bin, b/c.bin and c.bin.
+	// If the firmware then requests b/c.bin, the output path is contained in
+	// the suffix LUT.
 	suffixLUT := make(map[string]string)
 	for _, firmwarePath := range allFirmwarePaths {
 		pathParts := strings.Split(firmwarePath, string(os.PathSeparator))
 		for i := range pathParts {
-			suffixLUT[path.Join(pathParts[i:len(pathParts)]...)] = firmwarePath
+			suffixLUT[path.Join(pathParts[i:]...)] = firmwarePath
 		}
 	}
 
+	// The linux-firmware repo contains a WHENCE file which contains (among
+	// other information) aliases for firmware which should be symlinked.
+	// Open this file and create a map of aliases in it.
 	linkMap := make(map[string]string)
-	metadata, err := os.ReadFile(metadataFilePath)
+	metadata, err := os.ReadFile(*whenceFilePath)
 	if err != nil {
 		log.Fatalf("Failed to read metadata file: %v", err)
 	}
@@ -109,15 +80,90 @@
 		linkMap[link[1]] = link[2]
 	}
 
-	// Get the firmware file paths used by modules according to modinfo data
-	mi, err := os.ReadFile(modinfo)
+	// Collect module metadata (modinfo) from both built-in modules via the
+	// kbuild-generated metadata file as well as from the loadable modules by
+	// walking them.
+	var files []*fsspec.File
+	var symlinks []*fsspec.SymbolicLink
+
+	mi, err := os.Open(*modinfoPath)
 	if err != nil {
 		log.Fatalf("While reading modinfo: %v", err)
 	}
-	fwp := fwPaths(mi)
+	modMeta, err := kmod.GetBuiltinModulesInfo(mi)
+	if err != nil {
+		log.Fatalf("Failed to read modules modinfo data: %v", err)
+	}
 
-	var files []*fsspec.File
-	var symlinks []*fsspec.SymbolicLink
+	err = filepath.WalkDir(*modulesPath, func(p string, d fs.DirEntry, err error) error {
+		if err != nil {
+			log.Fatal(err)
+		}
+		if d.IsDir() {
+			return nil
+		}
+		mod, err := elf.Open(p)
+		if err != nil {
+			log.Fatal(err)
+		}
+		defer mod.Close()
+		out, err := kmod.GetModuleInfo(mod)
+		if err != nil {
+			log.Fatal(err)
+		}
+		relPath, err := filepath.Rel(*modulesPath, p)
+		if err != nil {
+			return err
+		}
+		// Add path information for MakeMetaFromModuleInfo.
+		out["path"] = []string{relPath}
+		modMeta = append(modMeta, out)
+		files = append(files, &fsspec.File{
+			Path:       path.Join("/lib/modules", relPath),
+			SourcePath: filepath.Join(*modulesPath, relPath),
+			Mode:       0555,
+		})
+		return nil
+	})
+	if err != nil {
+		log.Fatalf("Error walking modules: %v", err)
+	}
+
+	// Generate loading metadata from all known modules.
+	meta, err := kmod.MakeMetaFromModuleInfo(modMeta)
+	if err != nil {
+		log.Fatal(err)
+	}
+	metaRaw, err := proto.Marshal(meta)
+	if err != nil {
+		log.Fatal(err)
+	}
+	if err := os.WriteFile(*outMetaPath, metaRaw, 0640); err != nil {
+		log.Fatal(err)
+	}
+	files = append(files, &fsspec.File{
+		Path:       "/lib/modules/meta.pb",
+		SourcePath: *outMetaPath,
+		Mode:       0444,
+	})
+
+	// Create set of all firmware paths required by modules
+	fwset := make(map[string]bool)
+	for _, m := range modMeta {
+		if len(m["path"]) == 0 && len(m.Firmware()) > 0 {
+			log.Fatalf("Module %v is built-in, but requires firmware. Linux does not support this in all configurations.", m.Name())
+		}
+		for _, fw := range m.Firmware() {
+			fwset[fw] = true
+		}
+	}
+
+	// Convert set to list and sort for determinism
+	fwp := make([]string, 0, len(fwset))
+	for p := range fwset {
+		fwp = append(fwp, p)
+	}
+	sort.Strings(fwp)
 
 	// This function is called for every requested firmware file and adds and
 	// resolves symlinks until it finds the target file and adds that too.
@@ -163,7 +209,7 @@
 	// Format output in a both human- and machine-readable form
 	marshalOpts := prototext.MarshalOptions{Multiline: true, Indent: "  "}
 	fsspecRaw, err := marshalOpts.Marshal(&fsspec.FSSpec{File: files, SymbolicLink: symlinks})
-	if err := os.WriteFile(outSpec, fsspecRaw, 0644); err != nil {
+	if err := os.WriteFile(*outFSSpecPath, fsspecRaw, 0644); err != nil {
 		log.Fatalf("failed writing output: %v", err)
 	}
 }
diff --git a/metropolis/node/core/BUILD.bazel b/metropolis/node/core/BUILD.bazel
index 49873d8..09f99a7 100644
--- a/metropolis/node/core/BUILD.bazel
+++ b/metropolis/node/core/BUILD.bazel
@@ -24,6 +24,7 @@
     deps = [
         "//metropolis/node",
         "//metropolis/node/core/cluster",
+        "//metropolis/node/core/devmgr",
         "//metropolis/node/core/localstorage",
         "//metropolis/node/core/localstorage/declarative",
         "//metropolis/node/core/mgmt",
diff --git a/metropolis/node/core/main.go b/metropolis/node/core/main.go
index dc50269..d40942d 100644
--- a/metropolis/node/core/main.go
+++ b/metropolis/node/core/main.go
@@ -29,6 +29,7 @@
 
 	"source.monogon.dev/metropolis/node"
 	"source.monogon.dev/metropolis/node/core/cluster"
+	"source.monogon.dev/metropolis/node/core/devmgr"
 	"source.monogon.dev/metropolis/node/core/localstorage"
 	"source.monogon.dev/metropolis/node/core/localstorage/declarative"
 	"source.monogon.dev/metropolis/node/core/network"
@@ -119,6 +120,7 @@
 	networkSvc.DHCPVendorClassID = "dev.monogon.metropolis.node.v1"
 	networkSvc.ExtraDNSListenerIPs = []net.IP{node.ContainerDNSIP}
 	timeSvc := timesvc.New()
+	devmgrSvc := devmgr.New()
 
 	// This function initializes a headless Delve if this is a debug build or
 	// does nothing if it's not
@@ -164,6 +166,9 @@
 				logger.Errorf("Unable to load static config, proceeding without it: %v", err)
 			}
 		}
+		if err := supervisor.Run(ctx, "devmgr", devmgrSvc.Run); err != nil {
+			return fmt.Errorf("when starting devmgr: %w", err)
+		}
 		if err := supervisor.Run(ctx, "network", networkSvc.Run); err != nil {
 			return fmt.Errorf("when starting network: %w", err)
 		}
diff --git a/metropolis/pkg/kmod/manager_test.go b/metropolis/pkg/kmod/manager_test.go
index 4f06d17..43c9428 100644
--- a/metropolis/pkg/kmod/manager_test.go
+++ b/metropolis/pkg/kmod/manager_test.go
@@ -10,7 +10,6 @@
 	if os.Getenv("IN_KTEST") != "true" {
 		t.Skip("Not in ktest")
 	}
-	t.Skip("Only works from the final CL in the stack as it has a dep on the new kernel config")
 	mgr, err := NewManagerFromPath("/lib/modules")
 	if err != nil {
 		t.Fatal(err)
diff --git a/third_party/linux/def.bzl b/third_party/linux/def.bzl
index b31b34b..2090ed9 100644
--- a/third_party/linux/def.bzl
+++ b/third_party/linux/def.bzl
@@ -73,8 +73,8 @@
     # (image_name) is the name of the image that will be generated by this
     # rule.
     (target, image_source, image_name) = {
-        'vmlinux': ('vmlinux', 'vmlinux', 'vmlinux'),
-        'bzImage': ('all', 'arch/x86/boot/bzImage', 'bzImage'),
+        'vmlinux': ('vmlinux modules', 'vmlinux', 'vmlinux'),
+        'bzImage': ('all modules', 'arch/x86/boot/bzImage', 'bzImage'),
     }[image_format]
 
     # Root of the given Linux sources.
@@ -82,8 +82,9 @@
 
     image = ctx.actions.declare_file(image_name)
     modinfo = ctx.actions.declare_file("modules.builtin.modinfo")
+    modules = ctx.actions.declare_directory("modules")
     ctx.actions.run_shell(
-        outputs = [ image, modinfo ],
+        outputs = [ image, modinfo, modules ],
         inputs = [ kernel_config ] + kernel_src,
         command = '''
             kconfig=$1
@@ -92,12 +93,20 @@
             image=$4
             root=$5
             modinfo=$6
+            modules=$7
+
+            builddir=$(mktemp -d)
 
             mkdir ${root}/.bin
-            cp ${kconfig} ${root}/.config
-            (cd ${root} && make -j $(nproc) ${target} >/dev/null)
-            cp ${root}/${image_source} ${image}
-            cp ${root}/modules.builtin.modinfo ${modinfo}
+            cp ${kconfig} ${builddir}/.config
+            (cd ${root} && KBUILD_OUTPUT="${builddir}" make -j $(nproc) ${target} >/dev/null)
+            cp "${builddir}"/${image_source} ${image}
+            cp "${builddir}"/modules.builtin.modinfo ${modinfo}
+            # Not using modules_install as it tries to run depmod and friends
+            for f in $(find "${builddir}" -name '*.ko' -type f -printf "%P\n" ); do
+                install -D "${builddir}/$f" "${modules}/$f"
+            done
+            rm -Rf "$builddir"
         ''',
         arguments = [
             kernel_config.path,
@@ -105,7 +114,8 @@
             image_source,
             image.path,
             root,
-            modinfo.path
+            modinfo.path,
+            modules.path,
         ],
         use_default_shell_env = True,
     )
@@ -116,7 +126,8 @@
         runfiles=ctx.runfiles(files=[image])
       ),
       OutputGroupInfo(
-        modinfo = depset([modinfo])
+        modinfo = depset([modinfo]),
+        modules = depset([modules])
       )
     ]
 
diff --git a/third_party/linux/linux-metropolis.config b/third_party/linux/linux-metropolis.config
index 5ecea4e..1e5e1ab 100644
--- a/third_party/linux/linux-metropolis.config
+++ b/third_party/linux/linux-metropolis.config
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 5.15.104 Kernel Configuration
+# Linux/x86 5.15.112 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0"
 CONFIG_CC_IS_GCC=y
@@ -108,6 +108,7 @@
 # BPF subsystem
 #
 # CONFIG_BPF_SYSCALL is not set
+# CONFIG_BPF_JIT is not set
 # end of BPF subsystem
 
 CONFIG_PREEMPT_NONE=y
@@ -632,8 +633,8 @@
 CONFIG_HAVE_KVM_PM_NOTIFIER=y
 CONFIG_VIRTUALIZATION=y
 CONFIG_KVM=y
-CONFIG_KVM_INTEL=y
-CONFIG_KVM_AMD=y
+CONFIG_KVM_INTEL=m
+CONFIG_KVM_AMD=m
 CONFIG_KVM_AMD_SEV=y
 # CONFIG_KVM_XEN is not set
 # CONFIG_KVM_MMU_AUDIT is not set
@@ -649,6 +650,7 @@
 CONFIG_KEXEC_CORE=y
 CONFIG_HOTPLUG_SMT=y
 CONFIG_GENERIC_ENTRY=y
+# CONFIG_KPROBES is not set
 CONFIG_JUMP_LABEL=y
 # CONFIG_STATIC_KEYS_SELFTEST is not set
 # CONFIG_STATIC_CALL_SELFTEST is not set
@@ -735,6 +737,7 @@
 CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y
 CONFIG_STRICT_KERNEL_RWX=y
 CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y
+CONFIG_STRICT_MODULE_RWX=y
 CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y
 CONFIG_ARCH_USE_MEMREMAP_PROT=y
 # CONFIG_LOCK_EVENT_COUNTS is not set
@@ -760,7 +763,18 @@
 
 CONFIG_RT_MUTEXES=y
 CONFIG_BASE_SMALL=0
-# CONFIG_MODULES is not set
+CONFIG_MODULES=y
+# CONFIG_MODULE_FORCE_LOAD is not set
+# CONFIG_MODULE_UNLOAD is not set
+# CONFIG_MODVERSIONS is not set
+# CONFIG_MODULE_SRCVERSION_ALL is not set
+# CONFIG_MODULE_SIG is not set
+CONFIG_MODULE_COMPRESS_NONE=y
+# CONFIG_MODULE_COMPRESS_GZIP is not set
+# CONFIG_MODULE_COMPRESS_XZ is not set
+# CONFIG_MODULE_COMPRESS_ZSTD is not set
+# CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS is not set
+CONFIG_MODPROBE_PATH="/sbin/modprobe"
 CONFIG_MODULES_TREE_LOOKUP=y
 CONFIG_BLOCK=y
 CONFIG_BLK_DEV_BSG_COMMON=y
@@ -1377,6 +1391,7 @@
 # CONFIG_DEBUG_DEVRES is not set
 # CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set
 CONFIG_HMEM_REPORTING=y
+# CONFIG_TEST_ASYNC_DRIVER_PROBE is not set
 CONFIG_SYS_HYPERVISOR=y
 CONFIG_GENERIC_CPU_AUTOPROBE=y
 CONFIG_GENERIC_CPU_VULNERABILITIES=y
@@ -1753,11 +1768,11 @@
 CONFIG_NET_VENDOR_BROADCOM=y
 # CONFIG_B44 is not set
 # CONFIG_BCMGENET is not set
-CONFIG_BNX2=y
-CONFIG_CNIC=y
-CONFIG_TIGON3=y
+CONFIG_BNX2=m
+CONFIG_CNIC=m
+CONFIG_TIGON3=m
 CONFIG_TIGON3_HWMON=y
-CONFIG_BNX2X=y
+CONFIG_BNX2X=m
 # CONFIG_SYSTEMPORT is not set
 CONFIG_BNXT=y
 CONFIG_BNXT_FLOWER_OFFLOAD=y
@@ -1778,7 +1793,7 @@
 CONFIG_NET_VENDOR_I825XX=y
 CONFIG_NET_VENDOR_INTEL=y
 # CONFIG_E100 is not set
-# CONFIG_E1000 is not set
+CONFIG_E1000=y
 CONFIG_E1000E=y
 CONFIG_E1000E_HWTS=y
 CONFIG_IGB=y
@@ -1791,7 +1806,7 @@
 CONFIG_I40E=y
 CONFIG_IAVF=y
 CONFIG_I40EVF=y
-CONFIG_ICE=y
+CONFIG_ICE=m
 CONFIG_FM10K=y
 CONFIG_IGC=y
 # CONFIG_JME is not set
@@ -1817,7 +1832,7 @@
 # CONFIG_NET_VENDOR_MICROSEMI is not set
 CONFIG_NET_VENDOR_MICROSOFT=y
 CONFIG_NET_VENDOR_MYRI=y
-CONFIG_MYRI10GE=y
+CONFIG_MYRI10GE=m
 # CONFIG_FEALNX is not set
 # CONFIG_NET_VENDOR_NI is not set
 # CONFIG_NET_VENDOR_NATSEMI is not set
@@ -1825,7 +1840,7 @@
 # CONFIG_S2IO is not set
 # CONFIG_VXGE is not set
 CONFIG_NET_VENDOR_NETRONOME=y
-CONFIG_NFP=y
+CONFIG_NFP=m
 # CONFIG_NFP_DEBUG is not set
 # CONFIG_NET_VENDOR_NVIDIA is not set
 # CONFIG_NET_VENDOR_OKI is not set
@@ -1836,12 +1851,12 @@
 # CONFIG_NET_VENDOR_PENSANDO is not set
 CONFIG_NET_VENDOR_QLOGIC=y
 CONFIG_QLA3XXX=y
-CONFIG_QLCNIC=y
+CONFIG_QLCNIC=m
 CONFIG_QLCNIC_HWMON=y
 # CONFIG_NETXEN_NIC is not set
 # CONFIG_QED is not set
 CONFIG_NET_VENDOR_BROCADE=y
-CONFIG_BNA=y
+CONFIG_BNA=m
 CONFIG_NET_VENDOR_QUALCOMM=y
 CONFIG_QCOM_EMAC=y
 # CONFIG_RMNET is not set
@@ -1850,7 +1865,7 @@
 CONFIG_NET_VENDOR_REALTEK=y
 # CONFIG_8139CP is not set
 # CONFIG_8139TOO is not set
-CONFIG_R8169=y
+CONFIG_R8169=m
 CONFIG_NET_VENDOR_RENESAS=y
 CONFIG_NET_VENDOR_ROCKER=y
 CONFIG_NET_VENDOR_SAMSUNG=y
@@ -2226,6 +2241,7 @@
 # CONFIG_I2C_VIRTIO is not set
 # end of I2C Hardware Bus support
 
+# CONFIG_I2C_STUB is not set
 # CONFIG_I2C_SLAVE is not set
 # CONFIG_I2C_DEBUG_CORE is not set
 # CONFIG_I2C_DEBUG_ALGO is not set
@@ -3612,11 +3628,7 @@
 CONFIG_SECURITY_LOADPIN_ENFORCE=y
 # CONFIG_SECURITY_YAMA is not set
 # CONFIG_SECURITY_SAFESETID is not set
-CONFIG_SECURITY_LOCKDOWN_LSM=y
-# CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is not set
-CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
-# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
-# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_SECURITY_LOCKDOWN_LSM is not set
 CONFIG_SECURITY_LANDLOCK=y
 CONFIG_INTEGRITY=y
 # CONFIG_INTEGRITY_SIGNATURE is not set
@@ -3676,6 +3688,7 @@
 CONFIG_CRYPTO_PCRYPT=y
 CONFIG_CRYPTO_CRYPTD=y
 CONFIG_CRYPTO_AUTHENC=y
+# CONFIG_CRYPTO_TEST is not set
 CONFIG_CRYPTO_SIMD=y
 CONFIG_CRYPTO_ENGINE=y
 
@@ -3824,7 +3837,7 @@
 # CONFIG_CRYPTO_DEV_ATMEL_ECC is not set
 # CONFIG_CRYPTO_DEV_ATMEL_SHA204A is not set
 CONFIG_CRYPTO_DEV_CCP=y
-CONFIG_CRYPTO_DEV_CCP_DD=y
+CONFIG_CRYPTO_DEV_CCP_DD=m
 CONFIG_CRYPTO_DEV_SP_PSP=y
 # CONFIG_CRYPTO_DEV_QAT_DH895xCC is not set
 # CONFIG_CRYPTO_DEV_QAT_C3XXX is not set
@@ -3916,7 +3929,7 @@
 # CONFIG_CRC8 is not set
 CONFIG_XXHASH=y
 # CONFIG_RANDOM32_SELFTEST is not set
-CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_INFLATE=m
 CONFIG_LZ4_COMPRESS=y
 CONFIG_LZ4_DECOMPRESS=y
 CONFIG_ZSTD_COMPRESS=y
@@ -4098,6 +4111,7 @@
 CONFIG_BOOTPARAM_HUNG_TASK_PANIC=y
 CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=1
 CONFIG_WQ_WATCHDOG=y
+# CONFIG_TEST_LOCKUP is not set
 # end of Debug Oops, Lockups and Hangs
 
 #
@@ -4223,6 +4237,7 @@
 # CONFIG_FTRACE_STARTUP_TEST is not set
 # CONFIG_RING_BUFFER_STARTUP_TEST is not set
 # CONFIG_RING_BUFFER_VALIDATE_TIME_DELTAS is not set
+# CONFIG_PREEMPTIRQ_DELAY_TEST is not set
 # CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
 # CONFIG_SAMPLES is not set
 CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y
@@ -4270,6 +4285,7 @@
 # CONFIG_RBTREE_TEST is not set
 # CONFIG_REED_SOLOMON_TEST is not set
 # CONFIG_INTERVAL_TREE_TEST is not set
+# CONFIG_PERCPU_TEST is not set
 # CONFIG_ATOMIC64_SELFTEST is not set
 # CONFIG_TEST_HEXDUMP is not set
 # CONFIG_STRING_SELFTEST is not set
@@ -4285,10 +4301,18 @@
 # CONFIG_TEST_RHASHTABLE is not set
 # CONFIG_TEST_HASH is not set
 # CONFIG_TEST_IDA is not set
+# CONFIG_TEST_LKM is not set
+# CONFIG_TEST_BITOPS is not set
+# CONFIG_TEST_VMALLOC is not set
+# CONFIG_TEST_USER_COPY is not set
+# CONFIG_TEST_BPF is not set
+# CONFIG_TEST_BLACKHOLE_DEV is not set
 # CONFIG_FIND_BIT_BENCHMARK is not set
 # CONFIG_TEST_FIRMWARE is not set
 # CONFIG_TEST_SYSCTL is not set
 # CONFIG_TEST_UDELAY is not set
+# CONFIG_TEST_STATIC_KEYS is not set
+# CONFIG_TEST_KMOD is not set
 # CONFIG_TEST_MEMCAT_P is not set
 # CONFIG_TEST_STACKINIT is not set
 # CONFIG_TEST_MEMINIT is not set