Adds dtparam=pciex1_gen=3 to config.txt overlay. Benchmarked Gen 2 baseline
on all 3 pg nodes showing consistent ~375 MB/s write throughput, bottlenecked
by the Gen 2 x1 lane limit.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
On fresh SBC images, the EFI partition has sd-boot UKI files but no
GRUB config. During upgrade, Probe() found sd-boot and used it, which
failed because RPi5/CM5 firmware lacks EFI SetVariableRT support.
Add arm64 guard to Probe(): when no GRUB config is found, skip sd-boot
probing and return a fresh GRUB config. This transitions from sd-boot
to GRUB on the first upgrade from a fresh flash.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Patch 0005 fixes talosctl upgrade on SBC layouts (RPi5/CM5) where
the disk has no separate BOOT (XFS) partition — only EFI (VFAT).
Falls back to mounting EFI at /boot for probe, install, and revert.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Talos assumes bare metal kernels support open_tree on anonymous FS
(added in 6.15). The RPi downstream kernel (6.12.x) does not, causing
shadow bind mount failures for /etc files and cascading network init
failures. This patch removes the InContainer() gate so the capability
check runs on all platforms.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ip6_gre.ko exists in Talos upstream module list (v1.12.4) but not
in the RPi downstream kernel build. Only add it to the removal side
of the patch, not our custom module list.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The hardcoded job-level PATH env wiped out nvm/node, breaking
actions/checkout. Use GITHUB_PATH to prepend GNU sed's gnubin
directory while preserving the runner's inherited PATH.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Talos v1.12.4 added kernel/net/ipv6/ip6_gre.ko to modules-arm64.txt.
Update our patch to match. Also silence gmake checkouts-clean stdout
in auto-update.sh to prevent it leaking into GITHUB_OUTPUT.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
BSD sed on macOS requires `sed -i ''` but auto-update.sh uses GNU
`sed -i` syntax. The workflows installed gnu-sed via Homebrew but
never added it to PATH, causing "invalid command code M" failures.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
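
The three macOS-runner fixes above (gnubin via GITHUB_PATH instead of a job-level PATH, keeping stray stdout out of GITHUB_OUTPUT, and the BSD vs GNU `sed -i` mismatch) as reusable shell helpers. This is an added example, not the project's own auto-update.sh or workflow code; the helper names and the Homebrew gnubin path in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the project's scripts. Helper names are my own.
set -eu

# Pick a GNU sed: Homebrew's gnu-sed installs it as `gsed`; on Linux plain
# `sed` is already GNU. Returns 1 when only BSD sed is available.
gnu_sed_bin() {
  if command -v gsed >/dev/null 2>&1; then
    echo gsed
  elif sed --version 2>/dev/null | grep -q 'GNU sed'; then
    echo sed
  else
    return 1
  fi
}

# In-place edit that works on both GNU and BSD sed. GNU takes `-i` with an
# optional *attached* suffix; BSD needs a separate suffix argument, so
# `sed -i '' -e ...` on GNU would treat '' as a file name and fail.
# usage: sed_inplace '<sed script>' <file>
sed_inplace() {
  script=$1; file=$2
  if bin=$(gnu_sed_bin); then
    "$bin" -i -e "$script" "$file"
  else
    sed -i '' -e "$script" "$file"
  fi
}

# Prepend a directory to PATH for this and later steps. Appending to
# $GITHUB_PATH (which the commit above relies on act_runner honouring)
# keeps the runner's inherited PATH, unlike a hardcoded job-level env PATH.
# usage: ci_prepend_path "$(brew --prefix gnu-sed)/libexec/gnubin"   # path assumed
ci_prepend_path() {
  dir=$1
  [ -z "${GITHUB_PATH:-}" ] || printf '%s\n' "$dir" >> "$GITHUB_PATH"
  PATH="$dir:$PATH"; export PATH
}

# Run a command for its side effects, routing its stdout to stderr so it
# still shows in the job log but cannot land in a stdout stream that the
# step is capturing into $GITHUB_OUTPUT.
run_quiet() { "$@" 1>&2; }

# Record one key=value step output, refusing multi-line values (those need
# the delimiter syntax and are a common way to corrupt the outputs file).
ci_set_output() {
  key=$1; value=$2
  nl=$(printf '\n.'); nl=${nl%.}
  case "$value" in
    *"$nl"*) echo "ci_set_output: refusing multi-line value for $key" >&2; return 1 ;;
  esac
  printf '%s=%s\n' "$key" "$value" >> "${GITHUB_OUTPUT:?GITHUB_OUTPUT is not set}"
}
```

In a workflow step the pattern is `run_quiet gmake checkouts-clean` followed by `ci_set_output talos_version "$ver"`; any chatter from gmake goes to the log, and only the intended key reaches the outputs file.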
Push the full installer tar with crane first (preserving all layers),
then re-wrap with docker buildx to add provenance and SBOM attestation
for Docker Scout compliance. Buildx can pull the image from the registry
since crane already pushed it, avoiding the docker-container driver
limitation with locally loaded images.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The docker buildx build wrapper with docker-container driver cannot
access locally loaded images, causing it to only capture the first
layer (22MB base) and drop the kernel (~98MB) and overlay (~3MB).
Switch back to crane push which pushes the tar as-is, preserving
all 3 layers. Attestation args remain on actual build steps where
buildx works correctly.
Fixes broken tags: v1.12.3-k6.12.47-3, v1.12.3-k6.12.47-4
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
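
The layer loss described in the two commits above (buildx re-wrapping a locally loaded image and shipping only the 22MB base layer) is the kind of regression a post-push check should catch before a tag is published. The following is an added example, not the project's Makefile: in CI the manifest would come from `crane manifest "$ref" > manifest.json`; here two constructed manifests with placeholder digests and approximate sizes let the check run offline.

```shell
#!/usr/bin/env bash
# Added example, not the project's code. Manifests below are constructed.
set -eu

# Number of entries in the manifest's "layers" array, read from stdin.
# Pure tr/sed/grep so it needs no jq; with jq it is `jq '.layers | length'`.
count_layers() {
  tr -d '\n' \
    | sed -n 's/.*"layers"[[:space:]]*:[[:space:]]*\[\(.*\)].*/\1/p' \
    | grep -o '"digest"' | wc -l | tr -d ' '
}

# Fail unless <manifest-file> has at least <min> layers; prints the count.
# usage: require_layers _out/manifest.json 3
require_layers() {
  file=$1; min=$2
  n=$(count_layers < "$file")
  if [ "$n" -lt "$min" ]; then
    echo "$file: $n layer(s), expected at least $min; refusing to tag" >&2
    return 1
  fi
  echo "$n"
}

# Constructed manifest for a healthy installer: base, kernel, overlay.
write_full_manifest() {
  cat > "$1" <<'EOF'
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "size": 2048,
    "digest": "sha256:0000000000000000000000000000000000000000000000000000000000000000"
  },
  "layers": [
    { "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "size": 23068672,
      "digest": "sha256:1111111111111111111111111111111111111111111111111111111111111111" },
    { "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "size": 102760448,
      "digest": "sha256:2222222222222222222222222222222222222222222222222222222222222222" },
    { "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "size": 3145728,
      "digest": "sha256:3333333333333333333333333333333333333333333333333333333333333333" }
  ],
  "annotations": { "org.opencontainers.image.version": "v1.12.3-k6.12.47-5" }
}
EOF
}

# Constructed manifest reproducing the broken tags: only the base layer.
write_truncated_manifest() {
  cat > "$1" <<'EOF'
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "size": 2048,
    "digest": "sha256:0000000000000000000000000000000000000000000000000000000000000000"
  },
  "layers": [
    { "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "size": 23068672,
      "digest": "sha256:1111111111111111111111111111111111111111111111111111111111111111" }
  ]
}
EOF
}
```

In the release target this sits between the crane push and the retag: `crane manifest svrnty/talos-rpi5:$TAG > _out/manifest.json && require_layers _out/manifest.json 3`, so a one-layer image never gets a release tag.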
CM5 on Compute Blade doesn't have an SD slot for booting Raspberry Pi
OS. Use rpiboot recovery mode over USB instead.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Documents the dd + EEPROM configuration approach for booting Talos
from NVMe on RPi5/CM5. Includes BOOT_ORDER, PCIE_PROBE settings,
and optional PCIe Gen 3 configuration.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
NVMe kernel driver is already built-in (CONFIG_BLK_DEV_NVME=y). The
expected approach is simply dd'ing the metal image to NVMe and setting
EEPROM BOOT_ORDER=0xf416 + PCIE_PROBE=1. Pending hardware validation.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
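
The NVMe boot procedure above (EEPROM BOOT_ORDER=0xf416 plus PCIE_PROBE=1) and the optional PCIe Gen 3 dtparam from the first commit on this page, as shell helpers that edit the config files idempotently and decode BOOT_ORDER so the value can be checked before it is flashed. This is an added example, not the project's documentation or scripts; function names are my own. On the Pi the surrounding flow is `sudo rpi-eeprom-config > boot.conf`, edit, then `sudo rpi-eeprom-config --apply boot.conf`; nothing below touches EEPROM or runs dd.

```shell
#!/usr/bin/env bash
# Added example, not the project's code. Operates on plain files only.
set -eu

# Set KEY=VALUE in a key=value file, replacing an existing line or
# appending. Idempotent, so re-running the setup is safe.
set_kv() {
  file=$1; key=$2; value=$3
  [ -f "$file" ] || : > "$file"
  if grep -q "^${key}=" "$file"; then
    tmp=$(mktemp)
    sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# Append a literal line once. Used for config.txt keys such as dtparam=
# that legitimately repeat, where set_kv would clobber sibling lines.
ensure_line() {
  file=$1; line=$2
  [ -f "$file" ] || : > "$file"
  grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Expand a BOOT_ORDER value into the devices the firmware tries, in order.
# Nibbles are consumed right to left, so 0xf416 is NVME, SD, USB-MSD,
# then RESTART (loop back to the first entry).
decode_boot_order() {
  hex=${1#0x}; out=""
  while [ -n "$hex" ]; do
    nib=${hex#"${hex%?}"}   # last character
    hex=${hex%?}
    case "$nib" in
      1) name=SD ;;        2) name=NETWORK ;;      3) name=RPIBOOT ;;
      4) name=USB-MSD ;;   5) name=BCM-USB-MSD ;;  6) name=NVME ;;
      7) name=HTTP ;;      [eE]) name=STOP ;;      [fF]) name=RESTART ;;
      *) name="UNKNOWN($nib)" ;;
    esac
    out="${out:+$out }$name"
  done
  echo "$out"
}

# Apply the NVMe boot settings from the commit to an EEPROM config dump
# and, when the third argument is "yes", request PCIe Gen 3 in config.txt.
# Prints the decoded boot order for a final eyeball check.
# usage: configure_nvme_boot boot.conf /boot/config.txt yes
configure_nvme_boot() {
  eeprom_conf=$1; config_txt=$2; gen3=${3:-no}
  set_kv "$eeprom_conf" BOOT_ORDER 0xf416
  set_kv "$eeprom_conf" PCIE_PROBE 1
  if [ "$gen3" = yes ]; then
    ensure_line "$config_txt" "dtparam=pciex1_gen=3"
  fi
  decode_boot_order "$(sed -n 's/^BOOT_ORDER=//p' "$eeprom_conf")"
}
```

Running `configure_nvme_boot` twice leaves exactly one BOOT_ORDER, one PCIE_PROBE and one dtparam line, and existing entries such as BOOT_UART survive, which matters when the dump is re-applied to the EEPROM.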
The overlay was using console=ttyAMA0 (GPIO 14/15) but the RPi5 debug
UART is ttyAMA10 (JST connector between HDMI ports on Pi5, test pads
TP35/TP36 on CM5). Also adds earlycon for early boot output and disables
GPIO UART on Pi5 in config.txt to avoid U-Boot compatibility issues.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Force GRUB instead of sd-boot on arm64 and pass --no-nvram to
grub-install, working around the SetVariableRT firmware limitation
that prevents in-place upgrades on RPi5/CM5 hardware.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove the 16K page override from the kernel patch, preserving
upstream Talos's default 4K pages. RPi5 hardware works correctly
with 4K pages — the RPi Foundation's 16K default is a TLB
performance optimization (~5%), not a hardware requirement.
Benefits:
- Correct memory accounting (4x less overhead per page)
- Full software compatibility (jemalloc, Longhorn, F2FS, etc.)
- No OOM surprises on control-plane nodes
- Aligned with upstream Talos kernel config
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Document SetVariableRT upgrade failure, 16K page size implications,
serial console issue, and SBC install disk behavior
- Add production roadmap (4K pages, GRUB boot, serial fix, NVMe)
- Make overlay Go patch conditional: apply only on Go 1.24.x,
skip on 1.25+ where CVEs are already fixed upstream
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Docker Scout requires buildx-style provenance+SBOM, not cosign
attestations. Replace crane push with docker load + buildx build
(--provenance=mode=max --sbom=true) for the installer image. Use
buildx imagetools create for the release tag to preserve attestations.
Remove cosign/syft from CI.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Move CI/CD, runner setup, secrets, and project structure to
TECHNICAL.md. Streamline README as a user-facing guide with
install/upgrade instructions. Fix Docker badges for arm64.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Attach cosign+syft SBOM attestations to crane-pushed installer and
release images to satisfy Docker Scout supply chain policy. Replace
docker tag/push with crane copy for the release target. Remove the
Scout CVE scan target and clean up release notes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add MPL 2.0 LICENSE file for compliance
- Add license section and upstream attribution to README
- Upgrade provenance attestation from mode=min to mode=max
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Patch sbc-raspberrypi5 overlay to use Go 1.24.13 (fixes 1C/7H/12M/1L CVEs)
- Add ATTESTATION_ARGS (--provenance=true --sbom=true) to all buildx targets
- Override upstream --provenance=false via TARGET_ARGS (last flag wins)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Rewrite check-upstream.sh to parse RPi kernel version from patch file
- Add auto-update.sh for automated version bumps with patch smoke test
- Rewrite check-updates.yaml as daily auto-build with issue fallback
- Update build.yaml release body to show Talos + kernel versions from tag
- Fix overlay dirty tag: remove --dirty from SBCOVERLAY_TAG git describe
(the sed rewrite of pkg.yaml is intentional, not an accidental change)
Tag strategy: v{TALOS}-k{KERNEL}-{BUILD} (e.g. v1.12.3-k6.12.47-1)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
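
The version logic that the tag strategy v{TALOS}-k{KERNEL}-{BUILD} above and the Go 1.24.x-only overlay patch gate from an earlier commit both call for: parsing a release tag into its parts, choosing the next free build number for a Talos/kernel pair, and deciding whether the Go patch applies. This is an added example, not the project's auto-update.sh or check-upstream.sh; function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not the project's scripts.
set -eu

# Split a release tag into its parts, printed one per line:
#   v1.12.3-k6.12.47-1  ->  1.12.3 / 6.12.47 / 1
# Rejects tags that do not end in a numeric build number.
parse_release_tag() {
  tag=$1
  case "$tag" in
    v[0-9]*-k[0-9]*-[0-9]*) ;;
    *) echo "malformed tag: $tag" >&2; return 1 ;;
  esac
  rest=${tag#v}
  talos=${rest%%-k*}
  rest=${rest#*-k}
  kernel=${rest%-*}
  build=${rest##*-}
  case "$build" in
    *[!0-9]*|'') echo "malformed build number in $tag" >&2; return 1 ;;
  esac
  printf '%s\n%s\n%s\n' "$talos" "$kernel" "$build"
}

# One component of a tag: 1 = Talos version, 2 = kernel version, 3 = build.
tag_component() { parse_release_tag "$1" | sed -n "${2}p"; }

# Next free build number for a Talos/kernel pair, given the existing tags on
# stdin (e.g. `git tag --list 'v*'`). Tags for other pairs, and tags with a
# non-numeric suffix, are ignored.
next_build() {
  talos=$1; kernel=$2; max=0
  while IFS= read -r t; do
    case "$t" in
      "v${talos}-k${kernel}-"*) b=${t##*-} ;;
      *) continue ;;
    esac
    case "$b" in *[!0-9]*|'') continue ;; esac
    if [ "$b" -gt "$max" ]; then max=$b; fi
  done
  echo $((max + 1))
}

# True when the overlay's Go toolchain patch should be applied: only on
# Go 1.24.x, since 1.25+ already carries the fixes upstream. Accepts
# "go1.24.13", "1.24.13" or "1.24"; returns 2 for unparsable input.
go_patch_applies() {
  v=${1#go}
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  case "$major" in *[!0-9]*|'') return 2 ;; esac
  case "$minor" in *[!0-9]*|'') return 2 ;; esac
  [ "$major" -eq 1 ] && [ "$minor" -eq 24 ]
}
```

A typical auto-update step reads the pinned Go version out of the overlay's pkg.yaml and does `if go_patch_applies "$go_ver"; then git apply patches/overlay-go.patch; fi`, and computes the tag as `v${talos}-k${kernel}-$(git tag --list 'v*' | next_build "$talos" "$kernel")`.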
Patch was stale — regenerated from the working checkout to match
the v1.12.3 hack/modules-arm64.txt index.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The talos patch was incorrectly replaced with pkgs-repo changes
(Pkgfile, kernel config). Restored the correct patch that modifies
hack/modules-arm64.txt in the talos checkout.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Regenerated patches to match current upstream checkouts:
- pkgs: updated kernel version, checksums, and config-arm64
- talos: reworked to patch Pkgfile, kernel config, and pkg.yaml
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add `scout` Makefile target that scans all 5 pushed images with
`docker scout quickview` and writes a summary to _out/scout-report.md
- Switch all CI workflow steps from `make` to `gmake` for GNU Make 4.x
- Add brew dependency step for make, gnu-sed, and crane
- Include CVE summary in Gitea release notes via jq JSON escaping
- Update `clean` target to remove _out/ directory
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The act_runner can't resolve Forgejo actions from Codeberg.
Use direct Gitea API calls for release creation and artifact
upload instead — simpler and no external dependencies.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Update workflows from linux/arm64 to macOS/arm64 runner labels.
Replace GitHub Actions for Docker setup with direct commands
compatible with Docker Desktop on macOS.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace DOCKERHUB_USERNAME/DOCKERHUB_TOKEN with the existing org-level
secrets. Use automatic GITHUB_TOKEN for Gitea release creation.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The image supports both RPi 5 and CM5 (same SoC/RP1), so talos-rpi5
is a better public-facing name. The internal build still produces
an installer image which gets retagged to svrnty/talos-rpi5:<tag>
in the release target.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>