Skip to content

[WIP] Add firmware exclusion class#3794

Draft
acostach wants to merge 16 commits intomasterfrom
wip_firmware_exclusion
Draft

[WIP] Add firmware exclusion class#3794
acostach wants to merge 16 commits intomasterfrom
wip_firmware_exclusion

Conversation

@acostach
Copy link
Copy Markdown
Contributor

@acostach acostach commented Jan 23, 2026

Contributor checklist

Reviewer Guidelines

  • When submitting a review, please pick:
    • 'Approve' if this change would be acceptable in the codebase (even if there are minor or cosmetic tweaks that could be improved).
    • 'Request Changes' if this change would not be acceptable in our codebase (e.g. bugs, changes that will make development harder in future, security/performance issues, etc).
    • 'Comment' if you don't feel you have enough information to decide either way (e.g. if you have major questions, or you don't understand the context of the change sufficiently to fully review yourself, but want to make a comment)

@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 23, 2026 18:24 — with GitHub Actions Inactive
@acostach acostach had a problem deploying to sign.balena-cloud.com January 23, 2026 18:26 — with GitHub Actions Failure
@flowzone-app
Copy link
Copy Markdown
Contributor

flowzone-app bot commented Jan 23, 2026
edited
Loading

Website deployed to CF Pages, 👀 preview link https://a382a4ff.balena-os.pages.dev

@flowzone-app flowzone-app bot enabled auto-merge January 23, 2026 18:27
@acostach acostach force-pushed the wip_firmware_exclusion branch from 7c4ad43 to 071a6bc Compare January 24, 2026 11:47
@acostach acostach temporarily deployed to balena-cloud.com January 24, 2026 11:47 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 24, 2026 11:47 — with GitHub Actions Inactive
@acostach acostach temporarily deployed to balena-cloud.com January 24, 2026 11:47 — with GitHub Actions Inactive
ycardaillac
ycardaillac reviewed Jan 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@ycardaillac ycardaillac left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've a few remark regarding the tools to create the non essential file.

I'm also wondering if we couldn't use external tools to create a non essential firmware list and/or a essential firmware list, and just use those as explicit list of packages that should end up in our distro. Would that be possible? Would that simplify things a bit?

Comment thread meta-balena-common/classes/balena-firmware-exclusion.bbclass
]
}

# Parse WHENCE files to obtain the list of firmware files
Copy link
Copy Markdown
Contributor

@ycardaillac ycardaillac Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@acostach, can we add a comment about the whence_map that is returned? It would be overkill to extract even more function to make it more readable, but it would be great to have the bigger picture right ahead, and know what data format is returned.

Copy link
Copy Markdown
Contributor Author

@acostach acostach Feb 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, the whence map is a dictionary of drivers and their associated firmware files:

whence_map = {
    "iwlwifi": [
        "iwlwifi-9260-th-b0-jf-b0-34.ucode",
        "iwlwifi-9260-th-b0-jf-b0-38.ucode",
        ...
    ],
    "ath9k": [
        "ar9271.fw",
        "htc_9271.fw"
    ]
}

Comment thread meta-balena-common/classes/balena-firmware-exclusion.bbclass
Comment thread meta-balena-common/classes/balena-firmware-exclusion.bbclass
Comment thread meta-balena-common/classes/balena-firmware-exclusion.bbclass Outdated
Comment thread meta-balena-common/classes/image-balena.bbclass
d.appendVar('BAD_RECOMMENDATIONS', " " + bad_str)
bb.note(f"Policy applied: Excluded {len(extra_bad)} firmware packages.")
except Exception as e:
bb.fatal(f"Failed to enforce firmware exclusion policy: {str(e)}")
Copy link
Copy Markdown
Contributor

@ycardaillac ycardaillac Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you confirm that this is making any firmware present in nonessential_firmware.txt, that would have ended up in the image, caught and added to BAD_RECOMMENDATIONS, and hence not installed?

Copy link
Copy Markdown
Contributor Author

@acostach acostach Feb 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ycardaillac adding files to BAD_RECOMMENDATIONS only removes packages from RRECOMENDS, packages installed through other methods still end up in the image, but they are included in the nonessential_firmware.txt and when the files in this file are found in the image manifest, the build fails.

The alternative would be adding them to PACKAGES_EXCLUDE, but that may trigger build failures which are reportedly more difficult to debug, so we compare the non-essential firmware list to the final manifest and report the packages which shouldn't have been installed, so we can either add them to the WHITELIST or find what installs them and do the removal

@acostach
Copy link
Copy Markdown
Contributor Author

acostach commented Feb 2, 2026

/rebase

@acostach
classes/image-balena: Perform audit of installed linux-firmware packages
1ab5a28 
During linux-firmware recipe build a list of non-essential
packages is created. After the rootfs is generated we compare
that to the image manifest and fail the build if any of them
made it into the image.

These packages can be installed by adding them to the
BALENA_ALLOWED_FIRMWARE_PACKAGES whitelist.

Change-type: patch
Signed-off-by: Alexandru Costache <alexandru@balena.io>
@acostach
meta-balena-common/recipes-kernel: Add a local WHENCE for linux-firmware
8397d38 
This extends the linux-firmware WHENCE and provides
file paths for drivers which are not correctly
specified in the upstream WHENCE, or not listed
at all.

Signed-off-by: Alexandru Costache <alexandru@balena.io>
@acostach
classes: Add non-essential firmware exclusion class
e0d10cb 
We add a new class which maps all packages
provided by the linux-firmware recipe to
drivers and categories, and creates a list
of packages which should be excluded from
the final OS image.

Mapping is performed by comparing the files
shipped by packages to the WHENCE listing.

Signed-off-by: Alexandru Costache <alexandru@balena.io>
@acostach
recipes-core/packagegroups: Separate and avoid including BT firmware …
7185c8c 
…by default

Signed-off-by: Alexandru Costache <alexandru@balena.io>
@acostach
recipes-kernel/linux-firmware: Override qca packaging
07334af 
.. to check if any non BT firmware gets included in the package.
The qca and btqca drivers handle Bluetooth only, and this helps us check
if any device repository introduces connectivity firmware in it.

Signed-off-by: Alexandru Costache <alexandru@balena.io>
@acostach
classes/balena-firmware-exclusion: Create report of all packages and …
4d4ca35 
…their sizes

... after compression is run. Some devices may disable compression
in their board repository, if they run older kernels.

Signed-off-by: Alexandru Costache <alexandru@balena.io>
@acostach
recipes-core/packagegroups: Centralize shipped firmware
617a24e 
We bring all the common firmware from the rest of the
layers to the common layer, for easier management.

Signed-off-by: Alexandru Costache <alexandru@balena.io>
@acostach
distro: Categorize linux-firmware by interfaces
f7c9e49 
Some firmware packages are used by M.2, or USB or Mini PCIE
Wifi modules, so let's group them into such categories,
so we can later remove them for device-types which
don't have the required interfaces. For example,
a RaspberryPi Zero has an USB port but no M.2 or PCIE connectors.

Signed-off-by: Alexandru Costache <alexandru@balena.io>
@acostach
packagegroups/packagegroup-balena-connectivity: Filter connectivity i…
43dc291 
…nstalled by meta-balena based on available hardware interfaces

In this commit we dinamically update the linux-firmware packages
installed by meta-balena for each device-type based on the
hardware interfaces it supports.

This assumes each device type defines a list of supported
hardware interfaces at device integration repository level.

Signed-off-by: Alexandru Costache <alexandru@balena.io>
@acostach
classes/balena-firmware-exclusion: Add extra check for linux-firmware…
3253dac 
… packages

We add the linux-firmware packages installed by meta-balena
and which are not supported by the device-type specific
interfaces to the list of blacklisted packages, to ensure
the final audit catches any packages which should not have been
installed.

Signed-off-by: Alexandru Costache <alexandru@balena.io>
@acostach
Copy link
Copy Markdown
Contributor Author

acostach commented Feb 19, 2026
edited
Loading

For Pi4-64 the following packages are removed, because it lacks the required features (only has features_USB).

Device-repository branch used: https://github.com/balena-os/balena-raspberrypi/tree/acostach/add_machine_features

linux-firmware-iwlwifi-135-6 all 1:20240909-r0
linux-firmware-iwlwifi-3160 all 1:20240909-r0
linux-firmware-iwlwifi-6000-4 all 1:20240909-r0
linux-firmware-iwlwifi-6000g2a-6 all 1:20240909-r0
linux-firmware-iwlwifi-6000g2b-6 all 1:20240909-r0
linux-firmware-iwlwifi-6050-5 all 1:20240909-r0
linux-firmware-iwlwifi-7260 all 1:20240909-r0
linux-firmware-iwlwifi-7265 all 1:20240909-r0
linux-firmware-iwlwifi-7265d all 1:20240909-r0
linux-firmware-iwlwifi-8000c all 1:20240909-r0
linux-firmware-iwlwifi-8265 all 1:20240909-r0
linux-firmware-iwlwifi-9260 all 1:20240909-r0
linux-firmware-iwlwifi-license all 1:20240909-r0
linux-firmware-rtl8192su all 1:20240909-r0
linux-firmware-rtl8723b-bt all 1:20240909-r0
linux-firmware-ti-connectivity-license all 1:20240909-r0
linux-firmware-wl12xx all 1:20240909-r0
linux-firmware-wl18xx all 1:20240909-r0
linux-firmware-wlcommon all 1:20240909-r0

@acostach
Copy link
Copy Markdown
Contributor Author

acostach commented Feb 19, 2026
edited
Loading

Following packges are removed from iot-gate-imx8. Device repository branch used: https://github.com/balena-os/balena-iot-gate-imx8

linux-firmware-rtl8192su all 1:20240909-r0
linux-firmware-rtl8723b-bt all 1:20240909-r0
linux-firmware-ti-connectivity-license all 1:20240909-r0
linux-firmware-wl12xx all 1:20240909-r0
linux-firmware-wl18xx all 1:20240909-r0
linux-firmware-wlcommon all 1:20240909-r0

@acostach
Copy link
Copy Markdown
Contributor Author

acostach commented Feb 19, 2026
edited
Loading

For RPI CM4 IO-BOARD, the following packages are removed, using the following branch: https://github.com/balena-os/balena-raspberrypi/tree/acostach/add_machine_features

linux-firmware-ti-connectivity-license all 1:20240909-r0
linux-firmware-wl12xx all 1:20240909-r0
linux-firmware-wlcommon all 1:20240909-r0

@acostach
include/balena-os: Switch to using upstream MACHINE_FEATURES where ap…
941a100 
…plicable

We no longer diferentiate by form factor for PCI devices,
and thus include all PCI firmware where upstream
sets "pci" in MACHINE_FEATURES.

Signed-off-by: Alexandru Costache <alexandru@balena.io>
acostach
acostach commented Feb 24, 2026
View reviewed changes
Comment thread meta-balena-common/conf/distro/include/balena-os.inc
linux-firmware-iwlwifi-7265 \
linux-firmware-iwlwifi-8000c \
linux-firmware-iwlwifi-8265 \
linux-firmware-rtl8723 \
Copy link
Copy Markdown
Contributor Author

@acostach acostach Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TODO: Remove duplicates, must be a typo

acostach and others added 5 commits February 25, 2026 13:10
@acostach
classes/image-balena: Don't fail build if non-essential firmware is f…
64d641b 
…ound

Signed-off-by: Alexandru Costache <alexandru@balena.io>
@acostach
classes/balena-firmware-exclusion: Do not fail build package is not l…
ed0af9b 
…isted in WHENCE

This speeds up testing, because the issues can be extracted
from the build outputs. Also, if the build passes, the manifest
is made available for checking.

Signed-off-by: Alexandru Costache <alexandru@balena.io>
@ycardaillac
initial sorting mechanism
9bb4778
@ycardaillac
refacto
1b6dc0d
@ycardaillac
fail at the first error
f8d5aae 
Signed-off-by: Yann CARDAILLAC <yann.cardaillac@balena.io>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ycardaillac ycardaillac ycardaillac left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@acostach @ycardaillac