feat: Kernel config validation tool (#16224)

Adds a Python-based kernel config checker that validates kernel .config files against a centralized JSON schema of required configurations. This catches unintentional config regressions during PR review.

Author: rlmenge

.github/workflows/check-kernel-configs.yml

@@ -0,0 +1,114 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+# This action checks that required kernel configs have not been removed or
+# modified to an undesirable value.
+name: Kernel Required Configs Check
+
+on:
+  push:
+    branches: [3.0*, fasttrack/*]
+    paths:
+      - 'SPECS/kernel*/config*'
+  pull_request:
+    branches: [3.0*, fasttrack/*]
+    paths:
+      - 'SPECS/kernel*/config*'
+
+jobs:
+  check:
+    name: Kernel configs check
+    runs-on: ubuntu-latest
+
+    steps:
+      # Checkout the branch of our repo that triggered this action
+      - name: Workflow trigger checkout
+        uses: actions/checkout@v4
+
+      - name: Get base commit for PRs
+        if: ${{ github.event_name == 'pull_request' }}
+        run: |
+          git fetch origin ${{ github.base_ref }}
+          echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> $GITHUB_ENV
+          echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"
+
+      - name: Get base commit for Pushes
+        if: ${{ github.event_name == 'push' }}
+        run: |
+          git fetch origin ${{ github.event.before }}
+          echo "base_sha=${{ github.event.before }}" >> $GITHUB_ENV
+          echo "Merging ${{ github.sha }} into ${{ github.event.before }}"
+
+      # For consistency, we use the same major/minor version of Python that Azure Linux ships
+      - name: Setup Python 3.12
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.12
+
+      - name: Get Python dependencies
+        run: python3 -m pip install -r toolkit/scripts/requirements.txt
+
+      # Check if kernel configs changed
+      - name: Check if config files changed
+        run: |
+          echo "Files changed: '$(git diff-tree --no-commit-id --name-only -r ${{ env.base_sha }} ${{ github.sha }})'"
+          changed_configs=$(git diff-tree --diff-filter=d --no-commit-id --name-only -r ${{ env.base_sha }} ${{ github.sha }} | { grep "SPECS/kernel.*/config.*$" || test $? = 1; })
+          echo "Files to validate: '${changed_configs}'"
+          echo "updated_configs<<EOF" >> $GITHUB_ENV
+          echo "${changed_configs}" >> $GITHUB_ENV
+          echo "EOF" >> $GITHUB_ENV
+
+      # Run kernel config checker against each changed config file
+      - name: Run kernel config checking script
+        if: ${{ env.updated_configs != '' }}
+        run: |
+          JSON_PATH="toolkit/scripts/kernel_config_checker/kernel_configs_json/azl3-os-required-kernel-configs.json"
+
+          # Extract kernel names that have overrides in the JSON (these are the kernels we track)
+          tracked_kernels=$(python3 -c "
+          import json
+          with open('${JSON_PATH}') as f:
+              data = json.load(f)
+          for o in data['overrides']:
+              print(o['name'])
+          ")
+          echo "Tracked kernels: ${tracked_kernels}"
+
+          failed=0
+          holder="${{ env.updated_configs }}"
+          for file in $holder; do
+            # Extract kernel name from path (e.g., SPECS/kernel-hwe/config -> kernel-hwe)
+            kernel_name=$(echo "$file" | sed 's|SPECS/\([^/]*\)/.*|\1|')
+
+            # Skip kernels that don't have overrides in the JSON
+            if ! echo "${tracked_kernels}" | grep -qx "${kernel_name}"; then
+              echo "============================================"
+              echo "Skipping: ${file} (kernel=${kernel_name} not tracked in JSON)"
+              echo "============================================"
+              continue
+            fi
+
+            # Determine architecture from filename
+            if [[ "$file" == *"aarch64"* ]]; then
+              arch="arm64"
+            else
+              arch="x86_64"
+            fi
+
+            echo "============================================"
+            echo "Checking: ${file} (kernel=${kernel_name}, arch=${arch})"
+            echo "============================================"
+
+            if ! (cd toolkit/scripts && python3 -m kernel_config_checker.check_config \
+              "../../${file}" \
+              kernel_config_checker/kernel_configs_json/azl3-os-required-kernel-configs.json \
+              "${kernel_name}" "${arch}"); then
+              failed=1
+            fi
+          done
+
+          if [ "$failed" -eq 1 ]; then
+            echo ""
+            echo "✗ One or more kernel config checks failed"
+            exit 1
+          fi

toolkit/scripts/kernel_config_checker/README.md

@@ -0,0 +1,196 @@
+# Kernel Config Checker
+
+A robust kernel configuration validation system using Pydantic v2 schemas. Supports default configurations and per-kernel overrides with architecture-specific settings.
+
+## Features
+
+- **Schema-based validation** - Uses Pydantic v2 for robust config validation
+- **Multi-architecture support** - Handles x86_64 and arm64 architectures
+- **Flexible overrides** - Default configs with per-kernel overrides
+- **Interactive config management** - Add new configs with guided prompts
+- **Config querying** - Check config values across all kernels/architectures
+- **Legacy conversion** - Tools to migrate existing configurations
+
+## Installation
+
+From the repo root, install the Python dependencies:
+
+```bash
+pip install -r toolkit/scripts/requirements.txt
+```
+
+All commands below should be run from `toolkit/scripts/`:
+
+```bash
+cd toolkit/scripts
+```
+
+## Usage
+
+### Check Kernel Config
+
+Validate a `.config` file against intentional configurations:
+
+```bash
+python -m kernel_config_checker.check_config /path/to/.config kernel_config_checker/kernel_configs_json/azl3-os-required-kernel-configs.json kernel-name architecture
+```
+
+Example:
+
+```bash
+python -m kernel_config_checker.check_config kernel.config kernel_config_checker/kernel_configs_json/azl3-os-required-kernel-configs.json kernel x86_64
+```
+
+### Add New Config
+
+Interactively add a new kernel configuration:
+
+```bash
+python -m kernel_config_checker.check_config --add-config kernel_config_checker/kernel_configs_json/azl3-os-required-kernel-configs.json
+```
+
+Features:
+
+- Add to default or override sections
+- Support for single or multiple architectures
+- Leave architectures blank to omit them from JSON
+- Create new override sections or use existing ones
+
+### Query Config Values
+
+Check a config value across all architectures and kernels:
+
+```bash
+python -m kernel_config_checker.check_config --check-all kernel_config_checker/kernel_configs_json/azl3-os-required-kernel-configs.json CONFIG_NAME
+```
+
+Example:
+
+```bash
+python -m kernel_config_checker.check_config --check-all kernel_config_checker/kernel_configs_json/azl3-os-required-kernel-configs.json CONFIG_DRM
+```
+
+## Configuration Schema
+
+The system uses a structured JSON schema with default and override sections:
+
+```json
+{
+  "default": {
+    "kernel_configs": [
+      {
+        "name": "CONFIG_EXAMPLE",
+        "values": [
+          {
+            "architecture": "x86_64",
+            "value": "y"
+          },
+          {
+            "architecture": "arm64", 
+            "value": "m"
+          }
+        ],
+        "justification": "Explanation for this config"
+      }
+    ]
+  },
+  "overrides": [
+    {
+      "name": "kernel-64k",
+      "kernel_configs": [
+        {
+          "name": "CONFIG_ARM64_64K_PAGES",
+          "values": [
+            {
+              "architecture": "arm64",
+              "value": "y"
+            }
+          ],
+          "justification": "needed for 64k page size"
+        }
+      ]
+    }
+  ]
+}
+```
+
+### Architecture Support
+
+- Configs can specify values for `x86_64`, `arm64`, or both
+- When adding configs, leaving an architecture blank omits it from the JSON
+- At least one architecture must be specified
+
+### Value Types
+
+- `y` - Built into kernel
+- `m` - Built as module  
+- `n` - Disabled ("is not set" or missing)
+- Custom values supported for specific configs
+
+## Project Structure
+
+```text
+toolkit/scripts/kernel_config_checker/
+├── schema/
+│   ├── __init__.py         # Package init
+│   ├── schema.py           # Pydantic schema definitions
+│   └── print_schema.py     # Schema utility
+├── kernel_configs_json/
+│   └── azl3-os-required-kernel-configs.json  # Main config file
+├── __init__.py             # Package init
+├── check_config.py         # Main checker and utilities
+└── README.md               # This file
+```
+
+## Examples
+
+### Adding a Config for Single Architecture
+
+```bash
+$ python -m kernel_config_checker.check_config --add-config test.json
+Adding new kernel configuration...
+Enter config name (e.g., CONFIG_EXAMPLE): CONFIG_X86_ONLY
+Enter values for each architecture (y/n/m or specific value, leave blank to skip):
+x86_64 value: y
+arm64 value: 
+Enter justification: Only needed on x86_64
+Add to [d]efault or [o]verride? [d]: d
+✓ Added CONFIG_X86_ONLY to default section
+```
+
+Results in:
+
+```json
+{
+  "name": "CONFIG_X86_ONLY",
+  "values": [
+    {
+      "architecture": "x86_64", 
+      "value": "y"
+    }
+  ],
+  "justification": "Only needed on x86_64"
+}
+```
+
+### Querying Config Values
+
+```bash
+$ python -m kernel_config_checker.check_config --check-all kernel_config_checker/kernel_configs_json/azl3-os-required-kernel-configs.json CONFIG_DRM
+Config: CONFIG_DRM
+  arm64: default=m, kernel-hwe=y
+  x86_64: default=m
+  ⚠️  Conflicts in: arm64
+  Reason: amdgpu - https://github.com/microsoft/azurelinux/pull/10612
+```
+
+## Contributing
+
+1. Ensure all configs have proper justifications
+2. Test schema validation after changes
+3. Use the add-config command for consistency
+4. Validate configs against actual kernel .config files
+
+## License
+
+This project follows the same licensing as the Azure Linux project.

toolkit/scripts/kernel_config_checker/__init__.py

@@ -0,0 +1,2 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.