<!DOCTYPE html>
<html dir="ltr" lang="en">
    <head>
        <meta charset='utf-8'>
        <title>2.1. Kernel Linux</title>
    </head>
    <body>

        <a href="index.html">GNU/Linux Index</a>

        <h1 id="kernel">2.1. Kernel Linux</h1>

        <p>Linux is a monolithic kernel, and a big one! Visit the
        <a href="http://www.fsfla.org/ikiwiki/selibre/linux-libre/">Linux Libre</a>
        and
        <a href="https://www.kernel.org/">Linux Non-Libre</a> pages for more links
        and information.</p>

        <p>Spectre-meltdown checker;</p>
        <pre>
        https://github.com/speed47/spectre-meltdown-checker/
        </pre>

        <h2 id="download">2.1.1. Download Linux Libre</h2>

        <p>Download the Linux source from
        <a href="http://linux-libre.fsfla.org/pub/linux-libre/releases/">linux-libre</a>,
        or use the port system;</p>

        <pre>
        $ mkdir ~/kernel
        $ cd ~/kernel
        $ cd linux-4.9.86/
        </pre>

        <p>graysky2's <a href="https://github.com/graysky2/kernel_gcc_patch/">kernel_gcc_patch</a> (<a href="https://github.com/graysky2/kernel_gcc_patch/archive/master.zip">master.zip</a>)
        adds more CPU options (FLAGS) for native builds.
        Check the <a href="ports/linux-gnu/Pkgfile">Pkgfile</a>
        for how the linux-gnu port is built.</p>

        <p>Check the version in the Makefile;</p>

        <pre>
        VERSION = 4
        PATCHLEVEL = 9
        SUBLEVEL = 86
        EXTRAVERSION = -gnu
        NAME = Roaring Lionus
        </pre>

        <p>In the cpu optimization patch, change the line;</p>

        <pre>
        depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
        </pre>

        <p>to (adding MPSC);</p>

        <pre>
        depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
        </pre>

        <p>Apply the additional cpu optimizations patch;</p>

        <pre>
        $ patch -p1 &lt; ../enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
        </pre>

        <p>Cleaning targets:</p>

        <pre>
        clean           - Remove most generated files but keep the config and
                    enough build support to build external modules
        mrproper        - Remove all generated files + config + various backup files
        distclean       - mrproper + remove editor backup and patch files
        </pre>

        <p>Prepare sources for configuration;</p>

        <pre>
        $ make distclean
        </pre>

        <h2 id="configure">2.1.2. Configure</h2>

        <p>The linux-gnu port comes with a default configuration file that is
        a good starting point for tuning the kernel to your needs. To
        configure the kernel automatically with support for your hardware,
        based on the modules loaded by the currently running kernel, run;</p>

        <pre>
        $ make localmodconfig
        </pre>

        <p>To get more information about the hardware, for example
        which graphics module (driver) is in use, run as root;</p>

        <pre>
        # lspci -nnk | grep -i vga -A3 | grep 'in use'
        Kernel driver in use: i915
        </pre>

        <p>Make configuration targets;</p>

        <pre>
        config          - Update current config utilising a line-oriented program
        nconfig         - Update current config utilising a ncurses menu based program
        menuconfig      - Update current config utilising a menu based program
        xconfig         - Update current config utilising a Qt based front-end
        gconfig         - Update current config utilising a GTK+ based front-end
        oldconfig       - Update current config utilising a provided .config as base
        localmodconfig  - Update current config disabling modules not loaded
        localyesconfig  - Update current config converting local mods to core
        silentoldconfig - Same as oldconfig, but quietly, additionally update deps
        defconfig       - New config with default from ARCH supplied defconfig
        savedefconfig   - Save current config as ./defconfig (minimal config)
        allnoconfig     - New config where all options are answered with no
        allyesconfig    - New config where all options are accepted with yes
        allmodconfig    - New config selecting modules when possible
        alldefconfig    - New config with all symbols set to default
        randconfig      - New config with random answer to all options
        listnewconfig   - List new options
        olddefconfig    - Same as silentoldconfig but sets new symbols to their default value
        kvmconfig       - Enable additional options for kvm guest kernel support
        xenconfig       - Enable additional options for xen dom0 and guest kernel support
        tinyconfig      - Configure the tiniest possible kernel
        </pre>

        <p>The following configuration tries to be generic about hardware
        support while addressing the requirements of applications such as
        qemu, docker, etc. For more information about hardening options read
        <a href="https://kernsec.org">kernsec.org</a>. Configure the kernel
        using ncurses;</p>

        <pre>
        $ make nconfig
        </pre>

        <pre>
            CONFIG_BUG_ON_DATA_CORRUPTION=y

            # Perform extensive checks on reference counting.
            CONFIG_REFCOUNT_FULL=y

            # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
            CONFIG_FORTIFY_SOURCE=y

        </pre>

        <h3 id="general">2.1.2.1 General Setup</h3>
        <dl>
            <dt>CONFIG_POSIX_MQUEUE=y</dt>
            <dd>POSIX Message Queues</dd>

            <dt>CONFIG_VMAP_STACK=y</dt>
            <dd>Use a virtually-mapped stack</dd>
            <dd>Adds guard pages to kernel stacks (not all architectures
            support this yet).</dd>

            <dt>CONFIG_CGROUPS=y</dt>
            <dd>Control Group support</dd>

            <dt>CONFIG_MEMCG=y</dt>
            <dd>Memory controller</dd>

            <dt>CONFIG_MEMCG_SWAP=y</dt>
            <dd>Swap controller</dd>

            <dt>CONFIG_MEMCG_SWAP_ENABLED=y</dt>
            <dd>Swap controller enabled by default</dd>

            <dt>CONFIG_BLK_CGROUP=y</dt>
            <dd>IO controller</dd>

            <dt>CONFIG_CGROUP_SCHED=y</dt>
            <dd>CPU controller</dd>

            <dt>CONFIG_FAIR_GROUP_SCHED=y</dt>
            <dd>Group scheduling for SCHED_OTHER</dd>

            <dt>CONFIG_CFS_BANDWIDTH=y</dt>
            <dd>CPU bandwidth provisioning for FAIR_GROUP_SCHED</dd>

            <dt>CONFIG_RT_GROUP_SCHED=y</dt>
            <dd>Group scheduling for SCHED_RR/FIFO</dd>

            <dt>CONFIG_CGROUP_PIDS=y</dt>
            <dd>PIDs controller</dd>

            <dd>Freezer controller</dd>
            <dd>HugeTLB controller</dd>
            <dd>Cpuset controller</dd>
            <dd>Include legacy /proc/&lt;pid&gt;/cpuset file</dd>
            <dd>Device controller</dd>
            <dd>Simple CPU accounting controller</dd>
            <dd>Perf controller</dd>
        </dl>

        <h4>Namespaces support</h4>
        <dl>
            <dd>UTS namespace</dd>
            <dd>IPC namespace</dd>
            <dd>User namespace</dd>
            <dd>PID Namespaces</dd>
            <dd>Network namespace</dd>
        </dl>

        <dl>

            <dt>CONFIG_COMPAT_BRK=n</dt>
            <dd>Disable heap randomization</dd>
            <dd>Dangerous; enabling this disables brk ASLR.</dd>

            <dt>CONFIG_SLAB_FREELIST_RANDOM=y</dt>
            <dd>Randomize allocator freelists.</dd>

            <dt>CONFIG_SLAB_FREELIST_HARDENED=y</dt>
            <dd>Harden slab freelist metadata.</dd>

            <dt>CONFIG_SLUB_DEBUG=y</dt>
            <dd>Enable SLUB debugging support</dd>
            <dd>Allow allocator validation checking to be enabled
            (see the "slub_debug=P" kernel command line parameter).</dd>

            <dt>CONFIG_CC_STACKPROTECTOR=y</dt>
            <dd>Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.</dd>

            <dt>CONFIG_CC_STACKPROTECTOR_STRONG=y</dt>
            <dd>Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.</dd>
        </dl>


        <h3 id="mod">2.1.2.2 Enable loadable module support</h3>
        <dl>

            <dt>CONFIG_MODULES=y</dt>
            <dd>Enable loadable module support</dd>
            <dd>To keep root from altering kernel memory via loadable modules,
            set CONFIG_MODULES=n.</dd>
            <dd>But if CONFIG_MODULES=y is needed, modules must at least be
            signed with a per-build key.</dd>

            <dt>CONFIG_DEBUG_SET_MODULE_RONX=y</dt>
            <dd>(prior to v4.11)</dd>

            <dt>CONFIG_STRICT_MODULE_RWX=y</dt>
            <dd>(since v4.11)</dd>

            <dt>CONFIG_MODULE_SIG=y</dt>
            <dd>Module signature verification</dd>

            <dt>CONFIG_MODULE_SIG_FORCE=y</dt>
            <dd>Require modules to be validly signed</dd>

            <dt>CONFIG_MODULE_SIG_ALL=y</dt>
            <dd>Automatically sign all modules</dd>

            <dt>CONFIG_MODULE_SIG_SHA512=y</dt>
            <dd>Sign modules with SHA-512</dd>
        </dl>
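        <p>An added example, not the page's own material: this POSIX shell script
        finds module files under a directory that carry no appended signature,
        which are exactly the files CONFIG_MODULE_SIG_FORCE=y would refuse to load.
        It relies on the "~Module signature appended~" marker the kernel's signing
        step writes after the signature; the demo files it checks are constructed
        inline, and the /lib/modules path in its comment is an assumption.</p>

```shell
#!/bin/sh
# Added example, not part of the LeetIO documentation: report kernel modules
# that carry no appended signature. A module signed at build time
# (CONFIG_MODULE_SIG_ALL=y) ends with the PKCS#7 signature followed by the
# 28-byte marker "~Module signature appended~\n"; with
# CONFIG_MODULE_SIG_FORCE=y the kernel refuses to load a module without a
# valid signature, so the files reported here are the ones that would fail.
# Marker presence only proves a signature was appended, not that it
# verifies against the kernel's key; that check happens at load time.

SIG_MARK='~Module signature appended~'

# module_bytes FILE: stream the raw ELF object, decompressing if needed
module_bytes() {
    case "$1" in
        *.ko.gz)  gzip -dc "$1" ;;
        *.ko.xz)  xz -dc "$1" ;;
        *.ko.zst) zstd -dc "$1" ;;
        *)        cat "$1" ;;
    esac
}

# module_is_signed FILE: exit 0 when the marker closes the file.
# $( ) strips the marker's trailing newline, so the 28 tail bytes compare
# equal to the 27-character SIG_MARK; NUL bytes (present at the end of an
# unsigned ELF) are dropped so the shell does not complain about them.
module_is_signed() {
    [ "$(module_bytes "$1" | tail -c 28 | tr -d '\000')" = "$SIG_MARK" ]
}

# unsigned_modules DIR: print every module file under DIR lacking the marker
unsigned_modules() {
    find "$1" -type f \( -name '*.ko' -o -name '*.ko.gz' \
                         -o -name '*.ko.xz' -o -name '*.ko.zst' \) |
    while read -r f; do
        module_is_signed "$f" || echo "$f"
    done
}

# Constructed demo tree (not real modules): one file with the marker, one
# without. On a real system the assumed call is:
#   unsigned_modules /lib/modules/$(uname -r)
DEMO=$(mktemp -d)
printf '%s' 'fake ELF body' > "$DEMO/unsigned.ko"
printf '%s\n' "fake ELF body PKCS7-PLACEHOLDER${SIG_MARK}" > "$DEMO/signed.ko"
echo "unsigned modules under $DEMO:"
unsigned_modules "$DEMO"
```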

        <h3 id="block">2.1.2.3 Enable the block layer</h3>
        <dl>
            <dt>CONFIG_BLK_DEV_THROTTLING=y</dt>
            <dd>Block layer bio throttling support</dd>

            <dt>CONFIG_IOSCHED_CFQ=y</dt>
            <dd>CFQ IO scheduler</dd>

            <dt>CONFIG_CFQ_GROUP_IOSCHED=y</dt>
            <dd>CFQ Group Scheduling support</dd>
        </dl>

        <h3 id="proc">2.1.2.4 Processor type and features</h3>

        <dl>
            <dt>CONFIG_DEFAULT_MMAP_MIN_ADDR=65536</dt>
            <dd>Low address space to protect from user allocation</dd>
            <dd>Disallow allocating the first 64k of memory.</dd>

            <dt>CONFIG_X86_VSYSCALL_EMULATION=n</dt>
            <dd>Enable vsyscall emulation</dd>
            <dd>Needed by programs built before 2013; some programs may
            still require it.</dd>
            <dd>Remove additional attack surface, unless you really
            need it.</dd>

            <dt>CONFIG_SECCOMP=y</dt>
            <dd>Enable seccomp to safely compute untrusted bytecode</dd>
            <dd>Provide userspace with seccomp BPF API for syscall attack surface reduction.</dd>

            <dt>CONFIG_SECCOMP_FILTER=y</dt>
            <dd>Provide userspace with seccomp BPF API for syscall attack surface reduction.</dd>

            <dt>CONFIG_KEXEC=n</dt>
            <dd>kexec system call</dd>
            <dd>Dangerous; enabling this allows replacement
            of running kernel.</dd>

            <dt>CONFIG_RANDOMIZE_BASE=y</dt>
            <dd>Randomize the address of the kernel image (KASLR)</dd>

            <dt>CONFIG_RANDOMIZE_MEMORY=y</dt>
            <dd>Randomize the kernel memory sections</dd>

            <dt>CONFIG_LEGACY_VSYSCALL_NONE=y</dt>
            <dd>vsyscall table for legacy applications (None)</dd>
            <dd>Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.</dd>

            <dt>CONFIG_COMPAT_VDSO=n</dt>
            <dd>Disable the 32-bit vDSO (needed for glibc 2.3.3)</dd>
            <dd>Dangerous; enabling this disables VDSO ASLR.</dd>

            <dt>CONFIG_MODIFY_LDT_SYSCALL=n</dt>
            <dd>Enable the LDT (local descriptor table)</dd>
            <dd>Remove additional attack surface, unless you really need them.</dd>
        </dl>

        <h3 id="acpi">2.1.2.5 Power management and ACPI options</h3>

        <dl>
            <dt>CONFIG_HIBERNATION=n</dt>
            <dd>Hibernation (aka 'suspend to disk')</dd>
            <dd>Dangerous; enabling this allows replacement of running
            kernel.</dd>

            <dt>CONFIG_ACPI_CUSTOM_METHOD=n</dt>
            <dd>Allow ACPI methods to be inserted/replaced at run time</dd>
            <dd>Dangerous; enabling this allows direct physical
            memory writing.</dd>
        </dl>


        <h3 id="bus">2.1.2.6 Bus options (PCI etc.)</h3>
        <h3 id="exec">2.1.2.7 Executable file formats / Emulations</h3>
        <dl>

            <dt>CONFIG_BINFMT_MISC=n</dt>
            <dd>Kernel support for MISC binaries</dd>
            <dd>Easily confused by misconfigured userspace, keep off.</dd>

            <dt>CONFIG_IA32_EMULATION</dt>
            <dd>Remove additional attack surface, unless you really need them.</dd>
            <dt>CONFIG_X86_X32</dt>
            <dd>Remove additional attack surface, unless you really need them.</dd>
        </dl>

        <h3 id="net">2.1.2.8 Networking support</h3>
        <h4>Networking options</h4>
        <dl>
            <dt>CONFIG_INET_DIAG=m</dt>
            <dd>INET: socket monitoring interface</dd>
            <dd>Support for INET (TCP, DCCP, etc) socket monitoring
            interface used by native Linux tools such as ss. ss is
            included in iproute2</dd>
            <dd>Prior to v4.1, assists heap memory attacks;
            best to keep interface disabled.</dd>

            <dt>CONFIG_BRIDGE=y</dt>
            <dd>802.1d Ethernet Bridging</dd>

            <dt>CONFIG_NET_SCHED=y</dt>
            <dd>QoS and/or fair queueing</dd>

            <dt>CONFIG_NET_CLS_CGROUP=y</dt>
            <dd>Control Group Classifier</dd>

            <dt>CONFIG_VSOCKETS=y</dt>
            <dd>Virtual Socket protocol</dd>

            <dt>CONFIG_VIRTIO_VSOCKETS=y</dt>
            <dd>virtio transport for Virtual Sockets</dd>

            <dt>CONFIG_NET_L3_MASTER_DEV=y</dt>
            <dd>L3 Master device support</dd>

            <dt>CONFIG_CGROUP_NET_PRIO=y</dt>
            <dd>Network priority cgroup</dd>

            <dt>CONFIG_CGROUP_NET_CLASSID=y</dt>
            <dd>Network classid cgroup</dd>

        </dl>

        <dl>
            <dt>CONFIG_NETFILTER=y</dt>
            <dd>Network packet filtering framework (Netfilter)</dd>

            <dt>CONFIG_NETFILTER_ADVANCED=y</dt>
            <dd>Advanced netfilter configuration</dd>

            <dt>CONFIG_BRIDGE_NETFILTER=y</dt>
            <dd>Bridged IP/ARP packets filtering</dd>

            <dt>CONFIG_NF_CONNTRACK=y</dt>
            <dd>Netfilter connection tracking support</dd>

            <dt>CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y</dt>
            <dd>"addrtype" address type match support</dd>

            <dt>CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y</dt>
            <dd>"conntrack" connection tracking match support</dd>

            <dt>CONFIG_NETFILTER_XT_MATCH_IPVS=y</dt>
            <dd>"ipvs" match support</dd>

            <dt>CONFIG_IP_VS=y</dt>
            <dd>IP virtual server support</dd>

            <dt>CONFIG_IP_VS_PROTO_TCP=y</dt>
            <dd>TCP load balancing support</dd>

            <dt>CONFIG_IP_VS_PROTO_UDP=y</dt>
            <dd>UDP load balancing support</dd>

            <dt>CONFIG_IP_VS_RR=y</dt>
            <dd>round-robin scheduling</dd>

            <dt>CONFIG_IP_VS_NFCT=y</dt>
            <dd>Netfilter connection tracking</dd>

            <dt>CONFIG_NF_CONNTRACK_IPV4=y</dt>
            <dd>IPv4 connection tracking support (required for NAT)</dd>

            <dt>CONFIG_NF_NAT_IPV4=y</dt>
            <dd>IPv4 NAT</dd>

            <dt>CONFIG_NF_NAT_MASQUERADE_IPV4=y</dt>
            <dd>IPv4 masquerade support</dd>

            <dt>CONFIG_IP_NF_IPTABLES=y</dt>
            <dd>IP tables support (required for filtering/masq/NAT)</dd>

            <dt>CONFIG_IP_NF_FILTER=y</dt>
            <dd>Packet filtering</dd>

            <dt>CONFIG_IP_NF_NAT=y</dt>
            <dd>iptables NAT support</dd>

            <dt>CONFIG_IP_NF_TARGET_MASQUERADE=y</dt>
            <dd>MASQUERADE target support</dd>

            <dt>CONFIG_IP_NF_TARGET_NETMAP=y</dt>
            <dd>NETMAP target support</dd>

            <dt>CONFIG_IP_NF_TARGET_REDIRECT=y</dt>
            <dd>REDIRECT target support</dd>

            <dt>CONFIG_SYN_COOKIES=y</dt>
            <dd>IP: TCP syncookie support</dd>
            <dd>Provides some protections against SYN flooding.</dd>

        </dl>

        <h3 id="drivers">2.1.2.9 Device Drivers</h3>

        <h4>Block devices</h4>
        <dl>
            <dt>CONFIG_VIRTIO_BLK=y</dt>
            <dd>This is the virtual block driver for virtio.</dd>
            <dd>For QEMU based VMMs.</dd>
            <dt>CONFIG_BLK_DEV_NBD=y</dt>
            <dd>Network block device support.</dd>
        </dl>

        <h4>SCSI device support</h4>
        <dl>
            <dt>CONFIG_SCSI_VIRTIO=y</dt>
            <dd>This is the virtual HBA driver for virtio.
            Enable it if the kernel will be used in a virtual machine.</dd>
        </dl>

        <h4>Multiple devices driver support (RAID and LVM)</h4>

        <dl>
            <dt>CONFIG_MD=y</dt>
            <dd>Multiple devices driver support (RAID and LVM)</dd>
            <dt>CONFIG_BLK_DEV_DM=y</dt>
            <dd>Device mapper support</dd>
            <dt>CONFIG_DM_THIN_PROVISIONING=y</dt>
            <dd>Thin provisioning target</dd>
        </dl>

        <h4>Network device support</h4>

        <dl>
            <dt>CONFIG_NETDEVICES=y</dt>
            <dd>Network device support</dd>

            <dt>CONFIG_NET_CORE=y</dt>
            <dd>Network core driver support</dd>

            <dt>CONFIG_DUMMY=y</dt>
            <dd>Dummy net driver support</dd>

            <dt>CONFIG_MACVLAN=y</dt>
            <dd>MAC-VLAN support</dd>
            <dd>This allows one to create virtual interfaces that map
            packets to or from specific MAC addresses to a particular
            interface. Macvlan devices can be added using the "ip" command
            from the iproute2 package.</dd>
            <dd>ip link add link &lt;real dev&gt; [ address MAC ] [ NAME ] type macvlan</dd>

            <dt>CONFIG_VXLAN=y</dt>
            <dd>Virtual eXtensible Local Area Network (VXLAN)</dd>

            <dt>CONFIG_TUN=y</dt>
            <dd>Universal TUN/TAP device driver support</dd>

            <dt>CONFIG_VETH=y</dt>
            <dd>Virtual ethernet pair device.</dd>

            <dt>CONFIG_VIRTIO_NET=y</dt>
            <dd>Virtio network driver.</dd>

            <dt>CONFIG_IPVLAN=n</dt>
            <dd>IP-VLAN support</dd>
            <dd>Requires ipv6</dd>
        </dl>

        <h4>Character devices</h4>
        <dl>
            <dt>CONFIG_DEVMEM=n</dt>
            <dd>/dev/mem virtual device support</dd>
            <dd>Do not allow direct physical memory access (but if you must have it, at least enable CONFIG_STRICT_DEVMEM mode...)</dd>

            <dd>Enable TTY</dd>
            <dd>Unix98 PTY support</dd>

            <dt>CONFIG_LEGACY_PTYS=n</dt>
            <dd>Legacy (BSD) PTY support</dd>
            <dd>Use the modern PTY interface (devpts) only.</dd>

            <dd>Support multiple instances of devpts</dd>

            <dt>CONFIG_DEVKMEM=n</dt>
            <dd>/dev/kmem virtual device support</dd>
            <dd>Dangerous; enabling this allows direct kernel
            memory writing.</dd>
        </dl>

        <h4>Virtio drivers</h4>
        <dl>
            <dt>CONFIG_VIRTIO_PCI=y</dt>
            <dd>PCI driver for virtio devices</dd>
        </dl>

        <h3 id="firm">2.1.2.10 Firmware Drivers</h3>
        <h3 id="fs">2.1.2.11 File systems</h3>
        <dl>
            <dd>Overlay filesystem support</dd>

            <dt>CONFIG_PROC_KCORE=n</dt>
            <dd>/proc/kcore support</dd>
            <dd>Dangerous; exposes kernel text image layout.</dd>

            <dd>HugeTLB file system support</dd>

            <dt>CONFIG_FUSE_FS=y</dt>
            <dd>FUSE (Filesystem in Userspace) support</dd>

        </dl>

        <h3 id="hack">2.1.2.12 Kernel hacking</h3>

        <dl>
            <dt>CONFIG_DEBUG=y</dt>

            <dt>CONFIG_DEBUG_RODATA=y</dt>
            <dd>prior to v4.11</dd>
            <dd>Make sure kernel page tables have safe permissions.</dd>

            <dt>CONFIG_DEBUG_KERNEL=y</dt>
            <dd>Kernel debugging</dd>

            <dt>CONFIG_STRICT_KERNEL_RWX=y</dt>
            <dd>since v4.11</dd>
            <dd>Make sure kernel page tables have safe permissions.</dd>

            <dt>CONFIG_PANIC_ON_OOPS=y</dt>
            <dd>Panic on Oops</dd>
            <dd>This feature is useful to ensure that the kernel does not do
            anything erroneous after an oops which could result in data
            corruption or other issues.</dd>

            <dt>CONFIG_PANIC_TIMEOUT=-1</dt>
            <dd>Reboot the device immediately if the kernel experiences an Oops.</dd>

            <dt>CONFIG_SCHED_STACK_END_CHECK=y</dt>
            <dd>Detect stack corruption on calls to schedule()</dd>
            <dd>Perform additional validation of various commonly targeted structures.</dd>

            <dt>CONFIG_DEBUG_LIST=y</dt>
            <dd>Debug linked list manipulation</dd>
            <dd>Perform additional validation of various commonly targeted structures.</dd>

            <dt>CONFIG_DEBUG_SG=y</dt>
            <dd>Debug SG table operations</dd>
            <dd>Perform additional validation of various commonly targeted structures.</dd>

            <dt>CONFIG_DEBUG_NOTIFIERS=y</dt>
            <dd>Debug notifier call chains</dd>
            <dd>Perform additional validation of various commonly
            targeted structures.</dd>

            <dt>CONFIG_DEBUG_CREDENTIALS=y</dt>
            <dd>Debug credential management</dd>
            <dd>Perform additional validation of various commonly
            targeted structures.</dd>

            <dt>CONFIG_STRICT_DEVMEM=y</dt>
            <dd>Filter access to /dev/mem</dd>
            <dd>Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)</dd>

            <dt>CONFIG_IO_STRICT_DEVMEM=y</dt>
            <dd>Filter I/O access to /dev/mem</dd>
            <dd>Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)</dd>

            <dt>CONFIG_DEBUG_WX=y</dt>
            <dd>Warn on W+X mappings at boot</dd>
            <dd>Report any dangerous memory permissions
            (not available on all archs).</dd>


        </dl>

        <h4>Compile-time checks and compiler options</h4>
        <dl>
            <dt>CONFIG_DEBUG_FS=y</dt>
            <dd>Debug Filesystem</dd>

        </dl>

        <h4>Memory Debugging</h4>
        <dl>
            <dt>CONFIG_PAGE_POISONING=y</dt>
            <dd>Poison pages after freeing</dd>
            <dd>Wipe higher-level memory allocations when they are freed
            (needs the "page_poison=1" kernel command line parameter).</dd>

            <dt>CONFIG_PAGE_POISONING_NO_SANITY=y</dt>
            <dd>Only poison, don't sanity check</dd>
            <dd>(If you can afford even more performance penalty,
            leave CONFIG_PAGE_POISONING_NO_SANITY=n)</dd>

            <dt>CONFIG_PAGE_POISONING_ZERO=y</dt>
            <dd>Use zero for poisoning instead of random data</dd>

        </dl>

        <h3 id="sec">2.1.2.13 Security options</h3>

        <dl>
            <dd>Enable access key retention support</dd>
            <dd>Enable register of persistent per-UID keyrings</dd>
            <dd>ENCRYPTED KEYS</dd>
            <dd>Diffie-Hellman operations on retained keys</dd>

            <dt>CONFIG_SECURITY=y</dt>
            <dd>Enable different security models</dd>
            <dd>Provide userspace with ptrace ancestry protections.</dd>

            <dt>CONFIG_HARDENED_USERCOPY=y</dt>
            <dd>Harden memory copies between kernel and userspace</dd>
            <dd>Perform usercopy bounds checking.</dd>

            <dt>CONFIG_SECURITY_SELINUX=n</dt>
            <dd>NSA SELinux Support</dd>
            <dt>CONFIG_SECURITY_SELINUX_DISABLE=n</dt>
            <dd>NSA SELinux runtime disable</dd>
            <dd>If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.</dd>

            <dt>CONFIG_SECURITY_APPARMOR=y</dt>
            <dd>AppArmor support</dd>
            <dd>This enables the AppArmor security module. Required userspace
            tools (if they are not included in your distribution) and further
            information may be found at <a href="apparmor.html">AppArmor</a>.</dd>
            <dt>CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1</dt>
            <dd>AppArmor boot parameter default value</dd>

            <dt>CONFIG_SECURITY_YAMA=y</dt>
            <dd>Yama support</dd>
            <dd>Provide userspace with ptrace ancestry protections.</dd>
        </dl>

        <h3 id="crypt">2.1.2.14 Cryptographic API</h3>

        <dl>
            <dt>CONFIG_CRYPTO_LRW</dt>
            <dd>Liskov-Rivest-Wagner, a tweakable, non-malleable, non-movable
            narrow-block cipher mode for dm-crypt.</dd>

            <dt>CONFIG_CRYPTO_RMD160=y</dt>
            <dt>CONFIG_CRYPTO_RMD256=y</dt>
            <dt>CONFIG_CRYPTO_RMD320=y</dt>
            <dd>RIPEMD 160/256/320 digest algorithm</dd>

            <dt>CONFIG_CRYPTO_SHA256=y</dt>
            <dd>SHA224 and SHA256 digest algorithms</dd>

            <dt>CONFIG_CRYPTO_SHA512=y</dt>
            <dd>SHA384 and SHA512 digest algorithms</dd>

            <dt>CONFIG_CRYPTO_WP512=y</dt>
            <dd>Whirlpool digest algorithms</dd>

            <dt>CONFIG_CRYPTO_DES3_EDE_X86_64=y</dt>
            <dd>DES and Triple DES EDE cipher algorithms</dd>

            <dt>CONFIG_CRYPTO_SERPENT=y</dt>
            <dd>Serpent cipher algorithm</dd>

            <dt>CONFIG_CRYPTO_TWOFISH=y</dt>
            <dd>Twofish cipher algorithm</dd>
        </dl>

        <pre>
        *   MD4 digest algorithm
        *   MD5 digest algorithm
        *   SHA1 digest algorithm
        *   Blowfish cipher algorithm
        *   AES cipher algorithms
        *   CAST5 (CAST-128) cipher algorithm
        *   CAST6 (CAST-256) cipher algorithm
        *   Deflate compression algorithm
        </pre>

        <h3 id="virt">2.1.2.15 Virtualization</h3>

        <dl>
            <dt>CONFIG_KVM=y</dt>
            <dd>Kernel-based Virtual Machine (KVM) support</dd>

            <dt>CONFIG_KVM_INTEL=y</dt>
            <dd>KVM for Intel processors support</dd>
            <dd>Provides support for KVM on Intel processors equipped with the VT extensions.</dd>

            <dt>CONFIG_KVM_AMD=y</dt>
            <dd>KVM for AMD processors support</dd>
            <dd>Provides support for KVM on AMD processors equipped with the
            AMD-V (SVM) extensions.</dd>

            <dt>CONFIG_KVM_DEVICE_ASSIGNMENT=n</dt>
            <dd>KVM legacy PCI device assignment support (DEPRECATED)</dd>

            <dt>CONFIG_VHOST_NET=y</dt>
            <dd>Host kernel accelerator for virtio net</dd>

            <dt>CONFIG_VHOST_VSOCK=y</dt>
            <dd>vhost virtio-vsock driver</dd>

            <dt>CONFIG_VHOST_CROSS_ENDIAN_LEGACY=y</dt>
            <dd>Cross-endian support for vhost</dd>
        </dl>

        <h3 id="lib">2.1.2.16 Library routines</h3>

        <h2 id="build">2.1.3. Build</h2>

        <p>Make targets;</p>

        <pre>
        Other generic targets:
          all             - Build all targets marked with [*]
        * vmlinux         - Build the bare kernel
        * modules         - Build all modules

        Documentation targets:
         Linux kernel internal documentation in different formats (Sphinx):
          htmldocs        - HTML
          latexdocs       - LaTeX
          pdfdocs         - PDF
          epubdocs        - EPUB
          xmldocs         - XML
          cleandocs       - clean all generated files

          make SPHINXDIRS="s1 s2" [target] Generate only docs of folder s1, s2
          valid values for SPHINXDIRS are: development-process media gpu 80211

          make SPHINX_CONF={conf-file} [target] use *additional* sphinx-build
          configuration. This is e.g. useful to build with nit-picking config.

         Linux kernel internal documentation in different formats (DocBook):
          htmldocs        - HTML
          pdfdocs         - PDF
          psdocs          - Postscript
          xmldocs         - XML DocBook
          mandocs         - man pages
          installmandocs  - install man pages generated by mandocs
          cleandocs       - clean all generated DocBook files

        Architecture specific targets (x86):
        * bzImage      - Compressed kernel image (arch/x86/boot/bzImage)
          install      - Install kernel using
                          (your) ~/bin/installkernel or
                          (distribution) /sbin/installkernel or
                          install to $(INSTALL_PATH) and run lilo
          fdimage      - Create 1.4MB boot floppy image (arch/x86/boot/fdimage)
          fdimage144   - Create 1.4MB boot floppy image (arch/x86/boot/fdimage)
          fdimage288   - Create 2.8MB boot floppy image (arch/x86/boot/fdimage)
          isoimage     - Create a boot CD-ROM image (arch/x86/boot/image.iso)
                          bzdisk/fdimage*/isoimage also accept:
                          FDARGS="..."  arguments for the booted kernel
                          FDINITRD=file initrd for the booted kernel

          i386_defconfig           - Build for i386
          x86_64_defconfig         - Build for x86_64

          make V=0|1 [targets] 0 => quiet build (default), 1 => verbose build
          make V=2   [targets] 2 => give reason for rebuild of target
          make O=dir [targets] Locate all output files in "dir", including .config
          make C=1   [targets] Check all c source with $CHECK (sparse by default)
          make C=2   [targets] Force check of all c source with $CHECK
          make RECORDMCOUNT_WARN=1 [targets] Warn about ignored mcount sections
          make W=n   [targets] Enable extra gcc checks, n=1,2,3 where
                        1: warnings which may be relevant and do not occur too often
                        2: warnings which occur quite often but may still be relevant
                        3: more obscure warnings, can most likely be ignored
                        Multiple levels can be combined with W=12 or W=123
        </pre>


        <pre>
        $ make -j $(nproc) bzImage modules
        </pre>

        <h2 id="install">2.1.5. Install</h2>
        <pre>
          modules_install - Install all modules to INSTALL_MOD_PATH (default: /)
          firmware_install- Install all firmware to INSTALL_FW_PATH
                            (default: $(INSTALL_MOD_PATH)/lib/firmware)
          modules_prepare - Set up for building external modules
          headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH
        </pre>

        <pre>
        $ sudo make modules_install
        $ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.9.86-gnu
        $ sudo cp System.map /boot/System.map-4.9.86-gnu
        </pre>

        <p>Update grub;</p>

        <pre>
        # grub-mkconfig -o /boot/grub/grub.cfg
        </pre>

        <h2 id="remove">2.1.6. Remove</h2>

        <pre>
        $ sudo rm -r /lib/modules/4.9.86-gnu
        $ sudo rm /boot/vmlinuz-4.9.86-gnu
        $ sudo rm /boot/System.map-4.9.86-gnu
        </pre>

        <a href="index.html">GNU/Linux Index</a>
        <p>This is part of the LeetIO System Documentation.
        Copyright (C) 2021
        LeetIO Team.
        See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
        for copying conditions.</p>

    </body>
</html>