<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<meta charset='utf-8'>
<title>2.1. Kernel Linux</title>
</head>
<body>
<a href="index.html">Core OS Index</a>
<h1 id="kernel">2.1. Kernel Linux</h1>
<p>Linux is a monolithic kernel, a big one! Visit the
<a href="http://www.fsfla.org/ikiwiki/selibre/linux-libre/">Linux Libre</a>
and
<a href="https://www.kernel.org/">Linux Non-Libre</a> pages for more links
and information.</p>
<p>Spectre-meltdown checker;</p>
<pre>
https://github.com/speed47/spectre-meltdown-checker/
</pre>
<h2 id="download">2.1.1. Download Linux Libre</h2>
<p>Download Linux Source from
<a href="http://linux-libre.fsfla.org/pub/linux-libre/releases/">linux libre</a>,
or using the port system;</p>
<pre>
$ mkdir ~/kernel
$ cd ~/kernel
$ cd linux-4.9.86/
</pre>
<p>The <a href="https://github.com/graysky2/kernel_gcc_patch/">graysky2</a> kernel_gcc_patch (<a href="https://github.com/graysky2/kernel_gcc_patch/archive/master.zip">master.zip</a>)
adds more CPU options (FLAGS) to GCC for native builds.
Check the <a href="ports/linux-gnu/Pkgfile">Pkgfile</a>
for instructions on how the linux-gnu port is built.</p>
<p>Check the version in the Makefile;</p>
<pre>
VERSION = 4
PATCHLEVEL = 9
SUBLEVEL = 86
EXTRAVERSION = -gnu
NAME = Roaring Lionus
</pre>
<p>In the cpu optimization patch, change;</p>
<pre>
depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
</pre>
<p>to;</p>
<pre>
depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
</pre>
<p>Apply additional cpu optimizations patch;</p>
<pre>
$ patch -p1 < ../enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
</pre>
<p>Cleaning targets:</p>
<pre>
clean - Remove most generated files but keep the config and
enough build support to build external modules
mrproper - Remove all generated files + config + various backup files
distclean - mrproper + remove editor backup and patch files
</pre>
<p>Prepare sources for configuration;</p>
<pre>
$ make distclean
</pre>
<h2 id="configure">2.1.2. Configure</h2>
<p>The linux-gnu port comes with a default configuration file that is
a good starting point for tuning the kernel to your needs. To
automatically configure the kernel with support for your hardware,
based on the modules loaded by the current kernel, run;</p>
<pre>
$ make localmodconfig
</pre>
<p>To get more information about the hardware, for example
which graphics module (driver) is in use, run as root;</p>
<pre>
# lspci -nnk | grep -i vga -A3 | grep 'in use'
Kernel driver in use: i915
</pre>
<p>Make configuration targets;</p>
<pre>
config - Update current config utilising a line-oriented program
nconfig - Update current config utilising a ncurses menu based program
menuconfig - Update current config utilising a menu based program
xconfig - Update current config utilising a Qt based front-end
gconfig - Update current config utilising a GTK+ based front-end
oldconfig - Update current config utilising a provided .config as base
localmodconfig - Update current config disabling modules not loaded
localyesconfig - Update current config converting local mods to core
silentoldconfig - Same as oldconfig, but quietly, additionally update deps
defconfig - New config with default from ARCH supplied defconfig
savedefconfig - Save current config as ./defconfig (minimal config)
allnoconfig - New config where all options are answered with no
allyesconfig - New config where all options are accepted with yes
allmodconfig - New config selecting modules when possible
alldefconfig - New config with all symbols set to default
randconfig - New config with random answer to all options
listnewconfig - List new options
olddefconfig - Same as silentoldconfig but sets new symbols to their default value
kvmconfig - Enable additional options for kvm guest kernel support
xenconfig - Enable additional options for xen dom0 and guest kernel support
tinyconfig - Configure the tiniest possible kernel
</pre>
<p>The following configuration tries to be generic about hardware
support while addressing the requirements of applications such as
qemu, docker, etc. For more information about hardening options read
<a href="https://kernsec.org">kernsec.org</a>. Configure the kernel
using ncurses;</p>
<pre>
$ make nconfig
</pre>
<pre>
CONFIG_BUG_ON_DATA_CORRUPTION=y
# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
</pre>
<h3 id="general">2.1.2.1 General Setup</h3>
<dl>
<dt>CONFIG_POSIX_MQUEUE=y</dt>
<dd>POSIX Message Queues</dd>
<dt>CONFIG_VMAP_STACK=y</dt>
<dd>Use a virtually-mapped stack</dd>
<dd>Adds guard pages to kernel stacks (not all architectures
support this yet).</dd>
<dt>CONFIG_CGROUPS=y</dt>
<dd>Control Group support</dd>
<dt>CONFIG_MEMCG=y</dt>
<dd>Memory controller</dd>
<dt>CONFIG_MEMCG_SWAP=y</dt>
<dd>Swap controller</dd>
<dt>CONFIG_MEMCG_SWAP_ENABLED=y</dt>
<dd>Swap controller enabled by default</dd>
<dt>CONFIG_BLK_CGROUP=y</dt>
<dd>IO controller</dd>
<dt>CGROUP_SCHED=y</dt>
<dd>CPU controller</dd>
<dt>FAIR_GROUP_SCHED=y</dt>
<dd>Group scheduling for SCHED_OTHER</dd>
<dt>CONFIG_CFS_BANDWIDTH=y</dt>
<dd>CPU bandwidth provisioning for FAIR_GROUP_SCHED</dd>
<dt>CONFIG_RT_GROUP_SCHED=y</dt>
<dd>Group scheduling for SCHED_RR/FIFO</dd>
<dt>CONFIG_CGROUP_PIDS=y</dt>
<dd>PIDs controller</dd>
<dd>Freezer controller</dd>
<dd>HugeTLB controller</dd>
<dd>Cpuset controller</dd>
<dd>Include legacy /proc/&lt;pid&gt;/cpuset file</dd>
<dd>Device controller</dd>
<dd>Simple CPU accounting controller</dd>
<dd>Perf controller</dd>
</dl>
<h4>Namespaces support</h4>
<dl>
<dd>UTS namespace</dd>
<dd>IPC namespace</dd>
<dd>User namespace</dd>
<dd>PID Namespaces</dd>
<dd>Network namespace</dd>
</dl>
<dl>
<dt>CONFIG_COMPAT_BRK=n</dt>
<dd>Disable heap randomization</dd>
<dd>Dangerous; enabling this disables brk ASLR.</dd>
<dt>CONFIG_SLAB_FREELIST_RANDOM=y</dt>
<dd>Randomize allocator freelists.</dd>
<dt>CONFIG_SLAB_FREELIST_HARDENED=y</dt>
<dd>Harden allocator freelist metadata.</dd>
<dt>CONFIG_SLUB_DEBUG=y</dt>
<dd>Enable SLUB debugging support</dd>
<dd>Allow allocator validation checking to be enabled
(see "slub_debug=P" below).</dd>
<dt>CONFIG_CC_STACKPROTECTOR=y</dt>
<dd>Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.</dd>
<dt>CONFIG_CC_STACKPROTECTOR_STRONG=y</dt>
<dd>Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.</dd>
</dl>
<h3 id="mod">2.1.2.2 Enable loadable module support</h3>
<dl>
<dt>CONFIG_MODULES=y</dt>
<dd>Enable loadable module support</dd>
<dd>To keep root from altering kernel memory via loadable modules,
set CONFIG_MODULES=n.</dd>
<dd>But if CONFIG_MODULES=y is needed, at least the modules must be
signed with a per-build key.</dd>
<dt>CONFIG_DEBUG_SET_MODULE_RONX=y</dt>
<dd>(prior to v4.11)</dd>
<dt>CONFIG_STRICT_MODULE_RWX=y</dt>
<dd>(since v4.11)</dd>
<dt>CONFIG_MODULE_SIG=y</dt>
<dd>Module signature verification</dd>
<dt>CONFIG_MODULE_SIG_FORCE=y</dt>
<dd>Require modules to be validly signed</dd>
<dt>CONFIG_MODULE_SIG_ALL=y</dt>
<dd>Automatically sign all modules</dd>
<dt>CONFIG_MODULE_SIG_SHA512=y</dt>
<dd>Sign modules with SHA-512</dd>
</dl>
<h3 id="block">2.1.2.3 Enable the block layer</h3>
<dl>
<dt>BLK_DEV_THROTTLING=y</dt>
<dd>Block layer bio throttling support</dd>
<dt>IOSCHED_CFQ=y</dt>
<dd>CFQ IO scheduler</dd>
<dt>CONFIG_CFQ_GROUP_IOSCHED=y</dt>
<dd>CFQ Group Scheduling support</dd>
</dl>
<h3 id="proc">2.1.2.4 Processor type and features</h3>
<dl>
<dt>CONFIG_DEFAULT_MMAP_MIN_ADDR=65536</dt>
<dd>Low address space to protect from user allocation</dd>
<dd>Disallow allocating the first 64k of memory.</dd>
<dt>X86_VSYSCALL_EMULATION=n</dt>
<dd>Enable vsyscall emulation</dd>
<dd>Required by programs built before 2013; some programs may still
require it.</dd>
<dd>Remove additional attack surface, unless you really
need them.</dd>
<dt>CONFIG_SECCOMP=y</dt>
<dd>Enable seccomp to safely compute untrusted bytecode</dd>
<dd>Provide userspace with seccomp BPF API for syscall attack surface reduction.</dd>
<dt>CONFIG_SECCOMP_FILTER=y</dt>
<dd>Provide userspace with seccomp BPF API for syscall attack surface reduction.</dd>
<dt>CONFIG_KEXEC=n</dt>
<dd>kexec system call</dd>
<dd>Dangerous; enabling this allows replacement
of running kernel.</dd>
<dt>CONFIG_RANDOMIZE_BASE=y</dt>
<dd>Randomize the address of the kernel image (KASLR)</dd>
<dt>CONFIG_RANDOMIZE_MEMORY=y</dt>
<dd>Randomize the kernel memory sections</dd>
<dt>CONFIG_LEGACY_VSYSCALL_NONE=y</dt>
<dd>vsyscall table for legacy applications (None)</dd>
<dd>Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.</dd>
<dt>CONFIG_COMPAT_VDSO=n</dt>
<dd>Disable the 32-bit vDSO (needed for glibc 2.3.3)</dd>
<dd>Dangerous; enabling this disables VDSO ASLR.</dd>
<dt>CONFIG_MODIFY_LDT_SYSCALL=n</dt>
<dd>Enable the LDT (local descriptor table)</dd>
<dd>Remove additional attack surface, unless you really need them.</dd>
</dl>
<h3 id="acpi">2.1.2.5 Power management and ACPI options</h3>
<dl>
<dt>CONFIG_HIBERNATION=n</dt>
<dd>Hibernation (aka 'suspend to disk')</dd>
<dd>Dangerous; enabling this allows replacement of running
kernel.</dd>
<dt>CONFIG_ACPI_CUSTOM_METHOD=n</dt>
<dd>Allow ACPI methods to be inserted/replaced at run time</dd>
<dd>Dangerous; enabling this allows direct physical
memory writing.</dd>
</dl>
<h3 id="bus">2.1.2.6 Bus options (PCI etc.)</h3>
<h3 id="exec">2.1.2.7 Executable file formats / Emulations</h3>
<dl>
<dt>CONFIG_BINFMT_MISC=n</dt>
<dd>Kernel support for MISC binaries</dd>
<dd>Easily confused by misconfigured userspace, keep off.</dd>
<dt>CONFIG_IA32_EMULATION</dt>
<dd>Remove additional attack surface, unless you really need them.</dd>
<dt>CONFIG_X86_X32</dt>
<dd>Remove additional attack surface, unless you really need them.</dd>
</dl>
<h3 id="net">2.1.2.8 Networking support</h3>
<h4>Networking options</h4>
<dl>
<dt>CONFIG_INET_DIAG=m</dt>
<dd>INET: socket monitoring interface</dd>
<dd>Support for the INET (TCP, DCCP, etc.) socket monitoring
interface used by native Linux tools such as ss. ss is
included in iproute2.</dd>
<dd>Prior to v4.1, assists heap memory attacks;
best to keep interface disabled.</dd>
<dt>CONFIG_BRIDGE=y</dt>
<dd>802.1d Ethernet Bridging</dd>
<dt>CONFIG_NET_SCHED=y</dt>
<dd>QoS and/or fair queueing</dd>
<dt>CONFIG_NET_CLS_CGROUP=y</dt>
<dd>Control Group Classifier</dd>
<dt>CONFIG_VSOCKETS=y</dt>
<dd>Virtual Socket protocol</dd>
<dt>CONFIG_VIRTIO_VSOCKETS=y</dt>
<dd>virtio transport for Virtual Sockets</dd>
<dt>CONFIG_NET_L3_MASTER_DEV=y</dt>
<dd>L3 Master device support</dd>
<dt>CONFIG_CGROUP_NET_PRIO=y</dt>
<dd>Network priority cgroup</dd>
<dt>CGROUP_NET_CLASSID=y</dt>
<dd>Network classid cgroup</dd>
</dl>
<dl>
<dt>CONFIG_NETFILTER=y</dt>
<dd>Network packet filtering framework (Netfilter)</dd>
<dt>CONFIG_NETFILTER_ADVANCED=y</dt>
<dd>Advanced netfilter configuration</dd>
<dt>BRIDGE_NETFILTER=y</dt>
<dd>Bridged IP/ARP packets filtering</dd>
<dt>NF_CONNTRACK=y</dt>
<dd>Netfilter connection tracking support</dd>
<dt>NETFILTER_XT_MATCH_ADDRTYPE=y</dt>
<dd>"addrtype" address type match support</dd>
<dt>NETFILTER_XT_MATCH_CONNTRACK=y</dt>
<dd>"conntrack" connection tracking match support</dd>
<dt>CONFIG_NETFILTER_XT_MATCH_IPVS=y</dt>
<dd>"ipvs" match support</dd>
<dt>CONFIG_IP_VS=y</dt>
<dd>IP virtual server support</dd>
<dt>IP_VS_PROTO_TCP=y</dt>
<dd>TCP load balancing support</dd>
<dt>IP_VS_PROTO_UDP=y</dt>
<dd>UDP load balancing support</dd>
<dt>IP_VS_RR=y</dt>
<dd>round-robin scheduling</dd>
<dt>IP_VS_NFCT=y</dt>
<dd>Netfilter connection tracking</dd>
<dt>CONFIG_NF_CONNTRACK_IPV4=y</dt>
<dd>IPv4 connection tracking support (required for NAT)</dd>
<dt>NF_NAT_IPV4=y</dt>
<dd>IPv4 NAT</dd>
<dt>NF_NAT_MASQUERADE_IPV4=y</dt>
<dd>IPv4 masquerade support</dd>
<dt>IP_NF_IPTABLES=y</dt>
<dd>IP tables support (required for filtering/masq/NAT)</dd>
<dt>IP_NF_FILTER=y</dt>
<dd>Packet filtering</dd>
<dt>CONFIG_IP_NF_NAT=y</dt>
<dd>iptables NAT support</dd>
<dt>IP_NF_TARGET_MASQUERADE=y</dt>
<dd>MASQUERADE target support</dd>
<dt>IP_NF_TARGET_NETMAP=y</dt>
<dd>NETMAP target support</dd>
<dt>IP_NF_TARGET_REDIRECT=y</dt>
<dd>REDIRECT target support</dd>
<dt>CONFIG_SYN_COOKIES=y</dt>
<dd>IP: TCP syncookie support</dd>
<dd>Provides some protections against SYN flooding.</dd>
</dl>
<h3 id="drivers">2.1.2.9 Device Drivers</h3>
<h4>Block devices</h4>
<dl>
<dt>CONFIG_VIRTIO_BLK=y</dt>
<dd>This is the virtual block driver for virtio.</dd>
<dd>For QEMU based VMMs.</dd>
<dt>BLK_DEV_NBD=y</dt>
<dd>Network block device support.</dd>
</dl>
<h4>SCSI device support</h4>
<dl>
<dt>CONFIG_SCSI_VIRTIO=y</dt>
<dd>This is the virtual HBA driver for virtio.
Enable it if the kernel will be used in a virtual machine.</dd>
</dl>
<h4>Multiple devices driver support (RAID and LVM)</h4>
<dl>
<dt>CONFIG_MD=y</dt>
<dd>Multiple devices driver support (RAID and LVM)</dd>
<dt>CONFIG_BLK_DEV_DM=y</dt>
<dd>Device mapper support</dd>
<dt>DM_THIN_PROVISIONING=y</dt>
<dd>Thin provisioning target</dd>
</dl>
<h4>Network device support</h4>
<dl>
<dt>CONFIG_NETDEVICES=y</dt>
<dd>Network device support</dd>
<dt>NET_CORE=y</dt>
<dd>Network core driver support</dd>
<dt>CONFIG_DUMMY=y</dt>
<dd>Dummy net driver support</dd>
<dt>CONFIG_MACVLAN=y</dt>
<dd>MAC-VLAN support</dd>
<dd>This allows one to create virtual interfaces that map
packets to or from specific MAC addresses to a particular
interface. Macvlan devices can be added using the "ip" command
from the iproute2 package.</dd>
<dd>ip link add link &lt;real dev&gt; [ address MAC ] [ NAME ] type macvlan</dd>
<dt>CONFIG_VXLAN=y</dt>
<dd>Virtual eXtensible Local Area Network (VXLAN)</dd>
<dt>CONFIG_TUN=y</dt>
<dd>Universal TUN/TAP device driver support</dd>
<dt>CONFIG_VETH=y</dt>
<dd>Virtual ethernet pair device.</dd>
<dt>CONFIG_VIRTIO_NET=y</dt>
<dd>Virtio network driver.</dd>
<dt>IPVLAN=n</dt>
<dd>IP-VLAN support</dd>
<dd>Requires IPv6</dd>
</dl>
<h4>Character devices</h4>
<dl>
<dt>CONFIG_DEVMEM=n</dt>
<dd>/dev/mem virtual device support</dd>
<dd>Do not allow direct physical memory access (but if you must have it, at least enable CONFIG_STRICT_DEVMEM mode...)</dd>
<dd>Enable TTY</dd>
<dd>Unix98 PTY support</dd>
<dt>CONFIG_LEGACY_PTYS=n</dt>
<dd>Legacy (BSD) PTY support</dd>
<dd>Use the modern PTY interface (devpts) only.</dd>
<dd>Support multiple instances of devpts</dd>
<dt>CONFIG_DEVKMEM=n</dt>
<dd>/dev/kmem virtual device support</dd>
<dd>Dangerous; enabling this allows direct kernel
memory writing.</dd>
</dl>
<h4>Virtio drivers</h4>
<dl>
<dt>CONFIG_VIRTIO_PCI=y</dt>
<dd>PCI driver for virtio devices</dd>
</dl>
<h3 id="firm">2.1.2.10 Firmware Drivers</h3>
<h3 id="fs">2.1.2.11 File systems</h3>
<dl>
<dd>Overlay filesystem support</dd>
<dt>CONFIG_PROC_KCORE=n</dt>
<dd>/proc/kcore support</dd>
<dd>Dangerous; exposes kernel text image layout.</dd>
<dd>HugeTLB file system support</dd>
<dt>CONFIG_FUSE_FS=y</dt>
<dd>FUSE (Filesystem in Userspace) support</dd>
</dl>
<h3 id="hack">2.1.2.12 Kernel hacking</h3>
<dl>
<dt>CONFIG_DEBUG=y</dt>
<dt>CONFIG_DEBUG_RODATA=y</dt>
<dt>CONFIG_DEBUG_KERNEL=y</dt>
<dd>Kernel debugging</dd>
<dd>Make sure kernel page tables have safe permissions.</dd>
<dt>CONFIG_STRICT_KERNEL_RWX=y</dt>
<dd>since v4.11</dd>
<dd>Make sure kernel page tables have safe permissions.</dd>
<dt>CONFIG_PANIC_ON_OOPS=y</dt>
<dd>Panic on Oops</dd>
<dd>This feature is useful to ensure that the kernel does not do
anything erroneous after an oops which could result in data
corruption or other issues.</dd>
<dt>CONFIG_PANIC_TIMEOUT=-1</dt>
<dd>Reboot devices immediately if kernel experiences an Oops.</dd>
<dt>CONFIG_SCHED_STACK_END_CHECK=y</dt>
<dd>Detect stack corruption on calls to schedule()</dd>
<dd>Perform additional validation of various commonly targeted structures.</dd>
<dt>CONFIG_DEBUG_LIST=y</dt>
<dd>Debug linked list manipulation</dd>
<dd>Perform additional validation of various commonly targeted structures.</dd>
<dt>CONFIG_DEBUG_SG=y</dt>
<dd>Debug SG table operations</dd>
<dd>Perform additional validation of various commonly targeted structures.</dd>
<dt>CONFIG_DEBUG_NOTIFIERS=y</dt>
<dd>Debug notifier call chains</dd>
<dd>Perform additional validation of various commonly
targeted structures.</dd>
<dt>CONFIG_DEBUG_CREDENTIALS=y</dt>
<dd>Debug credential management</dd>
<dd>Perform additional validation of various commonly
targeted structures.</dd>
<dt>CONFIG_STRICT_DEVMEM=y</dt>
<dd>Filter access to /dev/mem</dd>
<dd>Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)</dd>
<dt>CONFIG_IO_STRICT_DEVMEM=y</dt>
<dd>Filter I/O access to /dev/mem</dd>
<dd>Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)</dd>
<dt>CONFIG_DEBUG_WX=y</dt>
<dd>Warn on W+X mappings at boot</dd>
<dd>Report any dangerous memory permissions
(not available on all archs).</dd>
</dl>
<h4>Compile-time checks and compiler options</h4>
<dl>
<dt>CONFIG_DEBUG_FS=y</dt>
<dd>Debug Filesystem</dd>
</dl>
<h4>Memory Debugging</h4>
<dl>
<dt>CONFIG_PAGE_POISONING=y</dt>
<dd>Poison pages after freeing</dd>
<dd>Wipe higher-level memory allocations when they are freed
(needs "page_poison=1" command line below).</dd>
<dt>CONFIG_PAGE_POISONING_NO_SANITY=y</dt>
<dd>Only poison, don't sanity check</dd>
<dd>(If you can afford even more performance penalty,
leave CONFIG_PAGE_POISONING_NO_SANITY=n)</dd>
<dt>CONFIG_PAGE_POISONING_ZERO=y</dt>
<dd>Use zero for poisoning instead of random data</dd>
</dl>
<h3 id="sec">2.1.2.13 Security options</h3>
<dl>
<dd>Enable access key retention support</dd>
<dd>Enable register of persistent per-UID keyrings</dd>
<dd>ENCRYPTED KEYS</dd>
<dd>Diffie-Hellman operations on retained keys</dd>
<dt>CONFIG_SECURITY=y</dt>
<dd>Enable different security models</dd>
<dd>Provide userspace with ptrace ancestry protections.</dd>
<dt>CONFIG_HARDENED_USERCOPY=y</dt>
<dd>Harden memory copies between kernel and userspace</dd>
<dd>Perform usercopy bounds checking.</dd>
<dt>SECURITY_SELINUX=n</dt>
<dd>NSA SELinux Support</dd>
<dt>CONFIG_SECURITY_SELINUX_DISABLE=n</dt>
<dd>NSA SELinux runtime disable</dd>
<dd>If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.</dd>
<dt>CONFIG_SECURITY_APPARMOR=y</dt>
<dd>AppArmor support</dd>
<dd>This enables the AppArmor security module. The required userspace
tools (if they are not included in your distribution) and further
information may be found at <a href="apparmor.html">AppArmor</a>.</dd>
<dt>CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1</dt>
<dd>AppArmor boot parameter default value</dd>
<dt>CONFIG_SECURITY_YAMA=y</dt>
<dd>Yama support</dd>
<dd>Provide userspace with ptrace ancestry protections.</dd>
</dl>
<h3 id="crypt">2.1.2.14 Cryptographic API</h3>
<dl>
<dt>CONFIG_CRYPTO_LRW</dt>
<dd>Liskov Rivest Wagner, a tweakable, non-malleable, non-movable
narrow block cipher mode for dm-crypt.</dd>
<dt>CONFIG_CRYPTO_RMD160=y</dt>
<dt>CONFIG_CRYPTO_RMD256=y</dt>
<dt>CONFIG_CRYPTO_RMD320=y</dt>
<dd>RIPEMD 160/256/320 digest algorithms</dd>
<dt>CONFIG_CRYPTO_SHA256=y</dt>
<dd>SHA224 and SHA256 digest algorithms</dd>
<dt>CONFIG_CRYPTO_SHA512=y</dt>
<dd>SHA384 and SHA512 digest algorithms</dd>
<dt>CONFIG_CRYPTO_WP512=y</dt>
<dd>Whirlpool digest algorithms</dd>
<dt>CONFIG_CRYPTO_DES3_EDE_X86_64=y</dt>
<dd>DES and Triple DES EDE cipher algorithms</dd>
<dt>CONFIG_CRYPTO_SERPENT=y</dt>
<dd>Serpent cipher algorithm</dd>
<dt>CONFIG_CRYPTO_TWOFISH=y</dt>
<dd>Twofish cipher algorithm</dd>
</dl>
<pre>
* MD4 digest algorithm
* MD5 digest algorithm
* SHA1 digest algorithm
* Blowfish cipher algorithm
* AES cipher algorithms
* CAST5 (CAST-128) cipher algorithm
* CAST6 (CAST-256) cipher algorithm
* Deflate compression algorithm
</pre>
<h3 id="virt">2.1.2.15 Virtualization</h3>
<dl>
<dt>CONFIG_KVM=y</dt>
<dd>Kernel-based Virtual Machine (KVM) support</dd>
<dt>CONFIG_KVM_INTEL=y</dt>
<dd>KVM for Intel processors support</dd>
<dd>Provides support for KVM on Intel processors equipped with the VT extensions.</dd>
<dt>CONFIG_KVM_AMD=y</dt>
<dd>KVM for AMD processors support</dd>
<dd>Provides support for KVM on AMD processors equipped with the
AMD-V (SVM) extensions.</dd>
<dt>CONFIG_KVM_DEVICE_ASSIGNMENT=n</dt>
<dd>KVM legacy PCI device assignment support (DEPRECATED)</dd>
<dt>CONFIG_VHOST_NET=y</dt>
<dd>Host kernel accelerator for virtio net</dd>
<dt>CONFIG_VHOST_VSOCK=y</dt>
<dd>vhost virtio-vsock driver</dd>
<dt>CONFIG_VHOST_CROSS_ENDIAN_LEGACY=y</dt>
<dd>Cross-endian support for vhost</dd>
</dl>
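<p>Before building, it is worth checking that the .config actually carries the hardening choices listed in the sections above, since localmodconfig and oldconfig can silently keep a weaker value. The following POSIX shell script is an added example for this page, not part of the Hive port: it compares a .config against an assumed subset of those settings (the EXPECTED list) and, when given no file, runs on a constructed sample with a few deliberate deviations.</p>

```sh
#!/bin/sh
# Added example: check a kernel .config against the hardening choices this
# page selects. Not part of the Hive port; EXPECTED is an assumed subset of
# the page's settings and the sample .config below is constructed.

# "NAME=value" pairs; value n means the symbol is "# ... is not set" or absent.
EXPECTED='
CONFIG_FORTIFY_SOURCE=y
CONFIG_COMPAT_BRK=n
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
CONFIG_KEXEC=n
CONFIG_RANDOMIZE_BASE=y
CONFIG_LEGACY_VSYSCALL_NONE=y
CONFIG_ACPI_CUSTOM_METHOD=n
CONFIG_DEVMEM=n
CONFIG_PROC_KCORE=n
CONFIG_DEBUG_WX=y
CONFIG_HARDENED_USERCOPY=y
'
# config_value FILE SYMBOL: print the symbol's value, "n" when it is unset.
config_value() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    [ -n "$v" ] && echo "$v" || echo n
}
# check_config FILE: print one MISMATCH line per deviation plus a summary;
# the exit status is the number of deviations (0 when everything matches).
check_config() {
    bad=0; total=0
    for entry in $EXPECTED; do
        sym=${entry%%=*}; want=${entry#*=}
        got=$(config_value "$1" "$sym")
        total=$((total + 1))
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $sym: want $want, got $got"
            bad=$((bad + 1))
        fi
    done
    echo "$bad of $total checked settings deviate from the page"
    return "$bad"
}
# write_sample_config: constructed .config with deliberate deviations (kexec
# and /dev/mem enabled, low mmap_min_addr, MODULE_SIG_FORCE and DEBUG_WX
# missing); prints the path of the temporary file.
write_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real kernel build
CONFIG_FORTIFY_SOURCE=y
# CONFIG_COMPAT_BRK is not set
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_MODULE_SIG=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
CONFIG_KEXEC=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_LEGACY_VSYSCALL_NONE=y
# CONFIG_ACPI_CUSTOM_METHOD is not set
CONFIG_DEVMEM=y
CONFIG_STRICT_DEVMEM=y
# CONFIG_PROC_KCORE is not set
CONFIG_HARDENED_USERCOPY=y
EOF
    echo "$f"
}
# Check the file given as $1 (e.g. ~/kernel/linux-4.9.86/.config), or the
# constructed sample when no argument is given.
check_config "${1:-$(write_sample_config)}" || :
```

<p>For a running kernel, point it at the distribution's /boot config file, or at the output of <code>zcat /proc/config.gz</code> written to a file where the kernel exposes it.</p>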
<h3 id="lib">2.1.2.16 Library routines</h3>
<h2 id="build">2.1.3. Build</h2>
<p>Make targets;</p>
<pre>
Other generic targets:
all - Build all targets marked with [*]
* vmlinux - Build the bare kernel
* modules - Build all modules
(default: ./usr)
Documentation targets:
Linux kernel internal documentation in different formats (Sphinx):
htmldocs - HTML
latexdocs - LaTeX
pdfdocs - PDF
epubdocs - EPUB
xmldocs - XML
cleandocs - clean all generated files
make SPHINXDIRS="s1 s2" [target] Generate only docs of folder s1, s2
valid values for SPHINXDIRS are: development-process media gpu 80211
make SPHINX_CONF={conf-file} [target] use *additional* sphinx-build
configuration. This is e.g. useful to build with nit-picking config.
Linux kernel internal documentation in different formats (DocBook):
htmldocs - HTML
pdfdocs - PDF
psdocs - Postscript
xmldocs - XML DocBook
mandocs - man pages
installmandocs - install man pages generated by mandocs
cleandocs - clean all generated DocBook files
Architecture specific targets (x86):
* bzImage - Compressed kernel image (arch/x86/boot/bzImage)
install - Install kernel using
(your) ~/bin/installkernel or
(distribution) /sbin/installkernel or
install to $(INSTALL_PATH) and run lilo
fdimage - Create 1.4MB boot floppy image (arch/x86/boot/fdimage)
fdimage144 - Create 1.4MB boot floppy image (arch/x86/boot/fdimage)
fdimage288 - Create 2.8MB boot floppy image (arch/x86/boot/fdimage)
isoimage - Create a boot CD-ROM image (arch/x86/boot/image.iso)
bzdisk/fdimage*/isoimage also accept:
FDARGS="..." arguments for the booted kernel
FDINITRD=file initrd for the booted kernel
i386_defconfig - Build for i386
x86_64_defconfig - Build for x86_64
make V=0|1 [targets] 0 => quiet build (default), 1 => verbose build
make V=2 [targets] 2 => give reason for rebuild of target
make O=dir [targets] Locate all output files in "dir", including .config
make C=1 [targets] Check all c source with $CHECK (sparse by default)
make C=2 [targets] Force check of all c source with $CHECK
make RECORDMCOUNT_WARN=1 [targets] Warn about ignored mcount sections
make W=n [targets] Enable extra gcc checks, n=1,2,3 where
1: warnings which may be relevant and do not occur too often
2: warnings which occur quite often but may still be relevant
3: more obscure warnings, can most likely be ignored
Multiple levels can be combined with W=12 or W=123
</pre>
<pre>
$ make -j $(nproc) bzImage modules
</pre>
<h2 id="install">2.1.5. Install</h2>
<pre>
modules_install - Install all modules to INSTALL_MOD_PATH (default: /)
firmware_install- Install all firmware to INSTALL_FW_PATH
(default: $(INSTALL_MOD_PATH)/lib/firmware)
modules_prepare - Set up for building external modules
headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH
</pre>
<pre>
$ sudo make modules_install
$ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.9.86-gnu
$ sudo cp System.map /boot/System.map-4.9.86-gnu
</pre>
<p>Update grub;</p>
<pre>
# grub-mkconfig -o /boot/grub/grub.cfg
</pre>
<h2 id="remove">2.1.6. Remove</h2>
<pre>
$ sudo rm -r /lib/modules/4.9.86-gnu
$ sudo rm /boot/vmlinuz-4.9.86-gnu
$ sudo rm /boot/System.map-4.9.86-gnu
</pre>
<a href="index.html">Core OS Index</a>
<p>This is part of the Hive System Documentation.
Copyright (C) 2018
Hive Team.
See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
for copying conditions.</p>
</body>
</html>