<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<meta charset='utf-8'>
<title>2.1. Kernel Linux</title>
</head>
<body>
<a href="index.html">Core OS Index</a>
<h1 id="kernel">2.1. Kernel Linux</h1>
<p>Linux is a monolith kernel, a big one ! Visit
<a href="http://www.fsfla.org/ikiwiki/selibre/linux-libre/">Linux Libre</a>
and
<a href="https://www.kernel.org/">Linux Non-Libre</a> pages for more links
and information.</p>
<p>Spectre-meltdown checker;</p>
<pre>
https://github.com/speed47/spectre-meltdown-checker/
</pre>
<h2 id="download">2.1.1. Download Linux Libre</h2>
<p>Download Linux Source from
<a href="http://linux-libre.fsfla.org/pub/linux-libre/releases/">linux libre</a>,
or using the port system;</p>
<pre>
$ mkdir ~/kernel
$ cd ~/kernel
$ cd linux-4.9.86/
</pre>
<p>Gcc <a href="https://github.com/graysky2/kernel_gcc_patch/">graysky2</a> kernel_gcc_patch (<a href="https://github.com/graysky2/kernel_gcc_patch/archive/master.zip">master.zip</a>)
that adds more cpu options (FLAGS) for native builds.
Check <a href="ports/linux-gnu/Pkgfile">Pkgfile</a>
for instructions how linux-gnu port is built.</p>
<p>Check version on Makefile;</p>
<pre>
VERSION = 4
PATCHLEVEL = 9
SUBLEVEL = 86
EXTRAVERSION = -gnu
NAME = Roaring Lionus
</pre>
<p>Change cpu optimization patch;</p>
<pre>
depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
</pre>
<p>to;</p>
<pre>
depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
</pre>
<p>Apply additional cpu optimizations patch;</p>
<pre>
$ patch -p1 < ../enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
</pre>
<p>Cleaning targets:</p>
<pre>
clean - Remove most generated files but keep the config and
enough build support to build external modules
mrproper - Remove all generated files + config + various backup files
distclean - mrproper + remove editor backup and patch files
</pre>
<p>Prepare sources for configuration;</p>
<pre>
$ make distclean
</pre>
<h2 id="configure">2.1.2. Configure</h2>
<p>Port linux-gnu port comes with default configuration file that is
a good starting point to tune kernel according to your needs. To
automatically configure kernel with support to your hardware
based on modules loaded by current kernel run.</p>
<pre>
$ make localmodconfig
</pre>
<p>To get more information about the hardware, for example
information about which graphic module (driver) is in use
as root run;</p>
<pre>
# lspci -nnk | grep -i vga -A3 | grep 'in use'
Kernel driver in use: i915
</pre>
<p>Make configuration targets;</p>
<pre>
config - Update current config utilising a line-oriented program
nconfig - Update current config utilising a ncurses menu based program
menuconfig - Update current config utilising a menu based program
xconfig - Update current config utilising a Qt based front-end
gconfig - Update current config utilising a GTK+ based front-end
oldconfig - Update current config utilising a provided .config as base
localmodconfig - Update current config disabling modules not loaded
localyesconfig - Update current config converting local mods to core
silentoldconfig - Same as oldconfig, but quietly, additionally update deps
defconfig - New config with default from ARCH supplied defconfig
savedefconfig - Save current config as ./defconfig (minimal config)
allnoconfig - New config where all options are answered with no
allyesconfig - New config where all options are accepted with yes
allmodconfig - New config selecting modules when possible
alldefconfig - New config with all symbols set to default
randconfig - New config with random answer to all options
listnewconfig - List new options
olddefconfig - Same as silentoldconfig but sets new symbols to their default value
kvmconfig - Enable additional options for kvm guest kernel support
xenconfig - Enable additional options for xen dom0 and guest kernel support
tinyconfig - Configure the tiniest possible kernel
</pre>
<p>Following configuration try's to be generic about the hardware
support while addressing the requirements of applications such as
qemu, docker, etc. For more information about hardening options read
<a href="https://kernsec.org">kernsec.org</a>. Configure kernel
using ncurses;</p>
<pre>
$ make nconfig
</pre>
<pre>
CONFIG_BUG_ON_DATA_CORRUPTION=y
# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
</pre>
<h3 id="general">2.1.2.1 General Setup</h3>
<dl>
<dt>CONFIG_POSIX_MQUEUE=y</dt>
<dd>POSIX Message Queues</dd>
<dt>CONFIG_VMAP_STACK=y</dt>
<dd>Use a virtually-mapped stack</dd>
<dd>Adds guard pages to kernel stacks (not all architectures
support this yet).</dd>
<dt>CONFIG_CGROUPS=y</dt>
<dd>Control Group support</dd>
<dt>CONFIG_MEMCG=y</dt>
<dd>Memory controller</dd>
<dt>CONFIG_MEMCG_SWAP=y</dt>
<dd>Swap controller</dd>
<dt>CONFIG_MEMCG_SWAP_ENABLED=y</dt>
<dd>Swap controller enabled by default</dd>
<dt>CONFIG_BLK_CGROUP=y</dt>
<dd>IO controller</dd>
<dt>CGROUP_SCHED=y</dt>
<dd>CPU controller</dd>
<dt>FAIR_GROUP_SCHED=y</dt>
<dd>Group scheduling for SCHED_OTHER</dd>
<dt>CONFIG_CFS_BANDWIDTH=y</dt>
<dd>CPU bandwidth provisioning for FAIR_GROUP_SCHED</dd>
<dt>CONFIG_RT_GROUP_SCHED=y</dt>
<dd>Group scheduling for SCHED_RR/FIFO</dd>
<dt>CONFIG_CGROUP_PIDS=y</dt>
<dd>PIDs controller</dd>
<dd>Freezer controller</dd>
<dd>HugeTLB controller</dd>
<dd>Cpuset controller</dd>
<dd>Include legacy /proc/<pid>/cpuset file</dd>
<dd>Device controller</dd>
<dd>Simple CPU accounting controller</dd>
<dd>Perf controller</dd>
</dl>
<h4>Namespaces support</h4>
<dl>
<dd>UTS namespace</dd>
<dd>IPC namespace</dd>
<dd>User namespace</dd>
<dd>PID Namespaces</dd>
<dd>Network namespace</dd>
</dl>
<dl>
<dt>CONFIG_COMPAT_BRK=n</dt>
<dd>Disable heap randomization</dd>
<dd>Dangerous; enabling this disables brk ASLR.</dd>
<dt>CONFIG_SLAB_FREELIST_RANDOM=y</dt>
<dd>Randomize allocator freelists, harden metadata.</dd>
<dt>CONFIG_SLAB_FREELIST_HARDENED=y</dt>
<dd>Randomize allocator freelists, harden metadata.</dd>
<dt>CONFIG_SLUB_DEBUG=y<dt>
<dd>Enable SLUB debugging support</dd>
<dd>Allow allocator validation checking to be enabled
(see "slub_debug=P" below).</dd>
<dt>CONFIG_CC_STACKPROTECTOR=y</dt>
<dd>Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.</dd>
<dt>CONFIG_CC_STACKPROTECTOR_STRONG=y</dt>
<dd>Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.</dd>
</dl>
<h3 id="mod">2.1.2.2 Enable loadable module support</h3>
<dl>
<dt>CONFIG_MODULES=y</dt>
<dd>Enable loadable module support
<dd>Keep root from altering kernel memory via loadable modules.
set CONFIG_MODULES=n</dd>
<dd>But if CONFIG_MODULE=y is needed, at least they must be
signed with a per-build key.<dd>
<dt>CONFIG_DEBUG_SET_MODULE_RONX=y</dt>
<dd>(prior to v4.11)</dd>
<dt>CONFIG_STRICT_MODULE_RWX=y</dt>
<dd>(since v4.11)</dd>
<dt>CONFIG_MODULE_SIG=y</dt>
<dd>Module signature verification</dd>
<dt>CONFIG_MODULE_SIG_FORCE=y</dt>
<dd>Require modules to be validly signed</dd>
<dt>CONFIG_MODULE_SIG_ALL=y</dt>
<dd>Automatically sign all modules</dd>
<dt>CONFIG_MODULE_SIG_SHA512=y</dt>
<dd>Sign modules with SHA-512</dd>
</dl>
<h3 id="block">2.1.2.3 Enable the block layer</h3>
<dl>
<dt>BLK_DEV_THROTTLING=y</dt>
<dd>Block layer bio throttling support</dd>
<dt>IOSCHED_CFQ=y</dt>
<dd>CFQ IO scheduler</dd>
<dt>CONFIG_CFQ_GROUP_IOSCHED=y</dt>
<dd>CFQ Group Scheduling support</dd>
</dl>
<h3 id="proc">2.1.2.4 Processor type and features</h3>
<dl>
<dt>CONFIG_DEFAULT_MMAP_MIN_ADDR=65536</dt>
<dd>Low address space to protect from user allocation</dd>
<dd>Disallow allocating the first 64k of memory.</dd>
<dt>X86_VSYSCALL_EMULATION=n</dt>
<dd>Enable vsyscall emulation</dd>
<dd>Required by programs before 2013, some programs my
require.</dd>
<dd>Remove additional attack surface, unless you really
need them.</dd>
<dt>CONFIG_SECCOMP=y</dt>
<dd>Enable seccomp to safely compute untrusted bytecode</dd>
<dd>Provide userspace with seccomp BPF API for syscall attack surface reduction.</dd>
<dt>CONFIG_SECCOMP_FILTER=y</dt>
<dd>Provide userspace with seccomp BPF API for syscall attack surface reduction.</dd>
<dt>CONFIG_KEXEC=n</dt>
<dd>kexec system call</dd>
<dd>Dangerous; enabling this allows replacement
of running kernel.</dd>
<dt>CONFIG_RANDOMIZE_BASE=y</dt>
<dd>Randomize the address of the kernel image (KASLR)</dd>
<dt>CONFIG_RANDOMIZE_MEMORY=y</dt>
<dd>Randomize the kernel memory sections</dd>
<dt>CONFIG_LEGACY_VSYSCALL_NONE=y</dt>
<dd>vsyscall table for legacy applications (None)</dd>
<dd>Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.</dd>
<dt>CONFIG_COMPAT_VDSO=n</dt>
<dd>Disable the 32-bit vDSO (needed for glibc 2.3.3)</dd>
<dd>Dangerous; enabling this disables VDSO ASLR.</dd>
<dt>CONFIG_MODIFY_LDT_SYSCALL=n</dt>
<dd>Enable the LDT (local descriptor table)</dd>
<dd>Remove additional attack surface, unless you really need them.</dd>
</dl>
<h3 id="acpi">2.1.2.5 Power management and ACPI options</h3>
<dl>
<dt>CONFIG_HIBERNATION=n</dt>
<dd>Hibernation (aka 'suspend to disk')</dd>
<dd>Dangerous; enabling this allows replacement of running
kernel.</dd>
<dt>CONFIG_ACPI_CUSTOM_METHOD=n</dt>
<dd>Allow ACPI methods to be inserted/replaced at run time</dd>
<dd>Dangerous; enabling this allows direct physical
memory writing.</dd>
</dl>
<h3 id="bus">2.1.2.6 Bus options (PCI etc.)</h3>
<h3 id="exec">2.1.2.7 Executable file formats / Emulations</h3>
<dl>
<dt>CONFIG_BINFMT_MISC=n</dt>
<dd>Kernel support for MISC binaries</dd>
<dd>Easily confused by misconfigured userspace, keep off.</dd>
<dt>CONFIG_IA32_EMULATION</dt>
<dd>Remove additional attack surface, unless you really need them.</dd>
<dt>CONFIG_X86_X32</dt>
<dd>Remove additional attack surface, unless you really need them.</dd>
</dl>
<h3 id="net">2.1.2.8 Networking support</h3>
<h4>Networking options</h4>
<dl>
<dt>CONFIG_INET_DIAG=m</dt>
<dd>INET: socket monitoring interface</dd>
<dd>Support for INET (TCP, DCCP, etc) socket monitoring
interface used by native Linux tools such as ss. ss is
included in iproute2</dd>
<dd>Prior to v4.1, assists heap memory attacks;
best to keep interface disabled.</dd>
<dt>CONFIG_BRIDGE=y</dt>
<dd>802.1d Ethernet Bridging</dd>
<dt>CONFIG_NET_SCHED=y</dt>
<dd>QoS and/or fair queueing</dd>
<dt>CONFIG_NET_CLS_CGROUP=y</dt>
<dd>Control Group Classifier</dd>
<dt>CONFIG_VSOCKETS=y</dt>
<dd>Virtual Socket protocol</dd>
<dt>CONFIG_VIRTIO_VSOCKETS=y<dt>
<dd>virtio transport for Virtual Sockets</dd>
<dt>CONFIG_NET_L3_MASTER_DEV=y</dt>
<dd>L3 Master device support</dd>
<dt>CONFIG_CGROUP_NET_PRIO=y</dt>
<dd>Network priority cgroup</dd>
<dt>CGROUP_NET_CLASSID=y</dt>
<dd>Network classid cgroup</dd>
</dl>
<dl>
<dt>CONFIG_NETFILTER=y</dt>
<dd>Network packet filtering framework (Netfilter)</dd>
<dt>CONFIG_NETFILTER_ADVANCED=y</dt>
<dd>Advanced netfilter configuration</dd>
<dt>BRIDGE_NETFILTER=y</dt>
<dd>Bridged IP/ARP packets filtering</dd>
<dt>NF_CONNTRACK=y</dt>
<dd>Netfilter connection tracking support</dd>
<dt>NETFILTER_XT_MATCH_ADDRTYPE=y</dt>
<dd>"addrtype" address type match support</dd>
<dt>NETFILTER_XT_MATCH_CONNTRACK=y</dt>
<dd>"conntrack" connection tracking match support</dd>
<dt>CONFIG_NETFILTER_XT_MATCH_IPVS=y</dt>
<dd>"ipvs" match support</dd>
<dt>CONFIG_IP_VS=y</dt>
<dd>IP virtual server support</dd>
<dt>IP_VS_PROTO_TCP=y</dt>
<dd>TCP load balancing support</dd>
<dt>IP_VS_PROTO_UDP=y</dt>
<dd>UDP load balancing support</dd>
<dt>IP_VS_RR=y</dt>
<dd>round-robin scheduling</dd>
<dt>IP_VS_NFCT=y</dt>
<dd>Netfilter connection tracking</dd>
<dt>CONFIG_NF_CONNTRACK_IPV4=y</dt>
<dd>IPv4 connection tracking support (required for NAT)</dd>
<dt>NF_NAT_IPV4=y</dt>
<dd>IPv4 NAT</dd>
<dt>NF_NAT_MASQUERADE_IPV4=y</dt>
<dd>IPv4 masquerade support</dd>
<dt>IP_NF_IPTABLES=y</dt>
<dd>IP tables support (required for filtering/masq/NAT)</dd>
<dt>IP_NF_FILTER=y</dt>
<dd>Packet filtering</dd>
<dt>CONFIG_IP_NF_NAT=y</dt>
<dd>iptables NAT support</dd>
<dt>IP_NF_TARGET_MASQUERADE=y</dt>
<dd>MASQUERADE target support</dd>
<dt>IP_NF_TARGET_NETMAP=y</dt>
<dd>NETMAP target support</dd>
<dt>IP_NF_TARGET_REDIRECT=y</dt>
<dd>REDIRECT target support</dd>
<dt>CONFIG_SYN_COOKIES=y</dt>
<dd>IP: TCP syncookie support</dd>
<dd>Provides some protections against SYN flooding.</dd>
</dl>
<h3 id="drivers">2.1.2.9 Device Drivers</h3>
<h4>Block devices</h4>
<dl>
<dt>CONFIG_VIRTIO_BLK=y</dt>
<dd>This is the virtual block driver for virtio.</dd>
<dd>For QEMU based VMMs.</dd>
<dt>BLK_DEV_NBD=y</dt>
<dd>Network block device support.</dd>
</dl>
<h4>SCSI device support</h4>
<dl>
<dt>CONFIG_SCSI_VIRTIO=y</dt>
<dd>This is the virtual HBA driver for virtio.
If the kernel will used in a virtual machine.</dd>
</dl>
<h4>Multiple devices driver support (RAID and LVM)</h4>
<dl>
<dt>CONFIG_MD=y</dt>
<dd>Multiple devices driver support (RAID and LVM)</dd>
<dt>CONFIG_BLK_DEV_DM=y</dt>
<dd>Device mapper support</dd>
<dt>DM_THIN_PROVISIONING=y</dt>
<dd>Thin provisioning target<dd>
</dl>
<h4>Network device support</h4>
<dl>
<dt>CONFIG_NETDEVICES=y</dt>
<dd>Network device support</dd>
<dt>NET_CORE=y</dt>
<dd>Network core driver support</dd>
<dt>CONFIG_DUMMY=y</dt>
<dd>Dummy net driver support</dd>
<dt>CONFIG_MACVLAN=y</dt>
<dd>MAC-VLAN support</dd>
<dd>This allows one to create virtual interfaces that map
packets to or from specific MAC addresses to a particular
interface. Macvlan devices can be added using the "ip" command
from the route2 package starting with the iproute2.</dd>
<dd>ip link add link <real dev> [ address MAC ] [ NAME ] type macvlan"</dd>
<dt>CONFIG_VXLAN=y</dt>
<dd>Virtual eXtensible Local Area Network (VXLAN)</dd>
<dt>BLK_DEV_NBD=y</dt>
<dd>Network block device support.</dd>
<dt>CONFIG_TUN=y</dt>
<dd>Universal TUN/TAP device driver support</dd>
<dt>CONFIG_VETH=y</dt>
<dd>Virtual ethernet pair device.</dd>
<dt>CONFIG_VIRTIO_NET=y</dt>
<dd>Virtio network driver.</dd>
<dt>IPVLAN=n</dt>
<dd>IP-VLAN support</dd>
<dd>Requires ipv6</dd>
</dl>
<h4>Character devices</h4>
<dl>
<dt>CONFIG_DEVMEM=n</dt>
<dd>/dev/mem virtual device support</dd>
<dd>Do not allow direct physical memory access (but if you must have it, at least enable CONFIG_STRICT_DEVMEM mode...)</dd>
<dd>Enable TTY</dd>
<dd>Unix98 PTY support</dd>
<dt>CONFIG_LEGACY_PTYS=n</dt>
<dd>Legacy (BSD) PTY support</dd>
<dd>Use the modern PTY interface (devpts) only.</dd>
<dd>Support multiple instances of devpts</dd>
<dt>CONFIG_DEVKMEM=n</dt>
<dd>/dev/kmem virtual device support</dd>
<dd>Dangerous; enabling this allows direct kernel
memory writing.</dd>
</dl>
<h4>Virtio drivers</h4>
<dl>
<dt>CONFIG_VIRTIO_PCI=y</dt>
<dd>PCI driver for virtio devices</dd>
</dl>
<h3 id="firm">2.1.2.10 Firmware Drivers</h3>
<h3 id="fs">2.1.2.11 File systems</h3>
<dl>
<dd>Overlay filesystem support</dd>
<dt>CONFIG_PROC_KCORE=n</dt>
<dd>/proc/kcore support</dd>
<dd>Dangerous; exposes kernel text image layout.</dd>
<dd>HugeTLB file system support</dd>
<dt>CONFIG_FUSE_FS=y</dt>
<dd>FUSE (Filesystem in Userspace) support</dd>
</dl>
<h3 id="hack">2.1.2.12 Kernel hacking</h3>
<dl>
<dt>CONFIG_DEBUG=y</dt>
<dt>CONFIG_DEBUG_RODATA=y</dt>
<dt>CONFIG_DEBUG_KERNEL=y</dt>
<dd>Kernel debugging</dd>
<dd>Make sure kernel page tables have safe permissions.</dd>
<dt>CONFIG_STRICT_KERNEL_RWX=y</dt>
<dd>since v4.11</dd>
<dd>Make sure kernel page tables have safe permissions.</dd>
<dt>CONFIG_PANIC_ON_OOPS=y</dt>
<dd>Panic on Oops</dd>
<dd>This feature is useful to ensure that the kernel does not do
anything erroneous after an oops which could result in data
corruption or other issues.</dd>
<dt>CONFIG_PANIC_TIMEOUT=-1</dt>
<dd>Reboot devices immediately if kernel experiences an Oops.</dd>
<dt>CONFIG_SCHED_STACK_END_CHECK=y</dt>
<dd>Detect stack corruption on calls to schedule()</dd>
<dd>Perform additional validation of various commonly targeted structures.</dd>
<dt>CONFIG_DEBUG_LIST=y</dt>
<dd>Debug linked list manipulation</dd>
<dd>Perform additional validation of various commonly targeted structures.</dd>
<dt>CONFIG_DEBUG_SG=y</dt>
<dd>Debug SG table operations</dd>
<dd>Perform additional validation of various commonly targeted structures.</dd>
<dt>CONFIG_DEBUG_NOTIFIERS=y</dt>
<dd>Debug notifier call chains</dd>
<dd>Perform additional validation of various commonly
targeted structures.</dd>
<dt>CONFIG_DEBUG_CREDENTIALS=y</dt>
<dd>Debug credential management</dd>
<dd>Perform additional validation of various commonly
targeted structures.</dd>
<dt>CONFIG_STRICT_DEVMEM=y</dt>
<dd>Filter access to /dev/mem</dd>
<dd>Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)</dd>
<dt>CONFIG_IO_STRICT_DEVMEM=y</dt>
<dd>Filter I/O access to /dev/mem</dd>
<dd>Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)</dd>
<dt>CONFIG_DEBUG_WX=y</dt>
<dd>Warn on W+X mappings at boot</dd>
<dd>Report any dangerous memory permissions
(not available on all archs).</dd>
</dl>
<h4>Compile-time checks and compiler options</h4>
<dl>
<dt>CONFIG_DEBUG_FS=y</dt>
<dd>Debug Filesystem</dd>
</dl>
<h4>Memory Debugging</h4>
<dl>
<dt>CONFIG_PAGE_POISONING=y</dt>
<dd>Poison pages after freeing</dd>
<dd>Wipe higher-level memory allocations when they are freed
(needs "page_poison=1" command line below).</dd>
<dt>CONFIG_PAGE_POISONING_NO_SANITY=y</dt>
<dd>Only poison, don't sanity check</dd>
<dd>(If you can afford even more performance penalty,
leave CONFIG_PAGE_POISONING_NO_SANITY=n)</dd>
<dt>CONFIG_PAGE_POISONING_ZERO=y</dt>
<dd>Use zero for poisoning instead of random data</dd>
</dl>
<h3 id="sec">2.1.2.13 Security options</h3>
<dl>
<dd>Enable access key retention support</dd>
<dd>Enable register of persistent per-UID keyrings</dd>
<dd>ENCRYPTED KEYS</dd>
<dd>Diffie-Hellman operations on retained keys</dd>
<dt>CONFIG_SECURITY=y</dt>
<dd>Enable different security models</dd>
<dd>Provide userspace with ptrace ancestry protections.</dd>
<dt>CONFIG_HARDENED_USERCOPY=y</dt>
<dd>Harden memory copies between kernel and userspace</dd>
<dd>Perform usercopy bounds checking.</dd>
<dt>SECURITY_SELINUX=n</dt>
<dd>NSA SELinux Support</dd>
<dt>CONFIG_SECURITY_SELINUX_DISABLE=n</dt>
<dd>NSA SELinux runtime disable</dd>
<dd>If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.</dd>
<dt>CONFIG_SECURITY_APPARMOR=y</dt>
<dd>AppArmor support</dd>
<dd>This enables the AppArmor security module. Rquired userspace
tools (if they are not included in your distribution) and further
information may be found at <a href="apparmor.html">AppArmor</a></dd>
<dt>CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1</dt>
<dd>AppArmor boot parameter default value</dd>
<dt>CONFIG_SECURITY_YAMA=y</dt>
<dd>Yama support</dd>
<dd>Provide userspace with ptrace ancestry protections.</dd>
</dl>
<h3 id="crypt">2.1.2.14 Cryptographic API</h3>
<pre>
<dt>CONFIG_CRYPTO_LRW</dt>
<dd>Liskov Rivest Wagner, a tweakable, non malleable, non movable
narrow block cipher mode for dm-crypt.</dd>
<dt>CONFIG_CRYPTO_RMD160=y</dt>
<dt>CONFIG_CRYPTO_RMD256=y</dt>
<dt>CONFIG_CRYPTO_RMD320=y</dt>
<dd>RIPEMD 160/256/320 digest algorithm</dd>
<dt>CONFIG_CRYPTO_SHA256=y</dt>
<dd>SHA224 and SHA256 digest algorithm<dd>
<dt>CONFIG_CRYPTO_SHA512=y</dt>
<dd>SHA384 and SHA512 digest algorithms</dd>
<dt>CONFIG_CRYPTO_WP512=y</dt>
<dd>Whirlpool digest algorithms</dd>
<dt>CONFIG_CRYPTO_DES3_EDE_X86_64=y</dt>
<dd>DES and Triple DES EDE cipher algorithms<dd>
<dt>CONFIG_CRYPTO_SERPENT=y</dt>
<dd>Serpent cipher algorithm</dd>
<dt>CONFIG_CRYPTO_TWOFISH=y<dt>
<dd>Twofish cipher algorithm</dd>
<pre>
* MD4 digest algorithm
* MD5 digest algorithm
* SHA1 digest algorithm
* Blowfish cipher algorithm
* AES cipher algorithms
* CAST5 (CAST-128) cipher algorithm
* CAST6 (CAST-256) cipher algorithm
* Deflate compression algorithm
</pre>
<h3 id="virt">2.1.2.15 Virtualization</h3>
<dl>
<dt>CONFIG_KVM=y</dt>
<dd>Kernel-based Virtual Machine (KVM) support</dd>
<dt>CONFIG_KVM_INTEL=y</dt>
<dd>KVM for Intel processors support</dd>
<dd>Provides support for KVM on Intel processors equipped with the VT extensions.</dd>
<dt>CONFIG_KVM_AMD=y</dt>
<dd>KVM for AMD processors support</dd>
<dd>Provides support for KVM on AMD processors equipped with the
AMD-V (SVM) extensions.</dd>
<dt>CONFIG_KVM_DEVICE_ASSIGNMENT=n</dt>
<dd>KVM legacy PCI device assignment support (DEPRECATED)</dd>
<dt>CONFIG_VHOST_NET=y</dt>
<dd>Host kernel accelerator for virtio net<dd>
<dt>CONFIG_VHOST_VSOCK=y</dt>
<dd>vhost virtio-vsock driver</dd>
<dt>CONFIG_VHOST_CROSS_ENDIAN_LEGACY=y</dt>
<dd>Cross-endian support for vhost</dd>
</dl>
<h3 id="lib">2.1.2.16 Library routines</h3>
<h2 id="build">2.1.3. Build</h2>
<p>Make targets;</p>
<pre>
Other generic targets:
all - Build all targets marked with [*]
* vmlinux - Build the bare kernel
* modules - Build all modules
(default: ./usr)
Documentation targets:
Linux kernel internal documentation in different formats (Sphinx):
htmldocs - HTML
latexdocs - LaTeX
pdfdocs - PDF
epubdocs - EPUB
xmldocs - XML
cleandocs - clean all generated files
make SPHINXDIRS="s1 s2" [target] Generate only docs of folder s1, s2
valid values for SPHINXDIRS are: development-process media gpu 80211
make SPHINX_CONF={conf-file} [target] use *additional* sphinx-build
configuration. This is e.g. useful to build with nit-picking config.
Linux kernel internal documentation in different formats (DocBook):
htmldocs - HTML
pdfdocs - PDF
psdocs - Postscript
xmldocs - XML DocBook
mandocs - man pages
installmandocs - install man pages generated by mandocs
cleandocs - clean all generated DocBook files
Architecture specific targets (x86):
* bzImage - Compressed kernel image (arch/x86/boot/bzImage)
install - Install kernel using
(your) ~/bin/installkernel or
(distribution) /sbin/installkernel or
install to $(INSTALL_PATH) and run lilo
fdimage - Create 1.4MB boot floppy image (arch/x86/boot/fdimage)
fdimage144 - Create 1.4MB boot floppy image (arch/x86/boot/fdimage)
fdimage288 - Create 2.8MB boot floppy image (arch/x86/boot/fdimage)
isoimage - Create a boot CD-ROM image (arch/x86/boot/image.iso)
bzdisk/fdimage*/isoimage also accept:
FDARGS="..." arguments for the booted kernel
FDINITRD=file initrd for the booted kernel
i386_defconfig - Build for i386
x86_64_defconfig - Build for x86_64
make V=0|1 [targets] 0 => quiet build (default), 1 => verbose build
make V=2 [targets] 2 => give reason for rebuild of target
make O=dir [targets] Locate all output files in "dir", including .config
make C=1 [targets] Check all c source with $CHECK (sparse by default)
make C=2 [targets] Force check of all c source with $CHECK
make RECORDMCOUNT_WARN=1 [targets] Warn about ignored mcount sections
make W=n [targets] Enable extra gcc checks, n=1,2,3 where
1: warnings which may be relevant and do not occur too often
2: warnings which occur quite often but may still be relevant
3: more obscure warnings, can most likely be ignored
Multiple levels can be combined with W=12 or W=123
</pre>
<pre>
$ make -j $(nproc) bzImage modules
</pre>
<h2 id="install">2.1.5. Install</h2>
<pre>
modules_install - Install all modules to INSTALL_MOD_PATH (default: /)
firmware_install- Install all firmware to INSTALL_FW_PATH
(default: $(INSTALL_MOD_PATH)/lib/firmware)
modules_prepare - Set up for building external modules
headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH
</pre>
<pre>
$ sudo make modules_install
$ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.9.86-gnu
$ sudo cp System.map /boot/System.map-4.9.86-gnu
</pre>
<p>Update grub;</p>
<pre>
# grub-mkconfig -o /boot/grub/grub.cfg
</pre>
<h2 id="remove">2.1.6. Remove</h2>
<pre>
$ sudo rm -r /lib/modules/4.9.86-gnu
$ sudo rm /boot/vmlinuz-4.9.86-gnu
$ sudo rm /boot/System.map-4.9.86-gnu
</pre>
<a href="index.html">Core OS Index</a>
<p>This is part of the Hive System Documentation.
Copyright (C) 2018
Hive Team.
See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
for copying conditions.</p>
</body>
</html>