author | Silvino Silva <silvino@bk.ru> | 2018-03-10 14:55:29 +0000 |
---|---|---|
committer | Silvino Silva <silvino@bk.ru> | 2018-03-10 14:55:29 +0000 |
commit | 7e21c0085fec669979039856ea3754ac9573bbf3 (patch) | |
tree | ad9eba621c0a05a161de6a7ef8a3118de03d49e9 /core/linux.html | |
parent | 4d8088a7f539a80144f1b426b529ccd7441b9ccb (diff) | |
download | doc-7e21c0085fec669979039856ea3754ac9573bbf3.tar.gz |
core linux better config documentation
Diffstat (limited to 'core/linux.html')
-rw-r--r-- | core/linux.html | 731 |
1 files changed, 622 insertions, 109 deletions
diff --git a/core/linux.html b/core/linux.html index 3be6d77..de41572 100644 --- a/core/linux.html +++ b/core/linux.html @@ -1,4 +1,4 @@ - <!DOCTYPE html> +<!DOCTYPE html> <html dir="ltr" lang="en"> <head> <meta charset='utf-8'> @@ -16,26 +16,17 @@ <a href="https://www.kernel.org/">Linux Non-Libre</a> pages for more links and information.</p> - <h2 id="#linuxlibre">2.1.1. Port Linux Libre</h2> - - <p>Default crux configuration can be obtained from iso, - kernel port depend on <a href="reboot.html#dracut">dracut</a>, grub2 - and grub2-efi. You don't need them to build with pkgmk, to install - boot related tools use prt-get;</p> - + <p>Spectre-meltdown checker;</p> <pre> - $ prt-get depinst linux-gnu + https://github.com/speed47/spectre-meltdown-checker/ </pre> - <h2 id="kinstall">2.1.2. Manual Install</h2> + <h2 id="download">2.1.1. Download Linux Libre</h2> <p>Download Linux Source from <a href="http://linux-libre.fsfla.org/pub/linux-libre/releases/">linux libre</a>, or using the port system;</p> - <p>Linux-gnu port comes with default config that is a good starting - point to personalize according to your needs.</p> - <pre> $ mkdir ~/kernel $ cd ~/kernel 
@@ -75,15 +66,34 @@ $ patch -p1 < ../enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch </pre> - <p>Configure kernel according to your current kernel - hardware support;</p> + <p>Cleaning targets:</p> + + <pre> + clean - Remove most generated files but keep the config and + enough build support to build external modules + mrproper - Remove all generated files + config + various backup files + distclean - mrproper + remove editor backup and patch files + </pre> + + <p>Prepare sources for configuration;</p> + + <pre> + $ make distclean + </pre> + + <h2 id="configure">2.1.2. Configure</h2> + + <p>Port linux-gnu port comes with default configuration file that is + a good starting point to tune kernel according to your needs. To + automatically configure kernel with support to your hardware + based on modules loaded by current kernel run.</p> <pre> $ make localmodconfig </pre> - <p>Get information about your hardware, for example information - about which graphic module (driver) is in use + <p>To get more information about the hardware, for example + information about which graphic module (driver) is in use as root run;</p> <pre> 
@@ -91,101 +101,602 @@ Kernel driver in use: i915 </pre> - <p>Before start compiling check configuration;</p> + <p>Make configuration targets;</p> + + <pre> + config - Update current config utilising a line-oriented program + nconfig - Update current config utilising a ncurses menu based program + menuconfig - Update current config utilising a menu based program + xconfig - Update current config utilising a Qt based front-end + gconfig - Update current config utilising a GTK+ based front-end + oldconfig - Update current config utilising a provided .config as base + localmodconfig - Update current config disabling modules not loaded + localyesconfig - Update current config converting local mods to core + silentoldconfig - Same as oldconfig, but quietly, additionally update deps + defconfig - New config with default from ARCH supplied defconfig + savedefconfig - Save current config as ./defconfig (minimal config) + allnoconfig - New config where all options are answered with no + allyesconfig - New config where all options are accepted with yes + allmodconfig - New config selecting modules when possible + alldefconfig - New config with all symbols set to default + randconfig - New config with random answer to all options + listnewconfig - List new options + olddefconfig - Same as silentoldconfig but sets new symbols to their default value + kvmconfig - Enable additional options for kvm guest kernel support + xenconfig - Enable additional options for xen dom0 and guest kernel support + tinyconfig - Configure the tiniest possible kernel + </pre> + + <p>Following configuration try's to be generic about the hardware + support while addressing the requirements of applications such as + qemu, docker, etc. For more information about hardening options read + <a href="https://kernsec.org">kernsec.org</a>. Configure kernel + using ncurses;</p> <pre> $ make nconfig </pre> + <pre> + CONFIG_BUG_ON_DATA_CORRUPTION=y + + # Perform extensive checks on reference counting. 
+ CONFIG_REFCOUNT_FULL=y + + # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. + CONFIG_FORTIFY_SOURCE=y + + </pre> + + <h3 id="general">2.1.2.1 General Setup</h3> + <dl> + <dt>CONFIG_POSIX_MQUEUE=y</dt> + <dd>POSIX Message Queues</dd> + + <dt>CONFIG_VMAP_STACK=y</dt> + <dd>Use a virtually-mapped stack</dd> + <dd>Adds guard pages to kernel stacks (not all architectures + support this yet).</dd> + + <dt>CONFIG_CGROUPS=y</dt> + <dd>Control Group support</dd> + + <dt>CONFIG_MEMCG=y</dt> + <dd>Memory controller</dd> + + <dt>CONFIG_MEMCG_SWAP=y</dt> + <dd>Swap controller</dd> + + <dt>CONFIG_MEMCG_SWAP_ENABLED=y</dt> + <dd>Swap controller enabled by default</dd> + + <dt>CONFIG_BLK_CGROUP=y</dt> + <dd>IO controller</dd> + + <dt>CGROUP_SCHED=y</dt> + <dd>CPU controller</dd> + + <dt>FAIR_GROUP_SCHED=y</dt> + <dd>Group scheduling for SCHED_OTHER</dd> + + <dt>CONFIG_CFS_BANDWIDTH=y</dt> + <dd>CPU bandwidth provisioning for FAIR_GROUP_SCHED</dd> + + <dt>CONFIG_RT_GROUP_SCHED=y</dt> + <dd>Group scheduling for SCHED_RR/FIFO</dd> + + <dt>CONFIG_CGROUP_PIDS=y</dt> + <dd>PIDs controller</dd> + + <dd>Freezer controller</dd> + <dd>HugeTLB controller</dd> + <dd>Cpuset controller</dd> + <dd>Include legacy /proc/<pid>/cpuset file</dd> + <dd>Device controller</dd> + <dd>Simple CPU accounting controller</dd> + <dd>Perf controller</dd> + </dl> + + <h4>Namespaces support</h4> + <dl> + <dd>UTS namespace</dd> + <dd>IPC namespace</dd> + <dd>User namespace</dd> + <dd>PID Namespaces</dd> + <dd>Network namespace</dd> + </dl> + + <dl> + + <dt>CONFIG_COMPAT_BRK=n</dt> + <dd>Disable heap randomization</dd> + <dd>Dangerous; enabling this disables brk ASLR.</dd> + + <dt>CONFIG_SLAB_FREELIST_RANDOM=y</dt> + <dd>Randomize allocator freelists, harden metadata.</dd> + + <dt>CONFIG_SLAB_FREELIST_HARDENED=y</dt> + <dd>Randomize allocator freelists, harden metadata.</dd> + + <dt>CONFIG_SLUB_DEBUG=y<dt> + <dd>Enable SLUB debugging 
support</dd> + <dd>Allow allocator validation checking to be enabled + (see "slub_debug=P" below).</dd> + + <dt>CONFIG_CC_STACKPROTECTOR=y</dt> + <dd>Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.</dd> + + <dt>CONFIG_CC_STACKPROTECTOR_STRONG=y</dt> + <dd>Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.</dd> + </dl> + + + <h3 id="mod">2.1.2.2 Enable loadable module support</h3> + <dl> + + <dt>CONFIG_MODULES=y</dt> + <dd>Enable loadable module support + <dd>Keep root from altering kernel memory via loadable modules. + set CONFIG_MODULES=n</dd> + <dd>But if CONFIG_MODULE=y is needed, at least they must be + signed with a per-build key.<dd> + + <dt>CONFIG_DEBUG_SET_MODULE_RONX=y</dt> + <dd>(prior to v4.11)</dd> + + <dt>CONFIG_STRICT_MODULE_RWX=y</dt> + <dd>(since v4.11)</dd> + + <dt>CONFIG_MODULE_SIG=y</dt> + <dd>Module signature verification</dd> + + <dt>CONFIG_MODULE_SIG_FORCE=y</dt> + <dd>Require modules to be validly signed</dd> + + <dt>CONFIG_MODULE_SIG_ALL=y</dt> + <dd>Automatically sign all modules</dd> + + <dt>CONFIG_MODULE_SIG_SHA512=y</dt> + <dd>Sign modules with SHA-512</dd> + </dl> + + <h3 id="block">2.1.2.3 Enable the block layer</h3> + <dl> + <dt>BLK_DEV_THROTTLING=y</dt> + <dd>Block layer bio throttling support</dd> + + <dt>IOSCHED_CFQ=y</dt> + <dd>CFQ IO scheduler</dd> + + <dt>CONFIG_CFQ_GROUP_IOSCHED=y</dt> + <dd>CFQ Group Scheduling support</dd> + </dl> + + <h3 id="proc">2.1.2.4 Processor type and features</h3> + + <dl> + <dt>CONFIG_DEFAULT_MMAP_MIN_ADDR=65536</dt> + <dd>Low address space to protect from user allocation</dd> + <dd>Disallow allocating the first 64k of memory.</dd> + + <dt>X86_VSYSCALL_EMULATION=n</dt> + <dd>Enable vsyscall emulation</dd> + <dd>Required by programs before 2013, some programs my + require.</dd> + <dd>Remove additional attack surface, unless you really + need them.</dd> + + <dt>CONFIG_SECCOMP=y</dt> + <dd>Enable seccomp to safely compute untrusted bytecode</dd> + <dd>Provide 
userspace with seccomp BPF API for syscall attack surface reduction.</dd> + + <dt>CONFIG_SECCOMP_FILTER=y</dt> + <dd>Provide userspace with seccomp BPF API for syscall attack surface reduction.</dd> + + <dt>CONFIG_KEXEC=n</dt> + <dd>kexec system call</dd> + <dd>Dangerous; enabling this allows replacement + of running kernel.</dd> + + <dt>CONFIG_RANDOMIZE_BASE=y</dt> + <dd>Randomize the address of the kernel image (KASLR)</dd> + + <dt>CONFIG_RANDOMIZE_MEMORY=y</dt> + <dd>Randomize the kernel memory sections</dd> + + <dt>CONFIG_LEGACY_VSYSCALL_NONE=y</dt> + <dd>vsyscall table for legacy applications (None)</dd> + <dd>Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.</dd> + + <dt>CONFIG_COMPAT_VDSO=n</dt> + <dd>Disable the 32-bit vDSO (needed for glibc 2.3.3)</dd> + <dd>Dangerous; enabling this disables VDSO ASLR.</dd> + + <dt>CONFIG_MODIFY_LDT_SYSCALL=n</dt> + <dd>Enable the LDT (local descriptor table)</dd> + <dd>Remove additional attack surface, unless you really need them.</dd> + </dl> + + <h3 id="acpi">2.1.2.5 Power management and ACPI options</h3> + + <dl> + <dt>CONFIG_HIBERNATION=n</dt> + <dd>Hibernation (aka 'suspend to disk')</dd> + <dd>Dangerous; enabling this allows replacement of running + kernel.</dd> + + <dt>CONFIG_ACPI_CUSTOM_METHOD=n</dt> + <dd>Allow ACPI methods to be inserted/replaced at run time</dd> + <dd>Dangerous; enabling this allows direct physical + memory writing.</dd> + </dl> + + + <h3 id="bus">2.1.2.6 Bus options (PCI etc.)</h3> + <h3 id="exec">2.1.2.7 Executable file formats / Emulations</h3> + <dl> + + <dt>CONFIG_BINFMT_MISC=n</dt> + <dd>Kernel support for MISC binaries</dd> + <dd>Easily confused by misconfigured userspace, keep off.</dd> + + <dt>CONFIG_IA32_EMULATION</dt> + <dd>Remove additional attack surface, unless you really need them.</dd> + <dt>CONFIG_X86_X32</dt> + <dd>Remove additional attack surface, unless you really need them.</dd> + </dl> + + <h3 id="net">2.1.2.8 Networking 
support</h3> + <h4>Networking options</h4> + <dl> + <dt>CONFIG_INET_DIAG=m</dt> + <dd>INET: socket monitoring interface</dd> + <dd>Support for INET (TCP, DCCP, etc) socket monitoring + interface used by native Linux tools such as ss. ss is + included in iproute2</dd> + <dd>Prior to v4.1, assists heap memory attacks; + best to keep interface disabled.</dd> + + <dt>CONFIG_BRIDGE=y</dt> + <dd>802.1d Ethernet Bridging</dd> + + <dt>CONFIG_NET_SCHED=y</dt> + <dd>QoS and/or fair queueing</dd> + + <dt>CONFIG_NET_CLS_CGROUP=y</dt> + <dd>Control Group Classifier</dd> + + <dt>CONFIG_VSOCKETS=y</dt> + <dd>Virtual Socket protocol</dd> + + <dt>CONFIG_VIRTIO_VSOCKETS=y<dt> + <dd>virtio transport for Virtual Sockets</dd> + + <dt>CONFIG_NET_L3_MASTER_DEV=y</dt> + <dd>L3 Master device support</dd> + + <dt>CONFIG_CGROUP_NET_PRIO=y</dt> + <dd>Network priority cgroup</dd> + + <dt>CGROUP_NET_CLASSID=y</dt> + <dd>Network classid cgroup</dd> + + </dl> + + <dl> + <dt>CONFIG_NETFILTER=y</dt> + <dd>Network packet filtering framework (Netfilter)</dd> + + <dt>CONFIG_NETFILTER_ADVANCED=y</dt> + <dd>Advanced netfilter configuration</dd> + + <dt>BRIDGE_NETFILTER=y</dt> + <dd>Bridged IP/ARP packets filtering</dd> + + <dt>NF_CONNTRACK=y</dt> + <dd>Netfilter connection tracking support</dd> + + <dt>NETFILTER_XT_MATCH_ADDRTYPE=y</dt> + <dd>"addrtype" address type match support</dd> + + <dt>NETFILTER_XT_MATCH_CONNTRACK=y</dt> + <dd>"conntrack" connection tracking match support</dd> + + <dt>CONFIG_NETFILTER_XT_MATCH_IPVS=y</dt> + <dd>"ipvs" match support</dd> + + <dt>CONFIG_IP_VS=y</dt> + <dd>IP virtual server support</dd> + + <dt>IP_VS_PROTO_TCP=y</dt> + <dd>TCP load balancing support</dd> + + <dt>IP_VS_PROTO_UDP=y</dt> + <dd>UDP load balancing support</dd> + + <dt>IP_VS_RR=y</dt> + <dd>round-robin scheduling</dd> + + <dt>IP_VS_NFCT=y</dt> + <dd>Netfilter connection tracking</dd> + + <dt>CONFIG_NF_CONNTRACK_IPV4=y</dt> + <dd>IPv4 connection tracking support (required for NAT)</dd> + + 
<dt>NF_NAT_IPV4=y</dt> + <dd>IPv4 NAT</dd> + + <dt>NF_NAT_MASQUERADE_IPV4=y</dt> + <dd>IPv4 masquerade support</dd> + + <dt>IP_NF_IPTABLES=y</dt> + <dd>IP tables support (required for filtering/masq/NAT)</dd> + + <dt>IP_NF_FILTER=y</dt> + <dd>Packet filtering</dd> + + <dt>CONFIG_IP_NF_NAT=y</dt> + <dd>iptables NAT support</dd> + + <dt>IP_NF_TARGET_MASQUERADE=y</dt> + <dd>MASQUERADE target support</dd> + + <dt>IP_NF_TARGET_NETMAP=y</dt> + <dd>NETMAP target support</dd> + + <dt>IP_NF_TARGET_REDIRECT=y</dt> + <dd>REDIRECT target support</dd> + + <dt>CONFIG_SYN_COOKIES=y</dt> + <dd>IP: TCP syncookie support</dd> + <dd>Provides some protections against SYN flooding.</dd> + + </dl> + + <h3 id="drivers">2.1.2.9 Device Drivers</h3> + + <h4>Multiple devices driver support (RAID and LVM)</h4> + + <dl> + <dt>CONFIG_MD=y</dt> + <dd>Multiple devices driver support (RAID and LVM)</dd> + <dt>CONFIG_BLK_DEV_DM=y</dt> + <dd>Device mapper support</dd> + <dt>DM_THIN_PROVISIONING=y</dt> + <dd>Thin provisioning target<dd> + </dl> + + <h4>Network device support</h4> + + <dl> + <dt>CONFIG_NETDEVICES=y</dt> + <dd>Network device support</dd> + + <dt>NET_CORE=y</dt> + <dd>Network core driver support</dd> + + <dt>CONFIG_DUMMY=y</dt> + <dd>Dummy net driver support</dd> + + <dt>CONFIG_MACVLAN=y</dt> + <dd>MAC-VLAN support</dd> + <dd>This allows one to create virtual interfaces that map + packets to or from specific MAC addresses to a particular + interface. 
Macvlan devices can be added using the "ip" command + from the route2 package starting with the iproute2.</dd> + <dd>ip link add link <real dev> [ address MAC ] [ NAME ] type macvlan"</dd> + + <dt>CONFIG_VXLAN=y</dt> + <dd>Virtual eXtensible Local Area Network (VXLAN)</dd> + + <dt>CONFIG_TUN=y</dt> + <dd>Universal TUN/TAP device driver support</dd> + + <dt>CONFIG_VETH=y</dt> + <dd>Virtual ethernet pair device</dd> + + + <dt>IPVLAN=n</dt> + <dd>IP-VLAN support</dd> + <dd>Requires ipv6</dd> + </dl> + + <h4>Character devices</h4> + <dl> + <dt>CONFIG_DEVMEM=n</dt> + <dd>/dev/mem virtual device support</dd> + <dd>Do not allow direct physical memory access (but if you must have it, at least enable CONFIG_STRICT_DEVMEM mode...)</dd> + + <dd>Enable TTY</dd> + <dd>Unix98 PTY support</dd> + + <dt>CONFIG_LEGACY_PTYS=n</dt> + <dd>Legacy (BSD) PTY support</dd> + <dd>Use the modern PTY interface (devpts) only.</dd> + + <dd>Support multiple instances of devpts</dd> + + <dt>CONFIG_DEVKMEM=n</dt> + <dd>/dev/kmem virtual device support</dd> + <dd>Dangerous; enabling this allows direct kernel + memory writing.</dd> + </dl> + + <h3 id="firm">2.1.2.10 Firmware Drivers</h3> + <h3 id="fs">2.1.2.11 File systems</h3> + <dl> + <dd>Overlay filesystem support</dd> + + <dt>CONFIG_PROC_KCORE=n</dt> + <dd>/proc/kcore support</dd> + <dd>Dangerous; exposes kernel text image layout.</dd> + + <dd>HugeTLB file system support</dd> + + </dl> + + <h3 id="hack">2.1.2.12 Kernel hacking</h3> + + <dl> + <dt>CONFIG_DEBUG=y</dt> + <dt>CONFIG_DEBUG_RODATA=y</dt> + + <dt>CONFIG_DEBUG_KERNEL=y</dt> + <dd>Kernel debugging</dd> + <dd>Make sure kernel page tables have safe permissions.</dd> + + <dt>CONFIG_STRICT_KERNEL_RWX=y</dt> + <dd>since v4.11</dd> + <dd>Make sure kernel page tables have safe permissions.</dd> + + <dt>CONFIG_PANIC_ON_OOPS=y</dt> + <dd>Panic on Oops</dd> + <dd>This feature is useful to ensure that the kernel does not do + anything erroneous after an oops which could result in data + corruption 
or other issues.</dd> + + <dt>CONFIG_PANIC_TIMEOUT=-1</dt> + <dd>Reboot devices immediately if kernel experiences an Oops.</dd> + + <dt>CONFIG_SCHED_STACK_END_CHECK=y</dt> + <dd>Detect stack corruption on calls to schedule()</dd> + <dd>Perform additional validation of various commonly targeted structures.</dd> + + <dt>CONFIG_DEBUG_LIST=y</dt> + <dd>Debug linked list manipulation</dd> + <dd>Perform additional validation of various commonly targeted structures.</dd> + + <dt>CONFIG_DEBUG_SG=y</dt> + <dd>Debug SG table operations</dd> + <dd>Perform additional validation of various commonly targeted structures.</dd> + + <dt>CONFIG_DEBUG_NOTIFIERS=y</dt> + <dd>Debug notifier call chains</dd> + <dd>Perform additional validation of various commonly + targeted structures.</dd> + + <dt>CONFIG_DEBUG_CREDENTIALS=y</dt> + <dd>Debug credential management</dd> + <dd>Perform additional validation of various commonly + targeted structures.</dd> + + <dt>CONFIG_STRICT_DEVMEM=y</dt> + <dd>Filter access to /dev/mem</dd> + <dd>Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)</dd> + + <dt>CONFIG_IO_STRICT_DEVMEM=y</dt> + <dd>Filter I/O access to /dev/mem</dd> + <dd>Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)</dd> + + <dt>CONFIG_DEBUG_WX=y</dt> + <dd>Warn on W+X mappings at boot</dd> + <dd>Report any dangerous memory permissions + (not available on all archs).</dd> + + + </dl> + + <h4>Compile-time checks and compiler options</h4> + <dl> + <dt>CONFIG_DEBUG_FS=y</dt> + <dd>Debug Filesystem</dd> + + </dl> + + <h4>Memory Debugging</h4> + <dl> + <dt>CONFIG_PAGE_POISONING=y</dt> + <dd>Poison pages after freeing</dd> + <dd>Wipe higher-level memory allocations when they are freed + (needs "page_poison=1" command line below).</dd> + + <dt>CONFIG_PAGE_POISONING_NO_SANITY=y</dt> + <dd>Only poison, don't sanity check</dd> + <dd>(If you can afford even more performance penalty, + leave 
CONFIG_PAGE_POISONING_NO_SANITY=n)</dd> + + <dt>CONFIG_PAGE_POISONING_ZERO=y</dt> + <dd>Use zero for poisoning instead of random data</dd> + + </dl> + + <h3 id="sec">2.1.2.13 Security options</h3> + + <dl> + <dd>Enable access key retention support</dd> + <dd>Enable register of persistent per-UID keyrings</dd> + <dd>ENCRYPTED KEYS</dd> + <dd>Diffie-Hellman operations on retained keys</dd> + + <dt>CONFIG_SECURITY=y</dt> + <dd>Enable different security models</dd> + <dd>Provide userspace with ptrace ancestry protections.</dd> + + <dt>CONFIG_HARDENED_USERCOPY=y</dt> + <dd>Harden memory copies between kernel and userspace</dd> + <dd>Perform usercopy bounds checking.</dd> + + <dt>SECURITY_SELINUX=n</dt> + <dd>NSA SELinux Support</dd> + <dt>CONFIG_SECURITY_SELINUX_DISABLE=n</dt> + <dd>NSA SELinux runtime disable</dd> + <dd>If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.</dd> + + <dt>CONFIG_SECURITY_APPARMOR=y</dt> + <dd>AppArmor support</dd> + <dd>This enables the AppArmor security module. 
Rquired userspace + tools (if they are not included in your distribution) and further + information may be found at <a href="apparmor.html">AppArmor</a></dd> + <dt>CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1</dt> + <dd>AppArmor boot parameter default value</dd> + + <dt>CONFIG_SECURITY_YAMA=y</dt> + <dd>Yama support</dd> + <dd>Provide userspace with ptrace ancestry protections.</dd> + </dl> + + <h3 id="crypt">2.1.2.14 Cryptographic API</h3> + <h3 id="virt">2.1.2.15 Virtualization</h3> + + <dl> + <dt>CONFIG_KVM=y</dt> + <dd>Kernel-based Virtual Machine (KVM) support</dd> + + <dt>CONFIG_KVM_INTEL=y</dt> + <dd>KVM for Intel processors support</dd> + <dd>Provides support for KVM on Intel processors equipped with the VT extensions.</dd> + + <dt>CONFIG_KVM_AMD=y</dt> + <dd>KVM for AMD processors support</dd> + <dd>Provides support for KVM on AMD processors equipped with the + AMD-V (SVM) extensions.</dd> + + <dt>CONFIG_KVM_DEVICE_ASSIGNMENT=n</dt> + <dd>KVM legacy PCI device assignment support (DEPRECATED)</dd> + + <dt>CONFIG_VHOST_NET=y</dt> + <dd>Host kernel accelerator for virtio net<dd> + + <dt>CONFIG_VHOST_VSOCK=y</dt> + <dd>vhost virtio-vsock driver</dd> + + <dt>CONFIG_VHOST_CROSS_ENDIAN_LEGACY=y</dt> + <dd>Cross-endian support for vhost</dd> + </dl> + + <h3 id="lib">2.1.2.16 Library routines</h3> + + <h2 id="build">2.1.3. 
Build</h2> + <p>Make targets;</p> <pre> - $ make help - Cleaning targets: - clean - Remove most generated files but keep the config and - enough build support to build external modules - mrproper - Remove all generated files + config + various backup files - distclean - mrproper + remove editor backup and patch files - - Configuration targets: - config - Update current config utilising a line-oriented program - nconfig - Update current config utilising a ncurses menu based - program - menuconfig - Update current config utilising a menu based program - xconfig - Update current config utilising a Qt based front-end - gconfig - Update current config utilising a GTK+ based front-end - oldconfig - Update current config utilising a provided .config as base - localmodconfig - Update current config disabling modules not loaded - localyesconfig - Update current config converting local mods to core - silentoldconfig - Same as oldconfig, but quietly, additionally update deps - defconfig - New config with default from ARCH supplied defconfig - savedefconfig - Save current config as ./defconfig (minimal config) - allnoconfig - New config where all options are answered with no - allyesconfig - New config where all options are accepted with yes - allmodconfig - New config selecting modules when possible - alldefconfig - New config with all symbols set to default - randconfig - New config with random answer to all options - listnewconfig - List new options - olddefconfig - Same as silentoldconfig but sets new symbols to their - default value - kvmconfig - Enable additional options for kvm guest kernel support - xenconfig - Enable additional options for xen dom0 and guest kernel support - tinyconfig - Configure the tiniest possible kernel - Other generic targets: all - Build all targets marked with [*] * vmlinux - Build the bare kernel * modules - Build all modules - modules_install - Install all modules to INSTALL_MOD_PATH (default: /) - firmware_install- Install all firmware to 
INSTALL_FW_PATH - (default: $(INSTALL_MOD_PATH)/lib/firmware) - dir/ - Build all files in dir and below - dir/file.[ois] - Build specified target only - dir/file.lst - Build specified mixed source/assembly target only - (requires a recent binutils and recent build (System.map)) - dir/file.ko - Build module including final link - modules_prepare - Set up for building external modules - tags/TAGS - Generate tags file for editors - cscope - Generate cscope index - gtags - Generate GNU GLOBAL index - kernelrelease - Output the release version string (use with make -s) - kernelversion - Output the version stored in Makefile (use with make -s) - image_name - Output the image name (use with make -s) - headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH (default: ./usr) - Static analysers - checkstack - Generate a list of stack hogs - namespacecheck - Name space analysis on compiled kernel - versioncheck - Sanity check on version.h usage - includecheck - Check for duplicate included header files - export_report - List the usages of all exported symbols - headers_check - Sanity check on exported headers - headerdep - Detect inclusion cycles in headers - coccicheck - Check with Coccinelle. - - Kernel selftest - kselftest - Build and run kernel selftest (run as root) - Build, install, and boot kernel before - running kselftest on it - kselftest-clean - Remove all generated kselftest files - kselftest-merge - Merge all the config dependencies of kselftest to existed - .config. 
- - Kernel packaging: - rpm-pkg - Build both source and binary RPM kernel packages - binrpm-pkg - Build only the binary kernel RPM package - deb-pkg - Build both source and binary deb kernel packages - bindeb-pkg - Build only the binary kernel deb package - tar-pkg - Build the kernel as an uncompressed tarball - targz-pkg - Build the kernel as a gzip compressed tarball - tarbz2-pkg - Build the kernel as a bzip2 compressed tarball - tarxz-pkg - Build the kernel as a xz compressed tarball - perf-tar-src-pkg - Build perf-4.9.9-gnu.tar source tarball - perf-targz-src-pkg - Build perf-4.9.9-gnu.tar.gz source tarball - perf-tarbz2-src-pkg - Build perf-4.9.9-gnu.tar.bz2 source tarball - perf-tarxz-src-pkg - Build perf-4.9.9-gnu.tar.xz source tarball - Documentation targets: Linux kernel internal documentation in different formats (Sphinx): htmldocs - HTML @@ -210,12 +721,6 @@ installmandocs - install man pages generated by mandocs cleandocs - clean all generated DocBook files - make DOCBOOKS="s1.xml s2.xml" [target] Generate only docs s1.xml s2.xml - valid values for DOCBOOKS are: z8530book.xml kernel-hacking.xml kernel-locking.xml deviceiobook.xml writing_usb_driver.xml networking.xml kernel-api.xml filesystems.xml lsm.xml usb.xml kgdb.xml gadget.xml libata.xml mtdnand.xml librs.xml rapidio.xml genericirq.xml s390-drivers.xml uio-howto.xml scsi.xml debugobjects.xml sh.xml regulator.xml alsa-driver-api.xml writing-an-alsa-driver.xml tracepoint.xml w1.xml writing_musb_glue_layer.xml crypto-API.xml iio.xml - - make DOCBOOKS="" [target] Don't generate docs from Docbook - This is useful to generate only the ReST docs (Sphinx) - Architecture specific targets (x86): * bzImage - Compressed kernel image (arch/x86/boot/bzImage) install - Install kernel using 
@@ -244,15 +749,23 @@ 2: warnings which occur quite often but may still be relevant 3: more obscure warnings, can most likely be ignored Multiple levels can be combined with W=12 or W=123 - - Execute "make" or "make all" to build all targets marked with [*] - For further info see the ./README file - $ </pre> <pre> $ make -j $(nproc) bzImage modules + </pre> + + <h2 id="install">2.1.5. Install</h2> + <pre> + modules_install - Install all modules to INSTALL_MOD_PATH (default: /) + firmware_install- Install all firmware to INSTALL_FW_PATH + (default: $(INSTALL_MOD_PATH)/lib/firmware) + modules_prepare - Set up for building external modules + headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH + </pre> + + <pre> $ sudo make modules_install $ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.9.86-gnu $ sudo cp System.map /boot/System.map-4.9.86-gnu @@ -264,7 +777,7 @@ # grub-mkconfig -o /boot/grub/grub.cfg </pre> - <h2 id="kuninstall">2.1.3. Manual Remove</h2> + <h2 id="remove">2.1.6. Remove</h2> <pre> $ sudo rm -r /lib/modules/4.9.86-gnu |
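Review bot: the spectre-meltdown-checker reference added in the @@ -16,26 +16,17 @@ hunk is a bare URL inside `<pre>` with only "Spectre-meltdown checker;" as explanation, so it is not clickable and does not say what the reader should do with it. Make it an `<a href>` like the kernel.org link just above it and add a sentence on when the check is meant to be run. The same hunk drops `$ prt-get depinst linux-gnu` while the new Configure text still refers to the linux-gnu port, so keep one line on how the port is obtained.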
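Review bot: in the @@ -75,15 +66,34 @@ hunk, `$ make distclean` is placed right before the Configure section, and the target list added above it says mrproper removes "all generated files + config", so a default configuration file from the port that was copied into the tree earlier is deleted before `make localmodconfig` runs. State where the port's configuration file comes from and that it is copied in after the clean step, or use `make clean` if the config is meant to survive. The new paragraph also reads "Port linux-gnu port comes" (duplicated word) and ends with "run." before the `<pre>`, where the rest of the page uses a semicolon.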
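Review bot: several entries in the @@ -91,101 +101,602 @@ hunk show a value that their own description argues against or does not match: `CONFIG_MODULES=y` is followed by "set CONFIG_MODULES=n", `CONFIG_INET_DIAG=m` by "best to keep interface disabled", and `CONFIG_SECURITY=y` carries the Yama text "Provide userspace with ptrace ancestry protections". For each, state the value this configuration actually uses and the reason, and fix "CONFIG_MODULE=y" to `CONFIG_MODULES=y`. The markup also needs a pass: `CONFIG_SLUB_DEBUG=y<dt>`, `CONFIG_VIRTIO_VSOCKETS=y<dt>`, "Thin provisioning target<dd>", "virtio net<dd>" and "per-build key.<dd>" open a second tag instead of closing, "Enable loadable module support" has no closing `</dd>`, and `<pid>` and `<real dev>` are unescaped. Many `<dt>` names lack the `CONFIG_` prefix used elsewhere (`CGROUP_SCHED`, `IP_VS_RR`, `SECURITY_SELINUX`), `CONFIG_IA32_EMULATION` and `CONFIG_X86_X32` have no value, `CONFIG_DEBUG=y` and `CONFIG_DEBUG_RODATA=y` have no description, and a number of `<dd>` lines (Freezer controller, the namespaces, Overlay filesystem support) have no `<dt>` at all.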
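Review bot: the heading added in the @@ -244,15 +749,23 @@ hunk is numbered "2.1.5. Install", but the previous heading is "2.1.3. Build" and the next is "2.1.6. Remove", so 2.1.4 is skipped; renumber Install and Remove or add the missing section. The `<pre>` that follows lists `firmware_install`, `modules_prepare` and `headers_install` without an introducing `<p>`, and the commands below it only use `modules_install`, so either drop the unused targets or say when they are needed.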
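Review bot: the heading id changes from `kuninstall` to `remove` in the @@ -264,7 +777,7 @@ hunk (and from `kinstall` to `download` in the @@ -16,26 +16,17 @@ hunk), which breaks any existing link to `linux.html#kuninstall` or `linux.html#kinstall`. Search the other pages for those fragments and update them in the same commit, or keep the old ids on the renamed headings.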