diff options
| author | Silvino Silva <silvino@bk.ru> | 2018-03-10 14:55:29 +0000 |
|---|---|---|
| committer | Silvino Silva <silvino@bk.ru> | 2018-03-10 14:55:29 +0000 |
| commit | 7e21c0085fec669979039856ea3754ac9573bbf3 (patch) | |
| tree | ad9eba621c0a05a161de6a7ef8a3118de03d49e9 /core | |
| parent | 4d8088a7f539a80144f1b426b529ccd7441b9ccb (diff) | |
| download | doc-7e21c0085fec669979039856ea3754ac9573bbf3.tar.gz | |
core linux better config documentation
Diffstat (limited to 'core')
| -rw-r--r-- | core/index.html | 283 | ||||
| -rw-r--r-- | core/linux.html | 731 | ||||
| -rw-r--r-- | core/reboot.html | 14 |
3 files changed, 786 insertions, 242 deletions
diff --git a/core/index.html b/core/index.html index 217ae01..7818109 100644 --- a/core/index.html +++ b/core/index.html @@ -1,139 +1,162 @@ <!DOCTYPE html> <html dir="ltr" lang="en"> <head> - <meta charset='utf-8'> - <title>c9 Core OS</title> + <meta charset='utf-8'> + <title>c9 Core OS</title> </head> <body> - <a href="../index.html">Documentation Index</a> - - <h1>c9 Core OS</h1> - - <p>c9 Core OS covers installation and configuration of - basic functionality of Crux 3.3 Gnu\Linux operating system. - This documentation try's to follow Crux HandBook installation - method diverges, for example, by only installing and - documenting gpt and grub2.<p> - - <p>Read <a href="https://crux.nu/Main/Handbook3-3">Crux HandBook</a>, - you can ask for help on freenode #crux. Check <a href="scripts/">scripts</a> - folder the install process is automated and <a href="ports/">ports</a> - for extra ports used during the installation.</p> - - <h2>1. Install Crux 3.3 Gnu/Linux</h2> - - <ul> - <li><a href="install.html">1.1. Install Crux 3.3</a> - <ul> - <li><a href="install.html#step1">1.1.1. Download</a></li> - <li><a href="install.html#step2">1.1.2. Prepare target</a></li> - <li><a href="install.html#step3">1.1.3. Prepare install</a></li> - <li><a href="install.html#step4">1.1.4. Install</a></li> - <li><a href="install.html#step5">1.1.5. Install extra packages</a></li> - <li><a href="install.html#step6">1.1.6. Install extra ports</a></li> - <li><a href="install.html#step7">1.1.7. DNS Resolver</a></li> - <li><a href="install.html#step8">1.1.8. Install Handbook</a></li> - <li><a href="install.html#step9">1.1.9. Install Skeletons</a></li> - </ul> - </li> - - <li><a href ="configure.html">1.2. Configure</a> - <ul> - <li><a href="configure.html#hostname">1.2.1. Set hostname and hosts</a></li> - <li><a href="configure.html#time">1.2.2. Set timezone</a></li> - <li><a href="configure.html#locale">1.2.3. Set lacale</a></li> - <li><a href="configure.html#user">1.2.4. Users</a></li> - <li><a href="configure.html#fstab">1.2.5. File system table</a></li> - <li><a href="configure.html#rcconf">1.2.6. Initialization Scripts</a></li> - </ul> - </li> - - <li><a href="ports.html">1.3. Ports</a> - <ul> - <li><a href="ports.html#filesystem">1.3.1. Ports Layout</a></li> - <li><a href="ports.html#fakeroot">1.3.2. Build as user</a></li> - <li><a href="ports.html#pkgmk">1.3.3. Configure pkgmk</a></li> - <li><a href="ports.html#prtget">1.3.4. Configure prt-get</a></li> - </ul> - </li> - - <li><a href="reboot.html">1.4. Prepare for reboot</a> - <ul> - <li><a href="reboot.html#linux">1.4.1. Kernel</a></li> - <li><a href="reboot.html#dracut">1.4.2. Dracut</a></li> - <li><a href="reboot.html#grub">1.4.3. Grub</a></li> - <li><a href="reboot.html#checkup">1.4.4. Checkup</a></li> - </ul> - </li> - </ul> - - <h2>2. System Administration</h2> - - <ul> - - <li><a href="linux.html">2.1. Linux Kernel</a> - <ul> - <li><a href="linux.html#linuxlibre">2.1.1. Port Linux libre</a></li> - <li><a href="linux.html#kinstall">2.1.2. Manual install</a></li> - <li><a href="linux.html#kuninstall">2.1.3. Manual remove</a></li> - </ul> - </li> - <li><a href="hardening.html">2.2. Hardening</a> - <ul> - <li><a href="apparmor.html">2.2.1. AppArmor</a></li> - <li><a href="sysctl.html">2.2.2. Sysctl</a></li> - <li><a href="toolchain.html">2.2.3. Toolchain</a></li> - <li><a href="samhain.html">2.2.4. Samhain</a></li> - </ul> - </li> - <li><a href="network.html">2.3. Network</a> - <ul> - <li><a href="network.html#resolv">2.3.1. Resolver</a></li> - <li><a href="network.html#static">2.3.2. Static ip</a></li> - <li><a href="network.html#iptables">2.3.3. Iptables</a></li> - <li><a href="network.html#wpa">2.3.4. Wpa and dhcpd</a></li> - </ul> - </li> - - <li><a href="package.html">2.4. Package Management</a> - <ul> - <li><a href="package.html#sysup">2.4.1. Update system</a></li> - <li><a href="package.html#depinst">2.4.2. Install ports and dependencies</a></li> - <li><a href="package.html#ports">2.4.3. Ports collections</a></li> - <li><a href="package.html#info">2.4.3. Show port information</a></li> - <li><a href="package.html#depends">2.4.4. Show port dependencies</a></li> - <li><a href="package.html#printf">2.4.5. Print information</a></li> - </ul> - </li> - - <li><a href="tty-terminal.html">2.5. Terminals and shells</a> - <ul> - <li><a href="dash.html">2.5.1. Dash</a></li> - <li><a href="bash.html">2.5.2. Bash</a></li> - <li><a href="tmux.html">2.5.3. Tmux</a></li> - </ul> - </li> - <li><a href="exim.html">2.6. Exim</a> - <ul> - <li><a href="exim.html#conf">2.6.1. Exim configuration</a></li> - <li><a href="exim.html#cert">2.6.2. Certificates</a></li> - <li><a href="exim.html#alias">2.6.3. Aliases</a></li> - <li><a href="exim.html#smarthost">2.6.4. Smarthost</a></li> - <li><a href="exim.html#fetchmail">2.6.5. Fetchmail</a></li> - </ul> - </li> - - </ul> - - <a href="../index.html">Documentation Index</a> - - <p> - This is part of the c9-doc Manual. - Copyright (C) 2017 - c9 team. - See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> - for copying conditions.</p> + <a href="../index.html">Documentation Index</a> + + <h1>c9 Core OS</h1> + + <p>c9 Core OS covers installation and configuration of + basic functionality of Crux 3.3 Gnu\Linux operating system. + This documentation try's to follow Crux HandBook installation + method diverges, for example, by only installing and + documenting gpt and grub2.<p> + + <p>Read <a href="https://crux.nu/Main/Handbook3-3">Crux HandBook</a>, + you can ask for help on freenode #crux. Check <a href="scripts/">scripts</a> + folder the install process is automated and <a href="ports/">ports</a> + for extra ports used during the installation.</p> + + <h2>1. Install Crux 3.3 Gnu/Linux</h2> + + <ul> + <li><a href="install.html">1.1. Install Crux 3.3</a> + <ul> + <li><a href="install.html#step1">1.1.1. Download</a></li> + <li><a href="install.html#step2">1.1.2. Prepare target</a></li> + <li><a href="install.html#step3">1.1.3. Prepare install</a></li> + <li><a href="install.html#step4">1.1.4. Install</a></li> + <li><a href="install.html#step5">1.1.5. Install extra packages</a></li> + <li><a href="install.html#step6">1.1.6. Install extra ports</a></li> + <li><a href="install.html#step7">1.1.7. DNS Resolver</a></li> + <li><a href="install.html#step8">1.1.8. Install Handbook</a></li> + <li><a href="install.html#step9">1.1.9. Install Skeletons</a></li> + </ul> + </li> + + <li><a href ="configure.html">1.2. Configure</a> + <ul> + <li><a href="configure.html#hostname">1.2.1. Set hostname and hosts</a></li> + <li><a href="configure.html#time">1.2.2. Set timezone</a></li> + <li><a href="configure.html#locale">1.2.3. Set lacale</a></li> + <li><a href="configure.html#user">1.2.4. Users</a></li> + <li><a href="configure.html#fstab">1.2.5. File system table</a></li> + <li><a href="configure.html#rcconf">1.2.6. Initialization Scripts</a></li> + </ul> + </li> + + <li><a href="ports.html">1.3. Ports</a> + <ul> + <li><a href="ports.html#filesystem">1.3.1. Ports Layout</a></li> + <li><a href="ports.html#fakeroot">1.3.2. Build as user</a></li> + <li><a href="ports.html#pkgmk">1.3.3. Configure pkgmk</a></li> + <li><a href="ports.html#prtget">1.3.4. Configure prt-get</a></li> + </ul> + </li> + + <li><a href="reboot.html">1.4. Prepare for reboot</a> + <ul> + <li><a href="reboot.html#linux">1.4.1. Kernel</a></li> + <li><a href="reboot.html#dracut">1.4.2. Dracut</a></li> + <li><a href="reboot.html#grub">1.4.3. Grub</a></li> + <li><a href="reboot.html#checkup">1.4.4. Checkup</a></li> + </ul> + </li> + </ul> + + <h2>2. System Administration</h2> + + <ul> + + <li><a href="linux.html">2.1. Linux Kernel</a> + <ul> + <li><a href="linux.html#download">2.1.1. Download</a></li> + + <li><a href="linux.html#configure">2.1.2. Configure</a> + <ul> + <li><a href="linux.html#general">2.1.2.1. General Setup</a></li> + <li><a href="linux.html#mod">2.1.2.2, Enable loadable module support</a></li> + <li><a href="linux.html#block">2.1.2.3. Enable the block layer</a></li> + <li><a href="linux.html#proc">2.1.2.4. Processor type and features</a></li> + <li><a href="linux.html#acpi">2.1.2.5 Power management and ACPI options</a></li> + <li><a href="linux.html#bus">2.1.2.6. Bus options (PCI etc.)</a></li> + <li><a href="linux.html#exec">2.1.2.7. Executable file formats / Emulations</a></li> + <li><a href="linux.html#net">2.1.2.8. Networking support</a></li> + <li><a href="linux.html#drivers">2.1.2.9. Device Drivers</a></li> + <li><a href="linux.html#firm">2.1.2.10. Firmware Drivers</a></li> + <li><a href="linux.html#fs">2.1.2.11. File systems</a></li> + <li><a href="linux.html#hack">2.1.2.12. Kernel hacking</a></li> + <li><a href="linux.html#sec">2.1.2.13. Security options</a></li> + <li><a href="linux.html#crypt">2.1.2.14. Cryptographic API</a></li> + <li><a href="linux.html#virt">2.1.2.15. Virtualization</a></li> + <li><a href="linux.html#lib">2.1.2.16. Library routines</a></li> + </ul> + + </li> + <li><a href="linux.html#build">2.1.3. Build</a></li> + <li><a href="linux.html#install">2.1.5. Install</a></li> + <li><a href="linux.html#remove">2.1.6. Remove</a></li> + </ul> + </li> + <li><a href="hardening.html">2.2. Hardening</a> + <ul> + <li><a href="apparmor.html">2.2.1. AppArmor</a></li> + <li><a href="sysctl.html">2.2.2. Sysctl</a></li> + <li><a href="toolchain.html">2.2.3. Toolchain</a></li> + <li><a href="samhain.html">2.2.4. Samhain</a></li> + </ul> + </li> + <li><a href="network.html">2.3. Network</a> + <ul> + <li><a href="network.html#resolv">2.3.1. Resolver</a></li> + <li><a href="network.html#static">2.3.2. Static ip</a></li> + <li><a href="network.html#iptables">2.3.3. Iptables</a></li> + <li><a href="network.html#wpa">2.3.4. Wpa and dhcpd</a></li> + </ul> + </li> + + <li><a href="package.html">2.4. Package Management</a> + <ul> + <li><a href="package.html#sysup">2.4.1. Update system</a></li> + <li><a href="package.html#depinst">2.4.2. Install ports and dependencies</a></li> + <li><a href="package.html#ports">2.4.3. Ports collections</a></li> + <li><a href="package.html#info">2.4.3. Show port information</a></li> + <li><a href="package.html#depends">2.4.4. Show port dependencies</a></li> + <li><a href="package.html#printf">2.4.5. Print information</a></li> + </ul> + </li> + + <li><a href="tty-terminal.html">2.5. Terminals and shells</a> + <ul> + <li><a href="dash.html">2.5.1. Dash</a></li> + <li><a href="bash.html">2.5.2. Bash</a></li> + <li><a href="tmux.html">2.5.3. Tmux</a></li> + </ul> + </li> + <li><a href="exim.html">2.6. Exim</a> + <ul> + <li><a href="exim.html#conf">2.6.1. Exim configuration</a></li> + <li><a href="exim.html#cert">2.6.2. Certificates</a></li> + <li><a href="exim.html#alias">2.6.3. Aliases</a></li> + <li><a href="exim.html#smarthost">2.6.4. Smarthost</a></li> + <li><a href="exim.html#fetchmail">2.6.5. Fetchmail</a></li> + </ul> + </li> + + </ul> + + <a href="../index.html">Documentation Index</a> + + <p> + This is part of the c9-doc Manual. + Copyright (C) 2017 + c9 team. + See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> + for copying conditions.</p> </body> </html> diff --git a/core/linux.html b/core/linux.html index 3be6d77..de41572 100644 --- a/core/linux.html +++ b/core/linux.html @@ -1,4 +1,4 @@ - <!DOCTYPE html> +<!DOCTYPE html> <html dir="ltr" lang="en"> <head> <meta charset='utf-8'> @@ -16,26 +16,17 @@ <a href="https://www.kernel.org/">Linux Non-Libre</a> pages for more links and information.</p> - <h2 id="#linuxlibre">2.1.1. Port Linux Libre</h2> - - <p>Default crux configuration can be obtained from iso, - kernel port depend on <a href="reboot.html#dracut">dracut</a>, grub2 - and grub2-efi. You don't need them to build with pkgmk, to install - boot related tools use prt-get;</p> - + <p>Spectre-meltdown checker;</p> <pre> - $ prt-get depinst linux-gnu + https://github.com/speed47/spectre-meltdown-checker/ </pre> - <h2 id="kinstall">2.1.2. Manual Install</h2> + <h2 id="download">2.1.1. Download Linux Libre</h2> <p>Download Linux Source from <a href="http://linux-libre.fsfla.org/pub/linux-libre/releases/">linux libre</a>, or using the port system;</p> - <p>Linux-gnu port comes with default config that is a good starting - point to personalize according to your needs.</p> - <pre> $ mkdir ~/kernel $ cd ~/kernel @@ -75,15 +66,34 @@ $ patch -p1 < ../enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch </pre> - <p>Configure kernel according to your current kernel - hardware support;</p> + <p>Cleaning targets:</p> + + <pre> + clean - Remove most generated files but keep the config and + enough build support to build external modules + mrproper - Remove all generated files + config + various backup files + distclean - mrproper + remove editor backup and patch files + </pre> + + <p>Prepare sources for configuration;</p> + + <pre> + $ make distclean + </pre> + + <h2 id="configure">2.1.2. Configure</h2> + + <p>Port linux-gnu port comes with default configuration file that is + a good starting point to tune kernel according to your needs. To + automatically configure kernel with support to your hardware + based on modules loaded by current kernel run.</p> <pre> $ make localmodconfig </pre> - <p>Get information about your hardware, for example information - about which graphic module (driver) is in use + <p>To get more information about the hardware, for example + information about which graphic module (driver) is in use as root run;</p> <pre> @@ -91,101 +101,602 @@ Kernel driver in use: i915 </pre> - <p>Before start compiling check configuration;</p> + <p>Make configuration targets;</p> + + <pre> + config - Update current config utilising a line-oriented program + nconfig - Update current config utilising a ncurses menu based program + menuconfig - Update current config utilising a menu based program + xconfig - Update current config utilising a Qt based front-end + gconfig - Update current config utilising a GTK+ based front-end + oldconfig - Update current config utilising a provided .config as base + localmodconfig - Update current config disabling modules not loaded + localyesconfig - Update current config converting local mods to core + silentoldconfig - Same as oldconfig, but quietly, additionally update deps + defconfig - New config with default from ARCH supplied defconfig + savedefconfig - Save current config as ./defconfig (minimal config) + allnoconfig - New config where all options are answered with no + allyesconfig - New config where all options are accepted with yes + allmodconfig - New config selecting modules when possible + alldefconfig - New config with all symbols set to default + randconfig - New config with random answer to all options + listnewconfig - List new options + olddefconfig - Same as silentoldconfig but sets new symbols to their default value + kvmconfig - Enable additional options for kvm guest kernel support + xenconfig - Enable additional options for xen dom0 and guest kernel support + tinyconfig - Configure the tiniest possible kernel + </pre> + + <p>Following configuration try's to be generic about the hardware + support while addressing the requirements of applications such as + qemu, docker, etc. For more information about hardening options read + <a href="https://kernsec.org">kernsec.org</a>. Configure kernel + using ncurses;</p> <pre> $ make nconfig </pre> + <pre> + CONFIG_BUG_ON_DATA_CORRUPTION=y + + # Perform extensive checks on reference counting. + CONFIG_REFCOUNT_FULL=y + + # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time. + CONFIG_FORTIFY_SOURCE=y + + </pre> + + <h3 id="general">2.1.2.1 General Setup</h3> + <dl> + <dt>CONFIG_POSIX_MQUEUE=y</dt> + <dd>POSIX Message Queues</dd> + + <dt>CONFIG_VMAP_STACK=y</dt> + <dd>Use a virtually-mapped stack</dd> + <dd>Adds guard pages to kernel stacks (not all architectures + support this yet).</dd> + + <dt>CONFIG_CGROUPS=y</dt> + <dd>Control Group support</dd> + + <dt>CONFIG_MEMCG=y</dt> + <dd>Memory controller</dd> + + <dt>CONFIG_MEMCG_SWAP=y</dt> + <dd>Swap controller</dd> + + <dt>CONFIG_MEMCG_SWAP_ENABLED=y</dt> + <dd>Swap controller enabled by default</dd> + + <dt>CONFIG_BLK_CGROUP=y</dt> + <dd>IO controller</dd> + + <dt>CGROUP_SCHED=y</dt> + <dd>CPU controller</dd> + + <dt>FAIR_GROUP_SCHED=y</dt> + <dd>Group scheduling for SCHED_OTHER</dd> + + <dt>CONFIG_CFS_BANDWIDTH=y</dt> + <dd>CPU bandwidth provisioning for FAIR_GROUP_SCHED</dd> + + <dt>CONFIG_RT_GROUP_SCHED=y</dt> + <dd>Group scheduling for SCHED_RR/FIFO</dd> + + <dt>CONFIG_CGROUP_PIDS=y</dt> + <dd>PIDs controller</dd> + + <dd>Freezer controller</dd> + <dd>HugeTLB controller</dd> + <dd>Cpuset controller</dd> + <dd>Include legacy /proc/<pid>/cpuset file</dd> + <dd>Device controller</dd> + <dd>Simple CPU accounting controller</dd> + <dd>Perf controller</dd> + </dl> + + <h4>Namespaces support</h4> + <dl> + <dd>UTS namespace</dd> + <dd>IPC namespace</dd> + <dd>User namespace</dd> + <dd>PID Namespaces</dd> + <dd>Network namespace</dd> + </dl> + + <dl> + + <dt>CONFIG_COMPAT_BRK=n</dt> + <dd>Disable heap randomization</dd> + <dd>Dangerous; enabling this disables brk ASLR.</dd> + + <dt>CONFIG_SLAB_FREELIST_RANDOM=y</dt> + <dd>Randomize allocator freelists, harden metadata.</dd> + + <dt>CONFIG_SLAB_FREELIST_HARDENED=y</dt> + <dd>Randomize allocator freelists, harden metadata.</dd> + + <dt>CONFIG_SLUB_DEBUG=y<dt> + <dd>Enable SLUB debugging support</dd> + <dd>Allow allocator validation checking to be enabled + (see "slub_debug=P" below).</dd> + + <dt>CONFIG_CC_STACKPROTECTOR=y</dt> + <dd>Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.</dd> + + <dt>CONFIG_CC_STACKPROTECTOR_STRONG=y</dt> + <dd>Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.</dd> + </dl> + + + <h3 id="mod">2.1.2.2 Enable loadable module support</h3> + <dl> + + <dt>CONFIG_MODULES=y</dt> + <dd>Enable loadable module support + <dd>Keep root from altering kernel memory via loadable modules. + set CONFIG_MODULES=n</dd> + <dd>But if CONFIG_MODULE=y is needed, at least they must be + signed with a per-build key.<dd> + + <dt>CONFIG_DEBUG_SET_MODULE_RONX=y</dt> + <dd>(prior to v4.11)</dd> + + <dt>CONFIG_STRICT_MODULE_RWX=y</dt> + <dd>(since v4.11)</dd> + + <dt>CONFIG_MODULE_SIG=y</dt> + <dd>Module signature verification</dd> + + <dt>CONFIG_MODULE_SIG_FORCE=y</dt> + <dd>Require modules to be validly signed</dd> + + <dt>CONFIG_MODULE_SIG_ALL=y</dt> + <dd>Automatically sign all modules</dd> + + <dt>CONFIG_MODULE_SIG_SHA512=y</dt> + <dd>Sign modules with SHA-512</dd> + </dl> + + <h3 id="block">2.1.2.3 Enable the block layer</h3> + <dl> + <dt>BLK_DEV_THROTTLING=y</dt> + <dd>Block layer bio throttling support</dd> + + <dt>IOSCHED_CFQ=y</dt> + <dd>CFQ IO scheduler</dd> + + <dt>CONFIG_CFQ_GROUP_IOSCHED=y</dt> + <dd>CFQ Group Scheduling support</dd> + </dl> + + <h3 id="proc">2.1.2.4 Processor type and features</h3> + + <dl> + <dt>CONFIG_DEFAULT_MMAP_MIN_ADDR=65536</dt> + <dd>Low address space to protect from user allocation</dd> + <dd>Disallow allocating the first 64k of memory.</dd> + + <dt>X86_VSYSCALL_EMULATION=n</dt> + <dd>Enable vsyscall emulation</dd> + <dd>Required by programs before 2013, some programs my + require.</dd> + <dd>Remove additional attack surface, unless you really + need them.</dd> + + <dt>CONFIG_SECCOMP=y</dt> + <dd>Enable seccomp to safely compute untrusted bytecode</dd> + <dd>Provide userspace with seccomp BPF API for syscall attack surface reduction.</dd> + + <dt>CONFIG_SECCOMP_FILTER=y</dt> + <dd>Provide userspace with seccomp BPF API for syscall attack surface reduction.</dd> + + <dt>CONFIG_KEXEC=n</dt> + <dd>kexec system call</dd> + <dd>Dangerous; enabling this allows replacement + of running kernel.</dd> + + <dt>CONFIG_RANDOMIZE_BASE=y</dt> + <dd>Randomize the address of the kernel image (KASLR)</dd> + + <dt>CONFIG_RANDOMIZE_MEMORY=y</dt> + <dd>Randomize the kernel memory sections</dd> + + <dt>CONFIG_LEGACY_VSYSCALL_NONE=y</dt> + <dd>vsyscall table for legacy applications (None)</dd> + <dd>Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.</dd> + + <dt>CONFIG_COMPAT_VDSO=n</dt> + <dd>Disable the 32-bit vDSO (needed for glibc 2.3.3)</dd> + <dd>Dangerous; enabling this disables VDSO ASLR.</dd> + + <dt>CONFIG_MODIFY_LDT_SYSCALL=n</dt> + <dd>Enable the LDT (local descriptor table)</dd> + <dd>Remove additional attack surface, unless you really need them.</dd> + </dl> + + <h3 id="acpi">2.1.2.5 Power management and ACPI options</h3> + + <dl> + <dt>CONFIG_HIBERNATION=n</dt> + <dd>Hibernation (aka 'suspend to disk')</dd> + <dd>Dangerous; enabling this allows replacement of running + kernel.</dd> + + <dt>CONFIG_ACPI_CUSTOM_METHOD=n</dt> + <dd>Allow ACPI methods to be inserted/replaced at run time</dd> + <dd>Dangerous; enabling this allows direct physical + memory writing.</dd> + </dl> + + + <h3 id="bus">2.1.2.6 Bus options (PCI etc.)</h3> + <h3 id="exec">2.1.2.7 Executable file formats / Emulations</h3> + <dl> + + <dt>CONFIG_BINFMT_MISC=n</dt> + <dd>Kernel support for MISC binaries</dd> + <dd>Easily confused by misconfigured userspace, keep off.</dd> + + <dt>CONFIG_IA32_EMULATION</dt> + <dd>Remove additional attack surface, unless you really need them.</dd> + <dt>CONFIG_X86_X32</dt> + <dd>Remove additional attack surface, unless you really need them.</dd> + </dl> + + <h3 id="net">2.1.2.8 Networking support</h3> + <h4>Networking options</h4> + <dl> + <dt>CONFIG_INET_DIAG=m</dt> + <dd>INET: socket monitoring interface</dd> + <dd>Support for INET (TCP, DCCP, etc) socket monitoring + interface used by native Linux tools such as ss. ss is + included in iproute2</dd> + <dd>Prior to v4.1, assists heap memory attacks; + best to keep interface disabled.</dd> + + <dt>CONFIG_BRIDGE=y</dt> + <dd>802.1d Ethernet Bridging</dd> + + <dt>CONFIG_NET_SCHED=y</dt> + <dd>QoS and/or fair queueing</dd> + + <dt>CONFIG_NET_CLS_CGROUP=y</dt> + <dd>Control Group Classifier</dd> + + <dt>CONFIG_VSOCKETS=y</dt> + <dd>Virtual Socket protocol</dd> + + <dt>CONFIG_VIRTIO_VSOCKETS=y<dt> + <dd>virtio transport for Virtual Sockets</dd> + + <dt>CONFIG_NET_L3_MASTER_DEV=y</dt> + <dd>L3 Master device support</dd> + + <dt>CONFIG_CGROUP_NET_PRIO=y</dt> + <dd>Network priority cgroup</dd> + + <dt>CGROUP_NET_CLASSID=y</dt> + <dd>Network classid cgroup</dd> + + </dl> + + <dl> + <dt>CONFIG_NETFILTER=y</dt> + <dd>Network packet filtering framework (Netfilter)</dd> + + <dt>CONFIG_NETFILTER_ADVANCED=y</dt> + <dd>Advanced netfilter configuration</dd> + + <dt>BRIDGE_NETFILTER=y</dt> + <dd>Bridged IP/ARP packets filtering</dd> + + <dt>NF_CONNTRACK=y</dt> + <dd>Netfilter connection tracking support</dd> + + <dt>NETFILTER_XT_MATCH_ADDRTYPE=y</dt> + <dd>"addrtype" address type match support</dd> + + <dt>NETFILTER_XT_MATCH_CONNTRACK=y</dt> + <dd>"conntrack" connection tracking match support</dd> + + <dt>CONFIG_NETFILTER_XT_MATCH_IPVS=y</dt> + <dd>"ipvs" match support</dd> + + <dt>CONFIG_IP_VS=y</dt> + <dd>IP virtual server support</dd> + + <dt>IP_VS_PROTO_TCP=y</dt> + <dd>TCP load balancing support</dd> + + <dt>IP_VS_PROTO_UDP=y</dt> + <dd>UDP load balancing support</dd> + + <dt>IP_VS_RR=y</dt> + <dd>round-robin scheduling</dd> + + <dt>IP_VS_NFCT=y</dt> + <dd>Netfilter connection tracking</dd> + + <dt>CONFIG_NF_CONNTRACK_IPV4=y</dt> + <dd>IPv4 connection tracking support (required for NAT)</dd> + + <dt>NF_NAT_IPV4=y</dt> + <dd>IPv4 NAT</dd> + + <dt>NF_NAT_MASQUERADE_IPV4=y</dt> + <dd>IPv4 masquerade support</dd> + + <dt>IP_NF_IPTABLES=y</dt> + <dd>IP tables support (required for filtering/masq/NAT)</dd> + + <dt>IP_NF_FILTER=y</dt> + <dd>Packet filtering</dd> + + <dt>CONFIG_IP_NF_NAT=y</dt> + <dd>iptables NAT support</dd> + + <dt>IP_NF_TARGET_MASQUERADE=y</dt> + <dd>MASQUERADE target support</dd> + + <dt>IP_NF_TARGET_NETMAP=y</dt> + <dd>NETMAP target support</dd> + + <dt>IP_NF_TARGET_REDIRECT=y</dt> + <dd>REDIRECT target support</dd> + + <dt>CONFIG_SYN_COOKIES=y</dt> + <dd>IP: TCP syncookie support</dd> + <dd>Provides some protections against SYN flooding.</dd> + + </dl> + + <h3 id="drivers">2.1.2.9 Device Drivers</h3> + + <h4>Multiple devices driver support (RAID and LVM)</h4> + + <dl> + <dt>CONFIG_MD=y</dt> + <dd>Multiple devices driver support (RAID and LVM)</dd> + <dt>CONFIG_BLK_DEV_DM=y</dt> + <dd>Device mapper support</dd> + <dt>DM_THIN_PROVISIONING=y</dt> + <dd>Thin provisioning target<dd> + </dl> + + <h4>Network device support</h4> + + <dl> + <dt>CONFIG_NETDEVICES=y</dt> + <dd>Network device support</dd> + + <dt>NET_CORE=y</dt> + <dd>Network core driver support</dd> + + <dt>CONFIG_DUMMY=y</dt> + <dd>Dummy net driver support</dd> + + <dt>CONFIG_MACVLAN=y</dt> + <dd>MAC-VLAN support</dd> + <dd>This allows one to create virtual interfaces that map + packets to or from specific MAC addresses to a particular + interface. Macvlan devices can be added using the "ip" command + from the route2 package starting with the iproute2.</dd> + <dd>ip link add link <real dev> [ address MAC ] [ NAME ] type macvlan"</dd> + + <dt>CONFIG_VXLAN=y</dt> + <dd>Virtual eXtensible Local Area Network (VXLAN)</dd> + + <dt>CONFIG_TUN=y</dt> + <dd>Universal TUN/TAP device driver support</dd> + + <dt>CONFIG_VETH=y</dt> + <dd>Virtual ethernet pair device</dd> + + + <dt>IPVLAN=n</dt> + <dd>IP-VLAN support</dd> + <dd>Requires ipv6</dd> + </dl> + + <h4>Character devices</h4> + <dl> + <dt>CONFIG_DEVMEM=n</dt> + <dd>/dev/mem virtual device support</dd> + <dd>Do not allow direct physical memory access (but if you must have it, at least enable CONFIG_STRICT_DEVMEM mode...)</dd> + + <dd>Enable TTY</dd> + <dd>Unix98 PTY support</dd> + + <dt>CONFIG_LEGACY_PTYS=n</dt> + <dd>Legacy (BSD) PTY support</dd> + <dd>Use the modern PTY interface (devpts) only.</dd> + + <dd>Support multiple instances of devpts</dd> + + <dt>CONFIG_DEVKMEM=n</dt> + <dd>/dev/kmem virtual device support</dd> + <dd>Dangerous; enabling this allows direct kernel + memory writing.</dd> + </dl> + + <h3 id="firm">2.1.2.10 Firmware Drivers</h3> + <h3 id="fs">2.1.2.11 File systems</h3> + <dl> + <dd>Overlay filesystem support</dd> + + <dt>CONFIG_PROC_KCORE=n</dt> + <dd>/proc/kcore support</dd> + <dd>Dangerous; exposes kernel text image layout.</dd> + + <dd>HugeTLB file system support</dd> + + </dl> + + <h3 id="hack">2.1.2.12 Kernel hacking</h3> + + <dl> + <dt>CONFIG_DEBUG=y</dt> + <dt>CONFIG_DEBUG_RODATA=y</dt> + + <dt>CONFIG_DEBUG_KERNEL=y</dt> + <dd>Kernel debugging</dd> + <dd>Make sure kernel page tables have safe permissions.</dd> + + <dt>CONFIG_STRICT_KERNEL_RWX=y</dt> + <dd>since v4.11</dd> + <dd>Make sure kernel page tables have safe permissions.</dd> + + <dt>CONFIG_PANIC_ON_OOPS=y</dt> + <dd>Panic on Oops</dd> + <dd>This feature is useful to ensure that the kernel does not do + anything erroneous after an oops which could result in data + corruption or other issues.</dd> + + <dt>CONFIG_PANIC_TIMEOUT=-1</dt> + <dd>Reboot devices immediately if kernel experiences an Oops.</dd> + + <dt>CONFIG_SCHED_STACK_END_CHECK=y</dt> + <dd>Detect stack corruption on calls to schedule()</dd> + <dd>Perform additional validation of various commonly targeted structures.</dd> + + <dt>CONFIG_DEBUG_LIST=y</dt> + <dd>Debug linked list manipulation</dd> + <dd>Perform additional validation of various commonly targeted structures.</dd> + + <dt>CONFIG_DEBUG_SG=y</dt> + <dd>Debug SG table operations</dd> + <dd>Perform additional validation of various commonly targeted structures.</dd> + + <dt>CONFIG_DEBUG_NOTIFIERS=y</dt> + <dd>Debug notifier call chains</dd> + <dd>Perform additional validation of various commonly + targeted structures.</dd> + + <dt>CONFIG_DEBUG_CREDENTIALS=y</dt> + <dd>Debug credential management</dd> + <dd>Perform additional validation of various commonly + targeted structures.</dd> + + <dt>CONFIG_STRICT_DEVMEM=y</dt> + <dd>Filter access to /dev/mem</dd> + <dd>Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)</dd> + + <dt>CONFIG_IO_STRICT_DEVMEM=y</dt> + <dd>Filter I/O access to /dev/mem</dd> + <dd>Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)</dd> + + <dt>CONFIG_DEBUG_WX=y</dt> + <dd>Warn on W+X mappings at boot</dd> + <dd>Report any dangerous memory permissions + (not available on all archs).</dd> + + + </dl> + + <h4>Compile-time checks and compiler options</h4> + <dl> + <dt>CONFIG_DEBUG_FS=y</dt> + <dd>Debug Filesystem</dd> + + </dl> + + <h4>Memory Debugging</h4> + <dl> + <dt>CONFIG_PAGE_POISONING=y</dt> + <dd>Poison pages after freeing</dd> + <dd>Wipe higher-level memory allocations when they are freed + (needs "page_poison=1" command line below).</dd> + + <dt>CONFIG_PAGE_POISONING_NO_SANITY=y</dt> + <dd>Only poison, don't sanity check</dd> + <dd>(If you can afford even more performance penalty, + leave CONFIG_PAGE_POISONING_NO_SANITY=n)</dd> + + <dt>CONFIG_PAGE_POISONING_ZERO=y</dt> + <dd>Use zero for poisoning instead of random data</dd> + + </dl> + + <h3 id="sec">2.1.2.13 Security options</h3> + + <dl> + <dd>Enable access key retention support</dd> + <dd>Enable register of persistent per-UID keyrings</dd> + <dd>ENCRYPTED KEYS</dd> + <dd>Diffie-Hellman operations on retained keys</dd> + + <dt>CONFIG_SECURITY=y</dt> + <dd>Enable different security models</dd> + <dd>Provide userspace with ptrace ancestry protections.</dd> + + <dt>CONFIG_HARDENED_USERCOPY=y</dt> + <dd>Harden memory copies between kernel and userspace</dd> + <dd>Perform usercopy bounds checking.</dd> + + <dt>SECURITY_SELINUX=n</dt> + <dd>NSA SELinux Support</dd> + <dt>CONFIG_SECURITY_SELINUX_DISABLE=n</dt> + <dd>NSA SELinux runtime disable</dd> + <dd>If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.</dd> + + <dt>CONFIG_SECURITY_APPARMOR=y</dt> + <dd>AppArmor support</dd> + <dd>This enables the AppArmor security module. Rquired userspace + tools (if they are not included in your distribution) and further + information may be found at <a href="apparmor.html">AppArmor</a></dd> + <dt>CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1</dt> + <dd>AppArmor boot parameter default value</dd> + + <dt>CONFIG_SECURITY_YAMA=y</dt> + <dd>Yama support</dd> + <dd>Provide userspace with ptrace ancestry protections.</dd> + </dl> + + <h3 id="crypt">2.1.2.14 Cryptographic API</h3> + <h3 id="virt">2.1.2.15 Virtualization</h3> + + <dl> + <dt>CONFIG_KVM=y</dt> + <dd>Kernel-based Virtual Machine (KVM) support</dd> + + <dt>CONFIG_KVM_INTEL=y</dt> + <dd>KVM for Intel processors support</dd> + <dd>Provides support for KVM on Intel processors equipped with the VT extensions.</dd> + + <dt>CONFIG_KVM_AMD=y</dt> + <dd>KVM for AMD processors support</dd> + <dd>Provides support for KVM on AMD processors equipped with the + AMD-V (SVM) extensions.</dd> + + <dt>CONFIG_KVM_DEVICE_ASSIGNMENT=n</dt> + <dd>KVM legacy PCI device assignment support (DEPRECATED)</dd> + + <dt>CONFIG_VHOST_NET=y</dt> + <dd>Host kernel accelerator for virtio net<dd> + + <dt>CONFIG_VHOST_VSOCK=y</dt> + <dd>vhost virtio-vsock driver</dd> + + <dt>CONFIG_VHOST_CROSS_ENDIAN_LEGACY=y</dt> + <dd>Cross-endian support for vhost</dd> + </dl> + + <h3 id="lib">2.1.2.16 Library routines</h3> + + <h2 id="build">2.1.3. Build</h2> + <p>Make targets;</p> <pre> - $ make help - Cleaning targets: - clean - Remove most generated files but keep the config and - enough build support to build external modules - mrproper - Remove all generated files + config + various backup files - distclean - mrproper + remove editor backup and patch files - - Configuration targets: - config - Update current config utilising a line-oriented program - nconfig - Update current config utilising a ncurses menu based - program - menuconfig - Update current config utilising a menu based program - xconfig - Update current config utilising a Qt based front-end - gconfig - Update current config utilising a GTK+ based front-end - oldconfig - Update current config utilising a provided .config as base - localmodconfig - Update current config disabling modules not loaded - localyesconfig - Update current config converting local mods to core - silentoldconfig - Same as oldconfig, but quietly, additionally update deps - defconfig - New config with default from ARCH supplied defconfig - savedefconfig - Save current config as ./defconfig (minimal config) - allnoconfig - New config where all options are answered with no - allyesconfig - New config where all options are accepted with yes - allmodconfig - New config selecting modules when possible - alldefconfig - New config with all symbols set to default - randconfig - New config with random answer to all options - listnewconfig - List new options - olddefconfig - Same as silentoldconfig but sets new symbols to their - default value - kvmconfig - Enable additional options for kvm guest kernel support - xenconfig - Enable additional options for xen dom0 and guest kernel support - tinyconfig - Configure the tiniest possible kernel - Other generic targets: all - Build all targets marked with [*] * vmlinux - Build the bare kernel * modules - Build all modules - modules_install - Install all modules to INSTALL_MOD_PATH (default: /) - firmware_install- Install all firmware to INSTALL_FW_PATH - (default: $(INSTALL_MOD_PATH)/lib/firmware) - dir/ - Build all files in dir and below - dir/file.[ois] - Build specified target only - dir/file.lst - Build specified mixed source/assembly target only - (requires a recent binutils and recent build (System.map)) - dir/file.ko - Build module including final link - modules_prepare - Set up for building external modules - tags/TAGS - Generate tags file for editors - cscope - Generate cscope index - gtags - Generate GNU GLOBAL index - kernelrelease - Output the release version string (use with make -s) - kernelversion - Output the version stored in Makefile (use with make -s) - image_name - Output the image name (use with make -s) - headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH (default: ./usr) - Static analysers - checkstack - Generate a list of stack hogs - namespacecheck - Name space analysis on compiled kernel - versioncheck - Sanity check on version.h usage - includecheck - Check for duplicate included header files - export_report - List the usages of all exported symbols - headers_check - Sanity check on exported headers - headerdep - Detect inclusion cycles in headers - coccicheck - Check with Coccinelle. - - Kernel selftest - kselftest - Build and run kernel selftest (run as root) - Build, install, and boot kernel before - running kselftest on it - kselftest-clean - Remove all generated kselftest files - kselftest-merge - Merge all the config dependencies of kselftest to existed - .config. - - Kernel packaging: - rpm-pkg - Build both source and binary RPM kernel packages - binrpm-pkg - Build only the binary kernel RPM package - deb-pkg - Build both source and binary deb kernel packages - bindeb-pkg - Build only the binary kernel deb package - tar-pkg - Build the kernel as an uncompressed tarball - targz-pkg - Build the kernel as a gzip compressed tarball - tarbz2-pkg - Build the kernel as a bzip2 compressed tarball - tarxz-pkg - Build the kernel as a xz compressed tarball - perf-tar-src-pkg - Build perf-4.9.9-gnu.tar source tarball - perf-targz-src-pkg - Build perf-4.9.9-gnu.tar.gz source tarball - perf-tarbz2-src-pkg - Build perf-4.9.9-gnu.tar.bz2 source tarball - perf-tarxz-src-pkg - Build perf-4.9.9-gnu.tar.xz source tarball - Documentation targets: Linux kernel internal documentation in different formats (Sphinx): htmldocs - HTML @@ -210,12 +721,6 @@ installmandocs - install man pages generated by mandocs cleandocs - clean all generated DocBook files - make DOCBOOKS="s1.xml s2.xml" [target] Generate only docs s1.xml s2.xml - valid values for DOCBOOKS are: z8530book.xml kernel-hacking.xml kernel-locking.xml deviceiobook.xml writing_usb_driver.xml networking.xml kernel-api.xml filesystems.xml lsm.xml usb.xml kgdb.xml gadget.xml libata.xml mtdnand.xml librs.xml rapidio.xml genericirq.xml s390-drivers.xml uio-howto.xml scsi.xml debugobjects.xml sh.xml regulator.xml alsa-driver-api.xml writing-an-alsa-driver.xml tracepoint.xml w1.xml writing_musb_glue_layer.xml crypto-API.xml iio.xml - - make DOCBOOKS="" [target] Don't generate docs from Docbook - This is useful to generate only the ReST docs (Sphinx) - Architecture specific targets (x86): * bzImage - Compressed kernel image (arch/x86/boot/bzImage) install - Install kernel using @@ -244,15 +749,23 @@ 2: warnings which occur quite often but may still be relevant 3: more obscure warnings, can most likely be ignored Multiple levels can be combined with W=12 or W=123 - - Execute "make" or "make all" to build all targets marked with [*] - For further info see the ./README file - $ </pre> <pre> $ make -j $(nproc) bzImage modules + </pre> + + <h2 id="install">2.1.5. Install</h2> + <pre> + modules_install - Install all modules to INSTALL_MOD_PATH (default: /) + firmware_install- Install all firmware to INSTALL_FW_PATH + (default: $(INSTALL_MOD_PATH)/lib/firmware) + modules_prepare - Set up for building external modules + headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH + </pre> + + <pre> $ sudo make modules_install $ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.9.86-gnu $ sudo cp System.map /boot/System.map-4.9.86-gnu @@ -264,7 +777,7 @@ # grub-mkconfig -o /boot/grub/grub.cfg </pre> - <h2 id="kuninstall">2.1.3. Manual Remove</h2> + <h2 id="remove">2.1.6. Remove</h2> <pre> $ sudo rm -r /lib/modules/4.9.86-gnu diff --git a/core/reboot.html b/core/reboot.html index c7e8d9c..ea174a2 100644 --- a/core/reboot.html +++ b/core/reboot.html @@ -33,12 +33,20 @@ <h2 id="linux">1.4.1. Kernel</h2> - <p>There is possible to install kernel using a port, - c9-ports have <a href="ports/linux-gnu">linux-gnu</a> - port of linux libre,a true source based kernel that + <p>Install <a href="ports/linux-gnu">linux-gnu</a> port, + linux libre kernel is a true source based kernel that respects your freedoms. Read <a href="linux.html">linux kernel</a> for more information.</p> + <p>Default crux configuration can be obtained from iso, + kernel port depend on <a href="reboot.html#dracut">dracut</a>, grub2 + and grub2-efi. You don't need them to build with pkgmk, to install + boot related tools use prt-get;</p> + + <pre> + $ prt-get depinst linux-gnu + </pre> + <p>If you don't have the port binary package build it;</p> <pre> |