From a3628fc49db4d88ff3e4067268650710d1da3f6f Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Fri, 12 Feb 2021 03:59:34 +0000 Subject: initial openbsd support --- core/linux.html | 866 -------------------------------------------------------- 1 file changed, 866 deletions(-) delete mode 100644 core/linux.html (limited to 'core/linux.html') diff --git a/core/linux.html b/core/linux.html deleted file mode 100644 index 9d568e9..0000000 --- a/core/linux.html +++ /dev/null @@ -1,866 +0,0 @@ - - - - - 2.1. Kernel Linux - - - - Core OS Index - -

2.1. Kernel Linux

- -

Linux is a monolith kernel, a big one ! Visit - Linux Libre - and - Linux Non-Libre pages for more links - and information.

- -

Spectre-meltdown checker;

-        https://github.com/speed47/spectre-meltdown-checker/
-

- -

2.1.1. Download Linux Libre

- -

Download Linux Source from - linux libre, - or using the port system;

- -

-        $ mkdir ~/kernel
-        $ cd ~/kernel
-        $ cd linux-4.9.86/
-

- -

Gcc graysky2 kernel_gcc_patch (master.zip) - that adds more cpu options (FLAGS) for native builds. - Check Pkgfile - for instructions how linux-gnu port is built.

- -

Check version on Makefile;

- -

-        VERSION = 4
-        PATCHLEVEL = 9
-        SUBLEVEL = 86
-        EXTRAVERSION = -gnu
-        NAME = Roaring Lionus
-

- -

Change cpu optimization patch;

- -

-        depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
-

- -

to;

- -

-        depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
-

- -

Apply additional cpu optimizations patch;

- -

-        $ patch -p1 < ../enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
-

- -

Cleaning targets:

- -

-        clean           - Remove most generated files but keep the config and
-                    enough build support to build external modules
-        mrproper        - Remove all generated files + config + various backup files
-        distclean       - mrproper + remove editor backup and patch files
-

- -

Prepare sources for configuration;

- -

-        $ make distclean
-

- -

2.1.2. Configure

- -

Port linux-gnu port comes with default configuration file that is - a good starting point to tune kernel according to your needs. To - automatically configure kernel with support to your hardware - based on modules loaded by current kernel run.

- -

-        $ make localmodconfig
-

- -

To get more information about the hardware, for example - information about which graphic module (driver) is in use - as root run;

- -

-        # lspci -nnk | grep -i vga -A3 | grep 'in use'
-        Kernel driver in use: i915
-

- -

Make configuration targets;

- -

-        config          - Update current config utilising a line-oriented program
-        nconfig         - Update current config utilising a ncurses menu based program
-        menuconfig      - Update current config utilising a menu based program
-        xconfig         - Update current config utilising a Qt based front-end
-        gconfig         - Update current config utilising a GTK+ based front-end
-        oldconfig       - Update current config utilising a provided .config as base
-        localmodconfig  - Update current config disabling modules not loaded
-        localyesconfig  - Update current config converting local mods to core
-        silentoldconfig - Same as oldconfig, but quietly, additionally update deps
-        defconfig       - New config with default from ARCH supplied defconfig
-        savedefconfig   - Save current config as ./defconfig (minimal config)
-        allnoconfig     - New config where all options are answered with no
-        allyesconfig    - New config where all options are accepted with yes
-        allmodconfig    - New config selecting modules when possible
-        alldefconfig    - New config with all symbols set to default
-        randconfig      - New config with random answer to all options
-        listnewconfig   - List new options
-        olddefconfig    - Same as silentoldconfig but sets new symbols to their default value
-        kvmconfig       - Enable additional options for kvm guest kernel support
-        xenconfig       - Enable additional options for xen dom0 and guest kernel support
-        tinyconfig      - Configure the tiniest possible kernel
-

- -

Following configuration try's to be generic about the hardware - support while addressing the requirements of applications such as - qemu, docker, etc. For more information about hardening options read - kernsec.org. Configure kernel - using ncurses;

- -

-        $ make nconfig
-

- -

-            CONFIG_BUG_ON_DATA_CORRUPTION=y
-
-            # Perform extensive checks on reference counting.
-            CONFIG_REFCOUNT_FULL=y
-
-            # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
-            CONFIG_FORTIFY_SOURCE=y
-
-

- -

2.1.2.1 General Setup

CONFIG_POSIX_MQUEUE=y: POSIX Message Queues
CONFIG_VMAP_STACK=y: Use a virtually-mapped stack; Adds guard pages to kernel stacks (not all architectures - support this yet).
CONFIG_CGROUPS=y: Control Group support
CONFIG_MEMCG=y: Memory controller
CONFIG_MEMCG_SWAP=y: Swap controller
CONFIG_MEMCG_SWAP_ENABLED=y: Swap controller enabled by default
CONFIG_BLK_CGROUP=y: IO controller
CGROUP_SCHED=y: CPU controller
FAIR_GROUP_SCHED=y: Group scheduling for SCHED_OTHER
CONFIG_CFS_BANDWIDTH=y: CPU bandwidth provisioning for FAIR_GROUP_SCHED
CONFIG_RT_GROUP_SCHED=y: Group scheduling for SCHED_RR/FIFO
CONFIG_CGROUP_PIDS=y: PIDs controller; Freezer controller; HugeTLB controller; Cpuset controller; Include legacy /proc//cpuset file; Device controller; Simple CPU accounting controller; Perf controller

- -

Namespaces support

UTS namespace

IPC namespace

User namespace

PID Namespaces

Network namespace

- - -

CONFIG_COMPAT_BRK=n: Disable heap randomization; Dangerous; enabling this disables brk ASLR.
CONFIG_SLAB_FREELIST_RANDOM=y: Randomize allocator freelists, harden metadata.
CONFIG_SLAB_FREELIST_HARDENED=y: Randomize allocator freelists, harden metadata.
CONFIG_SLUB_DEBUG=y
-: Enable SLUB debugging support; Allow allocator validation checking to be enabled - (see "slub_debug=P" below).
CONFIG_CC_STACKPROTECTOR=y: Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
CONFIG_CC_STACKPROTECTOR_STRONG=y: Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.

- - -

2.1.2.2 Enable loadable module support

CONFIG_MODULES=y: Enable loadable module support -; Keep root from altering kernel memory via loadable modules. - set CONFIG_MODULES=n; But if CONFIG_MODULE=y is needed, at least they must be - signed with a per-build key.; - -
CONFIG_DEBUG_SET_MODULE_RONX=y: (prior to v4.11)
CONFIG_STRICT_MODULE_RWX=y: (since v4.11)
CONFIG_MODULE_SIG=y: Module signature verification
CONFIG_MODULE_SIG_FORCE=y: Require modules to be validly signed
CONFIG_MODULE_SIG_ALL=y: Automatically sign all modules
CONFIG_MODULE_SIG_SHA512=y: Sign modules with SHA-512

- -

2.1.2.3 Enable the block layer

BLK_DEV_THROTTLING=y: Block layer bio throttling support
IOSCHED_CFQ=y: CFQ IO scheduler
CONFIG_CFQ_GROUP_IOSCHED=y: CFQ Group Scheduling support

- -

2.1.2.4 Processor type and features

- -

CONFIG_DEFAULT_MMAP_MIN_ADDR=65536: Low address space to protect from user allocation; Disallow allocating the first 64k of memory.
X86_VSYSCALL_EMULATION=n: Enable vsyscall emulation; Required by programs before 2013, some programs my - require.; Remove additional attack surface, unless you really - need them.
CONFIG_SECCOMP=y: Enable seccomp to safely compute untrusted bytecode; Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP_FILTER=y: Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_KEXEC=n: kexec system call; Dangerous; enabling this allows replacement - of running kernel.
CONFIG_RANDOMIZE_BASE=y: Randomize the address of the kernel image (KASLR)
CONFIG_RANDOMIZE_MEMORY=y: Randomize the kernel memory sections
CONFIG_LEGACY_VSYSCALL_NONE=y: vsyscall table for legacy applications (None); Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
CONFIG_COMPAT_VDSO=n: Disable the 32-bit vDSO (needed for glibc 2.3.3); Dangerous; enabling this disables VDSO ASLR.
CONFIG_MODIFY_LDT_SYSCALL=n: Enable the LDT (local descriptor table); Remove additional attack surface, unless you really need them.

- -

2.1.2.5 Power management and ACPI options

- -

CONFIG_HIBERNATION=n: Hibernation (aka 'suspend to disk'); Dangerous; enabling this allows replacement of running - kernel.
CONFIG_ACPI_CUSTOM_METHOD=n: Allow ACPI methods to be inserted/replaced at run time; Dangerous; enabling this allows direct physical - memory writing.

- - -

2.1.2.6 Bus options (PCI etc.)

2.1.2.7 Executable file formats / Emulations

CONFIG_BINFMT_MISC=n: Kernel support for MISC binaries; Easily confused by misconfigured userspace, keep off.
CONFIG_IA32_EMULATION: Remove additional attack surface, unless you really need them.
CONFIG_X86_X32: Remove additional attack surface, unless you really need them.

- -

2.1.2.8 Networking support

Networking options

CONFIG_INET_DIAG=m: INET: socket monitoring interface; Support for INET (TCP, DCCP, etc) socket monitoring - interface used by native Linux tools such as ss. ss is - included in iproute2; Prior to v4.1, assists heap memory attacks; - best to keep interface disabled.
CONFIG_BRIDGE=y: 802.1d Ethernet Bridging
CONFIG_NET_SCHED=y: QoS and/or fair queueing
CONFIG_NET_CLS_CGROUP=y: Control Group Classifier
CONFIG_VSOCKETS=y: Virtual Socket protocol
CONFIG_VIRTIO_VSOCKETS=y
-: virtio transport for Virtual Sockets
CONFIG_NET_L3_MASTER_DEV=y: L3 Master device support
CONFIG_CGROUP_NET_PRIO=y: Network priority cgroup
CGROUP_NET_CLASSID=y: Network classid cgroup

- -

CONFIG_NETFILTER=y: Network packet filtering framework (Netfilter)
CONFIG_NETFILTER_ADVANCED=y: Advanced netfilter configuration
BRIDGE_NETFILTER=y: Bridged IP/ARP packets filtering
NF_CONNTRACK=y: Netfilter connection tracking support
NETFILTER_XT_MATCH_ADDRTYPE=y: "addrtype" address type match support
NETFILTER_XT_MATCH_CONNTRACK=y: "conntrack" connection tracking match support
CONFIG_NETFILTER_XT_MATCH_IPVS=y: "ipvs" match support
CONFIG_IP_VS=y: IP virtual server support
IP_VS_PROTO_TCP=y: TCP load balancing support
IP_VS_PROTO_UDP=y: UDP load balancing support
IP_VS_RR=y: round-robin scheduling
IP_VS_NFCT=y: Netfilter connection tracking
CONFIG_NF_CONNTRACK_IPV4=y: IPv4 connection tracking support (required for NAT)
NF_NAT_IPV4=y: IPv4 NAT
NF_NAT_MASQUERADE_IPV4=y: IPv4 masquerade support
IP_NF_IPTABLES=y: IP tables support (required for filtering/masq/NAT)
IP_NF_FILTER=y: Packet filtering
CONFIG_IP_NF_NAT=y: iptables NAT support
IP_NF_TARGET_MASQUERADE=y: MASQUERADE target support
IP_NF_TARGET_NETMAP=y: NETMAP target support
IP_NF_TARGET_REDIRECT=y: REDIRECT target support
CONFIG_SYN_COOKIES=y: IP: TCP syncookie support; Provides some protections against SYN flooding.

- -

2.1.2.9 Device Drivers

- -

Block devices

CONFIG_VIRTIO_BLK=y: This is the virtual block driver for virtio.; For QEMU based VMMs.
BLK_DEV_NBD=y: Network block device support.

- -

SCSI device support

CONFIG_SCSI_VIRTIO=y: This is the virtual HBA driver for virtio. - If the kernel will used in a virtual machine.

- -

Multiple devices driver support (RAID and LVM)

- -

CONFIG_MD=y: Multiple devices driver support (RAID and LVM)
CONFIG_BLK_DEV_DM=y: Device mapper support
DM_THIN_PROVISIONING=y: Thin provisioning target; -

- -

Network device support

- -

CONFIG_NETDEVICES=y: Network device support
NET_CORE=y: Network core driver support
CONFIG_DUMMY=y: Dummy net driver support
CONFIG_MACVLAN=y: MAC-VLAN support; This allows one to create virtual interfaces that map - packets to or from specific MAC addresses to a particular - interface. Macvlan devices can be added using the "ip" command - from the route2 package starting with the iproute2.; ip link add link [ address MAC ] [ NAME ] type macvlan"
CONFIG_VXLAN=y: Virtual eXtensible Local Area Network (VXLAN)
BLK_DEV_NBD=y: Network block device support.
CONFIG_TUN=y: Universal TUN/TAP device driver support
CONFIG_VETH=y: Virtual ethernet pair device.
CONFIG_VIRTIO_NET=y: Virtio network driver.
IPVLAN=n: IP-VLAN support; Requires ipv6

- -

Character devices

CONFIG_DEVMEM=n: /dev/mem virtual device support; Do not allow direct physical memory access (but if you must have it, at least enable CONFIG_STRICT_DEVMEM mode...); Enable TTY; Unix98 PTY support
CONFIG_LEGACY_PTYS=n: Legacy (BSD) PTY support; Use the modern PTY interface (devpts) only.; Support multiple instances of devpts
CONFIG_DEVKMEM=n: /dev/kmem virtual device support; Dangerous; enabling this allows direct kernel - memory writing.

- -

Virtio drivers

CONFIG_VIRTIO_PCI=y: PCI driver for virtio devices

- -

2.1.2.10 Firmware Drivers

2.1.2.11 File systems

Overlay filesystem support
CONFIG_PROC_KCORE=n: /proc/kcore support; Dangerous; exposes kernel text image layout.; HugeTLB file system support
CONFIG_FUSE_FS=y: FUSE (Filesystem in Userspace) support

- -

2.1.2.12 Kernel hacking

- -

CONFIG_DEBUG=y
CONFIG_DEBUG_RODATA=y
CONFIG_DEBUG_KERNEL=y: Kernel debugging; Make sure kernel page tables have safe permissions.
CONFIG_STRICT_KERNEL_RWX=y: since v4.11; Make sure kernel page tables have safe permissions.
CONFIG_PANIC_ON_OOPS=y: Panic on Oops; This feature is useful to ensure that the kernel does not do - anything erroneous after an oops which could result in data - corruption or other issues.
CONFIG_PANIC_TIMEOUT=-1: Reboot devices immediately if kernel experiences an Oops.
CONFIG_SCHED_STACK_END_CHECK=y: Detect stack corruption on calls to schedule(); Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_LIST=y: Debug linked list manipulation; Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_SG=y: Debug SG table operations; Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_NOTIFIERS=y: Debug notifier call chains; Perform additional validation of various commonly - targeted structures.
CONFIG_DEBUG_CREDENTIALS=y: Debug credential management; Perform additional validation of various commonly - targeted structures.
CONFIG_STRICT_DEVMEM=y: Filter access to /dev/mem; Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
CONFIG_IO_STRICT_DEVMEM=y: Filter I/O access to /dev/mem; Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
CONFIG_DEBUG_WX=y: Warn on W+X mappings at boot; Report any dangerous memory permissions - (not available on all archs).

- -

Compile-time checks and compiler options

CONFIG_DEBUG_FS=y: Debug Filesystem

- -

Memory Debugging

CONFIG_PAGE_POISONING=y: Poison pages after freeing; Wipe higher-level memory allocations when they are freed - (needs "page_poison=1" command line below).
CONFIG_PAGE_POISONING_NO_SANITY=y: Only poison, don't sanity check; (If you can afford even more performance penalty, - leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING_ZERO=y: Use zero for poisoning instead of random data

- -

2.1.2.13 Security options

- -

Enable access key retention support; Enable register of persistent per-UID keyrings; ENCRYPTED KEYS; Diffie-Hellman operations on retained keys
CONFIG_SECURITY=y: Enable different security models; Provide userspace with ptrace ancestry protections.
CONFIG_HARDENED_USERCOPY=y: Harden memory copies between kernel and userspace; Perform usercopy bounds checking.
SECURITY_SELINUX=n: NSA SELinux Support
CONFIG_SECURITY_SELINUX_DISABLE=n: NSA SELinux runtime disable; If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
CONFIG_SECURITY_APPARMOR=y: AppArmor support; This enables the AppArmor security module. Rquired userspace - tools (if they are not included in your distribution) and further - information may be found at AppArmor
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1: AppArmor boot parameter default value
CONFIG_SECURITY_YAMA=y: Yama support; Provide userspace with ptrace ancestry protections.

- -

2.1.2.14 Cryptographic API

- -

CONFIG_CRYPTO_LRW: Liskov Rivest Wagner, a tweakable, non malleable, non movable - narrow block cipher mode for dm-crypt.
CONFIG_CRYPTO_RMD160=y
CONFIG_CRYPTO_RMD256=y
CONFIG_CRYPTO_RMD320=y: RIPEMD 160/256/320 digest algorithm
CONFIG_CRYPTO_SHA256=y: SHA224 and SHA256 digest algorithm; - -
CONFIG_CRYPTO_SHA512=y: SHA384 and SHA512 digest algorithms
CONFIG_CRYPTO_WP512=y: Whirlpool digest algorithms
CONFIG_CRYPTO_DES3_EDE_X86_64=y: DES and Triple DES EDE cipher algorithms; - -
CONFIG_CRYPTO_SERPENT=y: Serpent cipher algorithm
CONFIG_CRYPTO_TWOFISH=y
-: Twofish cipher algorithm

- -

-	    *   MD4 digest algorithm
-	    *   MD5 digest algorithm
-	    *   SHA1 digest algorithm
-	    *   Blowfish cipher algorithm
-	    *   AES cipher algorithms
-	    *   CAST5 (CAST-128) cipher algorithm
-	    *   CAST6 (CAST-256) cipher algorithm 
-	    *   Deflate compression algorithm
-

- -

2.1.2.15 Virtualization

- -

CONFIG_KVM=y: Kernel-based Virtual Machine (KVM) support
CONFIG_KVM_INTEL=y: KVM for Intel processors support; Provides support for KVM on Intel processors equipped with the VT extensions.
CONFIG_KVM_AMD=y: KVM for AMD processors support; Provides support for KVM on AMD processors equipped with the - AMD-V (SVM) extensions.
CONFIG_KVM_DEVICE_ASSIGNMENT=n: KVM legacy PCI device assignment support (DEPRECATED)
CONFIG_VHOST_NET=y: Host kernel accelerator for virtio net; - -
CONFIG_VHOST_VSOCK=y: vhost virtio-vsock driver
CONFIG_VHOST_CROSS_ENDIAN_LEGACY=y: Cross-endian support for vhost

- -

2.1.2.16 Library routines

- -

2.1.3. Build

- -

Make targets;

- -

-        Other generic targets:
-          all             - Build all targets marked with [*]
-        * vmlinux         - Build the bare kernel
-        * modules         - Build all modules
-                            (default: ./usr)
-
-        Documentation targets:
-         Linux kernel internal documentation in different formats (Sphinx):
-          htmldocs        - HTML
-          latexdocs       - LaTeX
-          pdfdocs         - PDF
-          epubdocs        - EPUB
-          xmldocs         - XML
-          cleandocs       - clean all generated files
-
-          make SPHINXDIRS="s1 s2" [target] Generate only docs of folder s1, s2
-          valid values for SPHINXDIRS are: development-process media gpu 80211
-
-          make SPHINX_CONF={conf-file} [target] use *additional* sphinx-build
-          configuration. This is e.g. useful to build with nit-picking config.
-
-         Linux kernel internal documentation in different formats (DocBook):
-          htmldocs        - HTML
-          pdfdocs         - PDF
-          psdocs          - Postscript
-          xmldocs         - XML DocBook
-          mandocs         - man pages
-          installmandocs  - install man pages generated by mandocs
-          cleandocs       - clean all generated DocBook files
-
-        Architecture specific targets (x86):
-        * bzImage      - Compressed kernel image (arch/x86/boot/bzImage)
-          install      - Install kernel using
-                          (your) ~/bin/installkernel or
-                          (distribution) /sbin/installkernel or
-                          install to $(INSTALL_PATH) and run lilo
-          fdimage      - Create 1.4MB boot floppy image (arch/x86/boot/fdimage)
-          fdimage144   - Create 1.4MB boot floppy image (arch/x86/boot/fdimage)
-          fdimage288   - Create 2.8MB boot floppy image (arch/x86/boot/fdimage)
-          isoimage     - Create a boot CD-ROM image (arch/x86/boot/image.iso)
-                          bzdisk/fdimage*/isoimage also accept:
-                          FDARGS="..."  arguments for the booted kernel
-                          FDINITRD=file initrd for the booted kernel
-
-          i386_defconfig           - Build for i386
-          x86_64_defconfig         - Build for x86_64
-
-          make V=0|1 [targets] 0 => quiet build (default), 1 => verbose build
-          make V=2   [targets] 2 => give reason for rebuild of target
-          make O=dir [targets] Locate all output files in "dir", including .config
-          make C=1   [targets] Check all c source with $CHECK (sparse by default)
-          make C=2   [targets] Force check of all c source with $CHECK
-          make RECORDMCOUNT_WARN=1 [targets] Warn about ignored mcount sections
-          make W=n   [targets] Enable extra gcc checks, n=1,2,3 where
-                        1: warnings which may be relevant and do not occur too often
-                        2: warnings which occur quite often but may still be relevant
-                        3: more obscure warnings, can most likely be ignored
-                        Multiple levels can be combined with W=12 or W=123
-

- - -

-        $ make -j $(nproc) bzImage modules
-

- -

2.1.5. Install

-          modules_install - Install all modules to INSTALL_MOD_PATH (default: /)
-          firmware_install- Install all firmware to INSTALL_FW_PATH
-                            (default: $(INSTALL_MOD_PATH)/lib/firmware)
-          modules_prepare - Set up for building external modules
-          headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH
-

- -

-        $ sudo make modules_install
-        $ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.9.86-gnu
-        $ sudo cp System.map /boot/System.map-4.9.86-gnu
-

- -

Update grub;

- -

-        # grub-mkconfig -o /boot/grub/grub.cfg
-

- -

2.1.6. Remove

- -

-        $ sudo rm -r /lib/modules/4.9.86-gnu
-        $ sudo rm /boot/vmlinuz-4.9.86-gnu
-        $ sudo rm /boot/System.map-4.9.86-gnu
-

- - Core OS Index -

- - - -- cgit 1.4.1-2-gfad0