Core OS Index

2.1. Kernel Linux

Linux is a monolithic kernel, and a big one! Visit the Linux Libre and Linux Non-Libre pages for more links and information.

Spectre-meltdown checker;

        https://github.com/speed47/spectre-meltdown-checker/
        

2.1.1. Download Linux Libre

Download the Linux source from Linux Libre, or use the port system;

        $ mkdir ~/kernel
        $ cd ~/kernel
        $ cd linux-4.9.86/
        

graysky2's kernel_gcc_patch (master.zip) adds more CPU options (FLAGS) to GCC for native builds. Check the Pkgfile for instructions on how the linux-gnu port is built.

Check the version in the Makefile;

        VERSION = 4
        PATCHLEVEL = 9
        SUBLEVEL = 86
        EXTRAVERSION = -gnu
        NAME = Roaring Lionus
        

In the CPU optimization patch, change the dependency line;

        depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
        

to;

        depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
        

Apply the additional CPU optimizations patch;

        $ patch -p1 < ../enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
        

Cleaning targets:

        clean           - Remove most generated files but keep the config and
                          enough build support to build external modules
        mrproper        - Remove all generated files + config + various backup files
        distclean       - mrproper + remove editor backup and patch files
        

Prepare sources for configuration;

        $ make distclean
        

2.1.2. Configure

The linux-gnu port comes with a default configuration file that is a good starting point for tuning the kernel to your needs. To automatically configure the kernel with support for your hardware, based on the modules loaded by the currently running kernel, run;

        $ make localmodconfig
        

To get more information about the hardware, for example which graphics module (driver) is in use, run as root;

        # lspci -nnk | grep -i vga -A3 | grep 'in use'
        Kernel driver in use: i915
        

Make configuration targets;

        config          - Update current config utilising a line-oriented program
        nconfig         - Update current config utilising a ncurses menu based program
        menuconfig      - Update current config utilising a menu based program
        xconfig         - Update current config utilising a Qt based front-end
        gconfig         - Update current config utilising a GTK+ based front-end
        oldconfig       - Update current config utilising a provided .config as base
        localmodconfig  - Update current config disabling modules not loaded
        localyesconfig  - Update current config converting local mods to core
        silentoldconfig - Same as oldconfig, but quietly, additionally update deps
        defconfig       - New config with default from ARCH supplied defconfig
        savedefconfig   - Save current config as ./defconfig (minimal config)
        allnoconfig     - New config where all options are answered with no
        allyesconfig    - New config where all options are accepted with yes
        allmodconfig    - New config selecting modules when possible
        alldefconfig    - New config with all symbols set to default
        randconfig      - New config with random answer to all options
        listnewconfig   - List new options
        olddefconfig    - Same as silentoldconfig but sets new symbols to their default value
        kvmconfig       - Enable additional options for kvm guest kernel support
        xenconfig       - Enable additional options for xen dom0 and guest kernel support
        tinyconfig      - Configure the tiniest possible kernel
        

The following configuration tries to be generic about hardware support while addressing the requirements of applications such as qemu, docker, etc. For more information about hardening options read kernsec.org. Configure the kernel using ncurses;

        $ make nconfig
        
            CONFIG_BUG_ON_DATA_CORRUPTION=y

            # Perform extensive checks on reference counting.
            CONFIG_REFCOUNT_FULL=y

            # Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
            CONFIG_FORTIFY_SOURCE=y

        

2.1.2.1 General Setup

CONFIG_POSIX_MQUEUE=y
POSIX Message Queues
CONFIG_VMAP_STACK=y
Use a virtually-mapped stack
Adds guard pages to kernel stacks (not all architectures support this yet).
CONFIG_CGROUPS=y
Control Group support
CONFIG_MEMCG=y
Memory controller
CONFIG_MEMCG_SWAP=y
Swap controller
CONFIG_MEMCG_SWAP_ENABLED=y
Swap controller enabled by default
CONFIG_BLK_CGROUP=y
IO controller
CONFIG_CGROUP_SCHED=y
CPU controller
CONFIG_FAIR_GROUP_SCHED=y
Group scheduling for SCHED_OTHER
CONFIG_CFS_BANDWIDTH=y
CPU bandwidth provisioning for FAIR_GROUP_SCHED
CONFIG_RT_GROUP_SCHED=y
Group scheduling for SCHED_RR/FIFO
CONFIG_CGROUP_PIDS=y
PIDs controller
CONFIG_CGROUP_FREEZER=y
Freezer controller
CONFIG_CGROUP_HUGETLB=y
HugeTLB controller
CONFIG_CPUSETS=y
Cpuset controller
CONFIG_PROC_PID_CPUSET=y
Include legacy /proc/<pid>/cpuset file
CONFIG_CGROUP_DEVICE=y
Device controller
CONFIG_CGROUP_CPUACCT=y
Simple CPU accounting controller
CONFIG_CGROUP_PERF=y
Perf controller

CONFIG_NAMESPACES=y
Namespaces support

CONFIG_UTS_NS=y
UTS namespace
CONFIG_IPC_NS=y
IPC namespace
CONFIG_USER_NS=y
User namespace
CONFIG_PID_NS=y
PID Namespaces
CONFIG_NET_NS=y
Network namespace
CONFIG_COMPAT_BRK=n
Disable heap randomization
Dangerous; enabling this disables brk ASLR.
CONFIG_SLAB_FREELIST_RANDOM=y
SLAB freelist randomization
Randomize allocator freelists.
CONFIG_SLAB_FREELIST_HARDENED=y
Harden slab freelist metadata
Harden allocator freelist metadata.
CONFIG_SLUB_DEBUG=y
Enable SLUB debugging support
Allow allocator validation checking to be enabled (see "slub_debug=P" below).
CONFIG_CC_STACKPROTECTOR=y
Stack Protector buffer overflow detection
CONFIG_CC_STACKPROTECTOR_STRONG=y
Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.

2.1.2.2 Enable loadable module support

CONFIG_MODULES=y
Enable loadable module support
To keep root from altering kernel memory via loadable modules, set CONFIG_MODULES=n.
If CONFIG_MODULES=y is needed, modules must at least be signed with a per-build key.
CONFIG_DEBUG_SET_MODULE_RONX=y
(prior to v4.11)
CONFIG_STRICT_MODULE_RWX=y
(since v4.11)
CONFIG_MODULE_SIG=y
Module signature verification
CONFIG_MODULE_SIG_FORCE=y
Require modules to be validly signed
CONFIG_MODULE_SIG_ALL=y
Automatically sign all modules
CONFIG_MODULE_SIG_SHA512=y
Sign modules with SHA-512
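To confirm that modules_install actually produced signed modules before relying on CONFIG_MODULE_SIG_FORCE, the following POSIX shell check is added here; it is not part of the c9-doc manual or of the kernel tree. The marker string is the one the kernel appends after a module signature; the sample .ko files are constructed placeholders, not real modules.

```shell
#!/bin/sh
# Check whether .ko files carry the kernel's appended-signature trailer. Added
# example, not part of the c9-doc manual. With CONFIG_MODULE_SIG_ALL=y,
# "make modules_install" signs each module and appends the 28-byte marker
# "~Module signature appended~\n" after the signature; under CONFIG_MODULE_SIG_FORCE=y
# a module without a valid signature is refused at load time.
MODULE_SIG_MARKER='~Module signature appended~'

# Return 0 if the file ends with the marker, 1 otherwise. This only shows that a
# signature is present; checking it against the build key is the kernel's job.
module_is_signed() {
    [ "$(tail -c 28 "$1" | head -c 27)" = "$MODULE_SIG_MARKER" ]
}

# Print the number of .ko files under a directory (e.g. /lib/modules/4.9.86-gnu)
# that lack the marker, naming each one on stderr.
count_unsigned_modules() {
    find "$1" -name '*.ko' | while read -r ko; do
        module_is_signed "$ko" || { printf 'UNSIGNED %s\n' "$ko" >&2; printf '%s\n' "$ko"; }
    done | wc -l | tr -d ' '
}

# Constructed sample tree (placeholder bytes, not real modules): one file with a
# body, a stand-in for the PKCS#7 blob and the 12-byte signature header, then
# the real marker; and one file with no trailer at all.
make_sample_modules() {
    printf 'fake-module-body:fake-pkcs7-blob:fake-12-byte-hdr' > "$1/signed.ko"
    printf '%s\n' "$MODULE_SIG_MARKER" >> "$1/signed.ko"
    printf 'fake-module-body' > "$1/unsigned.ko"
}

sample_dir=$(mktemp -d); make_sample_modules "$sample_dir"
unsigned_count=$(count_unsigned_modules "$sample_dir" 2>/dev/null)
rm -rf "$sample_dir"
```

Point count_unsigned_modules at the installed module directory after modules_install; a non-zero count means some modules would be rejected once CONFIG_MODULE_SIG_FORCE is in effect.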

2.1.2.3 Enable the block layer

CONFIG_BLK_DEV_THROTTLING=y
Block layer bio throttling support
CONFIG_IOSCHED_CFQ=y
CFQ IO scheduler
CONFIG_CFQ_GROUP_IOSCHED=y
CFQ Group Scheduling support

2.1.2.4 Processor type and features

CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
Low address space to protect from user allocation
Disallow allocating the first 64k of memory.
CONFIG_X86_VSYSCALL_EMULATION=n
Enable vsyscall emulation
Needed by programs from before 2013; some programs may still require it.
Removes additional attack surface; keep off unless you really need it.
CONFIG_SECCOMP=y
Enable seccomp to safely compute untrusted bytecode
Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_SECCOMP_FILTER=y
Provide userspace with seccomp BPF API for syscall attack surface reduction.
CONFIG_KEXEC=n
kexec system call
Dangerous; enabling this allows replacement of running kernel.
CONFIG_RANDOMIZE_BASE=y
Randomize the address of the kernel image (KASLR)
CONFIG_RANDOMIZE_MEMORY=y
Randomize the kernel memory sections
CONFIG_LEGACY_VSYSCALL_NONE=y
vsyscall table for legacy applications (None)
Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
CONFIG_COMPAT_VDSO=n
Disable the 32-bit vDSO (needed for glibc 2.3.3)
Dangerous; enabling this disables VDSO ASLR.
CONFIG_MODIFY_LDT_SYSCALL=n
Enable the LDT (local descriptor table)
Removes additional attack surface; keep off unless you really need it.

2.1.2.5 Power management and ACPI options

CONFIG_HIBERNATION=n
Hibernation (aka 'suspend to disk')
Dangerous; enabling this allows replacement of running kernel.
CONFIG_ACPI_CUSTOM_METHOD=n
Allow ACPI methods to be inserted/replaced at run time
Dangerous; enabling this allows direct physical memory writing.

2.1.2.6 Bus options (PCI etc.)

2.1.2.7 Executable file formats / Emulations

CONFIG_BINFMT_MISC=n
Kernel support for MISC binaries
Easily confused by misconfigured userspace, keep off.
CONFIG_IA32_EMULATION=n
Removes additional attack surface; keep off unless you really need it.
CONFIG_X86_X32=n
Removes additional attack surface; keep off unless you really need it.

2.1.2.8 Networking support

Networking options

CONFIG_INET_DIAG=m
INET: socket monitoring interface
Support for the INET (TCP, DCCP, etc.) socket monitoring interface used by native Linux tools such as ss (ss is included in iproute2).
Prior to v4.1 this interface assisted heap memory attacks; best to keep it disabled.
CONFIG_BRIDGE=y
802.1d Ethernet Bridging
CONFIG_NET_SCHED=y
QoS and/or fair queueing
CONFIG_NET_CLS_CGROUP=y
Control Group Classifier
CONFIG_VSOCKETS=y
Virtual Socket protocol
CONFIG_VIRTIO_VSOCKETS=y
virtio transport for Virtual Sockets
CONFIG_NET_L3_MASTER_DEV=y
L3 Master device support
CONFIG_CGROUP_NET_PRIO=y
Network priority cgroup
CONFIG_CGROUP_NET_CLASSID=y
Network classid cgroup
CONFIG_NETFILTER=y
Network packet filtering framework (Netfilter)
CONFIG_NETFILTER_ADVANCED=y
Advanced netfilter configuration
CONFIG_BRIDGE_NETFILTER=y
Bridged IP/ARP packets filtering
CONFIG_NF_CONNTRACK=y
Netfilter connection tracking support
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
"addrtype" address type match support
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
"conntrack" connection tracking match support
CONFIG_NETFILTER_XT_MATCH_IPVS=y
"ipvs" match support
CONFIG_IP_VS=y
IP virtual server support
CONFIG_IP_VS_PROTO_TCP=y
TCP load balancing support
CONFIG_IP_VS_PROTO_UDP=y
UDP load balancing support
CONFIG_IP_VS_RR=y
round-robin scheduling
CONFIG_IP_VS_NFCT=y
Netfilter connection tracking
CONFIG_NF_CONNTRACK_IPV4=y
IPv4 connection tracking support (required for NAT)
CONFIG_NF_NAT_IPV4=y
IPv4 NAT
CONFIG_NF_NAT_MASQUERADE_IPV4=y
IPv4 masquerade support
CONFIG_IP_NF_IPTABLES=y
IP tables support (required for filtering/masq/NAT)
CONFIG_IP_NF_FILTER=y
Packet filtering
CONFIG_IP_NF_NAT=y
iptables NAT support
CONFIG_IP_NF_TARGET_MASQUERADE=y
MASQUERADE target support
CONFIG_IP_NF_TARGET_NETMAP=y
NETMAP target support
CONFIG_IP_NF_TARGET_REDIRECT=y
REDIRECT target support
REDIRECT target support
CONFIG_SYN_COOKIES=y
IP: TCP syncookie support
Provides some protections against SYN flooding.

2.1.2.9 Device Drivers

Block devices

CONFIG_VIRTIO_BLK=y
This is the virtual block driver for virtio.
For QEMU based VMMs.
CONFIG_BLK_DEV_NBD=y
Network block device support.

SCSI device support

CONFIG_SCSI_VIRTIO=y
This is the virtual HBA driver for virtio. Enable it if the kernel will be used in a virtual machine.

Multiple devices driver support (RAID and LVM)

CONFIG_MD=y
Multiple devices driver support (RAID and LVM)
CONFIG_BLK_DEV_DM=y
Device mapper support
CONFIG_DM_THIN_PROVISIONING=y
Thin provisioning target

Network device support

CONFIG_NETDEVICES=y
Network device support
CONFIG_NET_CORE=y
Network core driver support
CONFIG_DUMMY=y
Dummy net driver support
CONFIG_MACVLAN=y
MAC-VLAN support
This allows one to create virtual interfaces that map packets to or from specific MAC addresses to a particular interface. Macvlan devices can be added using the "ip" command from the iproute2 package starting with the iproute2-2.6.23 release:
"ip link add link <real dev> [ address MAC ] [ NAME ] type macvlan"
CONFIG_VXLAN=y
Virtual eXtensible Local Area Network (VXLAN)
CONFIG_TUN=y
Universal TUN/TAP device driver support
CONFIG_VETH=y
Virtual ethernet pair device.
CONFIG_VIRTIO_NET=y
Virtio network driver.
CONFIG_IPVLAN=n
IP-VLAN support
Requires IPv6.

Character devices

CONFIG_DEVMEM=n
/dev/mem virtual device support
Do not allow direct physical memory access (but if you must have it, at least enable CONFIG_STRICT_DEVMEM mode...)
CONFIG_TTY=y
Enable TTY
CONFIG_UNIX98_PTYS=y
Unix98 PTY support
CONFIG_LEGACY_PTYS=n
Legacy (BSD) PTY support
Use the modern PTY interface (devpts) only.
Support multiple instances of devpts
CONFIG_DEVKMEM=n
/dev/kmem virtual device support
Dangerous; enabling this allows direct kernel memory writing.

Virtio drivers

CONFIG_VIRTIO_PCI=y
PCI driver for virtio devices

2.1.2.10 Firmware Drivers

2.1.2.11 File systems

CONFIG_OVERLAY_FS=y
Overlay filesystem support
CONFIG_PROC_KCORE=n
/proc/kcore support
Dangerous; exposes kernel text image layout.
CONFIG_HUGETLBFS=y
HugeTLB file system support

2.1.2.12 Kernel hacking

CONFIG_DEBUG=y
CONFIG_DEBUG_KERNEL=y
Kernel debugging
CONFIG_DEBUG_RODATA=y
(prior to v4.11)
Make sure kernel page tables have safe permissions.
CONFIG_STRICT_KERNEL_RWX=y
(since v4.11)
Make sure kernel page tables have safe permissions.
CONFIG_PANIC_ON_OOPS=y
Panic on Oops
This feature is useful to ensure that the kernel does not do anything erroneous after an oops which could result in data corruption or other issues.
CONFIG_PANIC_TIMEOUT=-1
Reboot the device immediately if the kernel experiences an Oops.
CONFIG_SCHED_STACK_END_CHECK=y
Detect stack corruption on calls to schedule()
Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_LIST=y
Debug linked list manipulation
Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_SG=y
Debug SG table operations
Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_NOTIFIERS=y
Debug notifier call chains
Perform additional validation of various commonly targeted structures.
CONFIG_DEBUG_CREDENTIALS=y
Debug credential management
Perform additional validation of various commonly targeted structures.
CONFIG_STRICT_DEVMEM=y
Filter access to /dev/mem
Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
CONFIG_IO_STRICT_DEVMEM=y
Filter I/O access to /dev/mem
Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
CONFIG_DEBUG_WX=y
Warn on W+X mappings at boot
Report any dangerous memory permissions (not available on all archs).

Compile-time checks and compiler options

CONFIG_DEBUG_FS=y
Debug Filesystem

Memory Debugging

CONFIG_PAGE_POISONING=y
Poison pages after freeing
Wipe higher-level memory allocations when they are freed (needs "page_poison=1" command line below).
CONFIG_PAGE_POISONING_NO_SANITY=y
Only poison, don't sanity check
(If you can afford even more performance penalty, leave CONFIG_PAGE_POISONING_NO_SANITY=n)
CONFIG_PAGE_POISONING_ZERO=y
Use zero for poisoning instead of random data

2.1.2.13 Security options

CONFIG_KEYS=y
Enable access key retention support
CONFIG_PERSISTENT_KEYRINGS=y
Enable register of persistent per-UID keyrings
CONFIG_ENCRYPTED_KEYS=y
ENCRYPTED KEYS
CONFIG_KEY_DH_OPERATIONS=y
Diffie-Hellman operations on retained keys
CONFIG_SECURITY=y
Enable different security models
CONFIG_HARDENED_USERCOPY=y
Harden memory copies between kernel and userspace
Perform usercopy bounds checking.
CONFIG_SECURITY_SELINUX=n
NSA SELinux Support
CONFIG_SECURITY_SELINUX_DISABLE=n
NSA SELinux runtime disable
If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
CONFIG_SECURITY_APPARMOR=y
AppArmor support
This enables the AppArmor security module. Required userspace tools (if they are not included in your distribution) and further information may be found on the AppArmor project site.
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
AppArmor boot parameter default value
CONFIG_SECURITY_YAMA=y
Yama support
Provide userspace with ptrace ancestry protections.

2.1.2.14 Cryptographic API

2.1.2.15 Virtualization

CONFIG_KVM=y
Kernel-based Virtual Machine (KVM) support
CONFIG_KVM_INTEL=y
KVM for Intel processors support
Provides support for KVM on Intel processors equipped with the VT extensions.
CONFIG_KVM_AMD=y
KVM for AMD processors support
Provides support for KVM on AMD processors equipped with the AMD-V (SVM) extensions.
CONFIG_KVM_DEVICE_ASSIGNMENT=n
KVM legacy PCI device assignment support (DEPRECATED)
CONFIG_VHOST_NET=y
Host kernel accelerator for virtio net
CONFIG_VHOST_VSOCK=y
vhost virtio-vsock driver
CONFIG_VHOST_CROSS_ENDIAN_LEGACY=y
Cross-endian support for vhost
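To verify that the resulting .config carries the hardening values listed in the configuration sections above, here is an added POSIX shell audit script; it is not part of the c9-doc manual. The expected values are a subset of those sections, and the sample .config fragment it falls back to is constructed for the demonstration.

```shell
#!/bin/sh
# Audit a kernel .config against hardening values recommended on this page. Added
# example, not part of the c9-doc manual; a disabled option is "# CONFIG_FOO is not set".

# Expected values, a subset of the Configure sections above ("NAME VALUE").
HARDENING_EXPECTED="
CONFIG_COMPAT_BRK n
CONFIG_SLAB_FREELIST_HARDENED y
CONFIG_CC_STACKPROTECTOR_STRONG y
CONFIG_MODULE_SIG_FORCE y
CONFIG_DEFAULT_MMAP_MIN_ADDR 65536
CONFIG_KEXEC n
CONFIG_RANDOMIZE_BASE y
CONFIG_DEVKMEM n
CONFIG_PANIC_TIMEOUT -1
CONFIG_HARDENED_USERCOPY y
"

# Print the effective value of one option: y, m or a number when it is set,
# and n when it is absent or appears as "# CONFIG_FOO is not set".
config_value() {
    cv_val=$(sed -n "s/^$1=\(.*\)$/\1/p" "$2" | tail -n 1)
    if [ -z "$cv_val" ]; then printf 'n\n'; else printf '%s\n' "$cv_val"; fi
}

# Compare every expected option against the given .config; print one line per
# mismatch and return the number of mismatches (0 means the file complies).
audit_config() {
    ac_bad=0
    for pair in $(printf '%s\n' "$HARDENING_EXPECTED" | tr ' ' ':'); do
        ac_name=${pair%%:*}; ac_want=${pair#*:}
        ac_have=$(config_value "$ac_name" "$1")
        if [ "$ac_have" != "$ac_want" ]; then
            printf 'MISMATCH %s: want %s, have %s\n' "$ac_name" "$ac_want" "$ac_have"
            ac_bad=$((ac_bad + 1))
        fi
    done
    return $ac_bad
}

# Constructed sample .config fragment (not from a real build). It deviates from
# the recommendations in six places; CONFIG_KEXEC is simply absent, which counts as n.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_COMPAT_BRK=y
# CONFIG_SLAB_FREELIST_HARDENED is not set
CONFIG_CC_STACKPROTECTOR_STRONG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
CONFIG_RANDOMIZE_BASE=y
CONFIG_DEVKMEM=y
CONFIG_PANIC_TIMEOUT=0
CONFIG_HARDENED_USERCOPY=y
EOF
}

# Audit the file named on the command line, or the constructed sample otherwise.
sample=$(mktemp); write_sample_config "$sample"
audit_rc=0; audit_config "${1:-$sample}" || audit_rc=$?
rm -f "$sample"
```

Run it against the tree's .config or a distribution's /boot/config-$(uname -r) (saved under any script name you like); the exit status is the mismatch count.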

2.1.2.16 Library routines

2.1.3. Build

Make targets;

        Other generic targets:
          all             - Build all targets marked with [*]
        * vmlinux         - Build the bare kernel
        * modules         - Build all modules

        Documentation targets:
         Linux kernel internal documentation in different formats (Sphinx):
          htmldocs        - HTML
          latexdocs       - LaTeX
          pdfdocs         - PDF
          epubdocs        - EPUB
          xmldocs         - XML
          cleandocs       - clean all generated files

          make SPHINXDIRS="s1 s2" [target] Generate only docs of folder s1, s2
          valid values for SPHINXDIRS are: development-process media gpu 80211

          make SPHINX_CONF={conf-file} [target] use *additional* sphinx-build
          configuration. This is e.g. useful to build with nit-picking config.

         Linux kernel internal documentation in different formats (DocBook):
          htmldocs        - HTML
          pdfdocs         - PDF
          psdocs          - Postscript
          xmldocs         - XML DocBook
          mandocs         - man pages
          installmandocs  - install man pages generated by mandocs
          cleandocs       - clean all generated DocBook files

        Architecture specific targets (x86):
        * bzImage      - Compressed kernel image (arch/x86/boot/bzImage)
          install      - Install kernel using
                          (your) ~/bin/installkernel or
                          (distribution) /sbin/installkernel or
                          install to $(INSTALL_PATH) and run lilo
          fdimage      - Create 1.4MB boot floppy image (arch/x86/boot/fdimage)
          fdimage144   - Create 1.4MB boot floppy image (arch/x86/boot/fdimage)
          fdimage288   - Create 2.8MB boot floppy image (arch/x86/boot/fdimage)
          isoimage     - Create a boot CD-ROM image (arch/x86/boot/image.iso)
                          bzdisk/fdimage*/isoimage also accept:
                          FDARGS="..."  arguments for the booted kernel
                          FDINITRD=file initrd for the booted kernel

          i386_defconfig           - Build for i386
          x86_64_defconfig         - Build for x86_64

          make V=0|1 [targets] 0 => quiet build (default), 1 => verbose build
          make V=2   [targets] 2 => give reason for rebuild of target
          make O=dir [targets] Locate all output files in "dir", including .config
          make C=1   [targets] Check all c source with $CHECK (sparse by default)
          make C=2   [targets] Force check of all c source with $CHECK
          make RECORDMCOUNT_WARN=1 [targets] Warn about ignored mcount sections
          make W=n   [targets] Enable extra gcc checks, n=1,2,3 where
                        1: warnings which may be relevant and do not occur too often
                        2: warnings which occur quite often but may still be relevant
                        3: more obscure warnings, can most likely be ignored
                        Multiple levels can be combined with W=12 or W=123
        
        $ make -j $(nproc) bzImage modules
        

2.1.5. Install

          modules_install - Install all modules to INSTALL_MOD_PATH (default: /)
          firmware_install- Install all firmware to INSTALL_FW_PATH
                            (default: $(INSTALL_MOD_PATH)/lib/firmware)
          modules_prepare - Set up for building external modules
          headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH
        
        $ sudo make modules_install
        $ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.9.86-gnu
        $ sudo cp System.map /boot/System.map-4.9.86-gnu
        

Update grub;

        # grub-mkconfig -o /boot/grub/grub.cfg
        

2.1.6. Remove

        $ sudo rm -r /lib/modules/4.9.86-gnu
        $ sudo rm /boot/vmlinuz-4.9.86-gnu
        $ sudo rm /boot/System.map-4.9.86-gnu
        

This is part of the c9-doc Manual. Copyright (C) 2018 c9 team. See the file Gnu Free Documentation License for copying conditions.