Core OS Index
2.1. Kernel Linux
Linux is a monolithic kernel, a big one! Visit the
Linux Libre
and
Linux Non-Libre pages for more links
and information.
Spectre-meltdown checker;
https://github.com/speed47/spectre-meltdown-checker/
2.1.1. Download Linux Libre
Download Linux Source from
linux libre,
or using the port system;
$ mkdir ~/kernel
$ cd ~/kernel
$ cd linux-4.9.86/
graysky2's kernel_gcc_patch (master.zip)
adds more CPU options (FLAGS) for native builds.
Check the Pkgfile
for instructions on how the linux-gnu port is built.
Check the version in the Makefile;
VERSION = 4
PATCHLEVEL = 9
SUBLEVEL = 86
EXTRAVERSION = -gnu
NAME = Roaring Lionus
Edit the CPU optimization patch, changing the line
depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
to;
depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
Apply additional cpu optimizations patch;
$ patch -p1 < ../enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
Cleaning targets:
clean - Remove most generated files but keep the config and
enough build support to build external modules
mrproper - Remove all generated files + config + various backup files
distclean - mrproper + remove editor backup and patch files
Prepare sources for configuration;
$ make distclean
The linux-gnu port comes with a default configuration file that is
a good starting point for tuning the kernel to your needs. To
automatically configure the kernel with support for your hardware,
based on the modules loaded by the currently running kernel, run;
$ make localmodconfig
To get more information about the hardware, for example
which graphics module (driver) is in use, run as root;
# lspci -nnk | grep -i vga -A3 | grep 'in use'
Kernel driver in use: i915
Make configuration targets;
config - Update current config utilising a line-oriented program
nconfig - Update current config utilising a ncurses menu based program
menuconfig - Update current config utilising a menu based program
xconfig - Update current config utilising a Qt based front-end
gconfig - Update current config utilising a GTK+ based front-end
oldconfig - Update current config utilising a provided .config as base
localmodconfig - Update current config disabling modules not loaded
localyesconfig - Update current config converting local mods to core
silentoldconfig - Same as oldconfig, but quietly, additionally update deps
defconfig - New config with default from ARCH supplied defconfig
savedefconfig - Save current config as ./defconfig (minimal config)
allnoconfig - New config where all options are answered with no
allyesconfig - New config where all options are accepted with yes
allmodconfig - New config selecting modules when possible
alldefconfig - New config with all symbols set to default
randconfig - New config with random answer to all options
listnewconfig - List new options
olddefconfig - Same as silentoldconfig but sets new symbols to their default value
kvmconfig - Enable additional options for kvm guest kernel support
xenconfig - Enable additional options for xen dom0 and guest kernel support
tinyconfig - Configure the tiniest possible kernel
The following configuration tries to be generic about hardware
support while addressing the requirements of applications such as
qemu, docker, etc. For more information about hardening options read
kernsec.org. Configure the kernel
using ncurses;
$ make nconfig
- CONFIG_BUG_ON_DATA_CORRUPTION=y
- Trigger a BUG when data corruption is detected
- CONFIG_REFCOUNT_FULL=y
- Perform extensive checks on reference counting.
- CONFIG_FORTIFY_SOURCE=y
- Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
2.1.2.1 General Setup
- CONFIG_POSIX_MQUEUE=y
- POSIX Message Queues
- CONFIG_VMAP_STACK=y
- Use a virtually-mapped stack
- Adds guard pages to kernel stacks (not all architectures
support this yet).
- CONFIG_CGROUPS=y
- Control Group support
- CONFIG_MEMCG=y
- Memory controller
- CONFIG_MEMCG_SWAP=y
- Swap controller
- CONFIG_MEMCG_SWAP_ENABLED=y
- Swap controller enabled by default
- CONFIG_BLK_CGROUP=y
- IO controller
- CONFIG_CGROUP_SCHED=y
- CPU controller
- CONFIG_FAIR_GROUP_SCHED=y
- Group scheduling for SCHED_OTHER
- CONFIG_CFS_BANDWIDTH=y
- CPU bandwidth provisioning for FAIR_GROUP_SCHED
- CONFIG_RT_GROUP_SCHED=y
- Group scheduling for SCHED_RR/FIFO
- CONFIG_CGROUP_PIDS=y
- PIDs controller
- CONFIG_CGROUP_FREEZER=y
- Freezer controller
- CONFIG_CGROUP_HUGETLB=y
- HugeTLB controller
- CONFIG_CPUSETS=y
- Cpuset controller
- CONFIG_PROC_PID_CPUSET=y
- Include legacy /proc/<pid>/cpuset file
- CONFIG_CGROUP_DEVICE=y
- Device controller
- CONFIG_CGROUP_CPUACCT=y
- Simple CPU accounting controller
- CONFIG_CGROUP_PERF=y
- Perf controller
- CONFIG_NAMESPACES=y
- Namespaces support
- CONFIG_UTS_NS=y
- UTS namespace
- CONFIG_IPC_NS=y
- IPC namespace
- CONFIG_USER_NS=y
- User namespace
- CONFIG_PID_NS=y
- PID Namespaces
- CONFIG_NET_NS=y
- Network namespace
- CONFIG_COMPAT_BRK=n
- Disable heap randomization
- Dangerous; enabling this disables brk ASLR.
- CONFIG_SLAB_FREELIST_RANDOM=y
- Randomize the order of allocator freelists.
- CONFIG_SLAB_FREELIST_HARDENED=y
- Harden allocator freelist metadata.
- CONFIG_SLUB_DEBUG=y
- Enable SLUB debugging support
- Allow allocator validation checking to be enabled
(see "slub_debug=P" below).
- CONFIG_CC_STACKPROTECTOR=y
- Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
- CONFIG_CC_STACKPROTECTOR_STRONG=y
- Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
2.1.2.2 Enable loadable module support
- CONFIG_MODULES=y
- Enable loadable module support
- Keep root from altering kernel memory via loadable modules:
set CONFIG_MODULES=n.
- But if CONFIG_MODULES=y is needed, at least the modules must be
signed with a per-build key.
- CONFIG_DEBUG_SET_MODULE_RONX=y
- (prior to v4.11)
- CONFIG_STRICT_MODULE_RWX=y
- (since v4.11)
- CONFIG_MODULE_SIG=y
- Module signature verification
- CONFIG_MODULE_SIG_FORCE=y
- Require modules to be validly signed
- CONFIG_MODULE_SIG_ALL=y
- Automatically sign all modules
- CONFIG_MODULE_SIG_SHA512=y
- Sign modules with SHA-512
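A way to confirm that a built module actually carries the in-file signature that CONFIG_MODULE_SIG_ALL appends, before CONFIG_MODULE_SIG_FORCE locks out unsigned modules. This is an added example, not code from the page or the kernel tree; it follows the kernel's struct module_signature trailer layout and the sample bytes are constructed.

```python
# Added example (not from the page or the kernel tree): check whether a
# .ko file carries the trailer that CONFIG_MODULE_SIG_ALL appends, so a
# build can be verified before CONFIG_MODULE_SIG_FORCE locks modules down.
# Layout follows struct module_signature in the kernel; sample bytes are
# constructed, not a real module or signature.
import struct

MARKER = b"~Module signature appended~\n"  # 28-byte magic at end of file
PKEY_ID_PKCS7 = 2                          # id_type used for PKCS#7 signatures
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# three pad bytes, then sig_len as a big-endian u32 (12 bytes total).
SIG_HDR = struct.Struct(">BBBBB3xI")


def inspect_module(data):
    """Describe the signature trailer of a module image as a dict.
    'signed' is False when the marker is absent or the header is malformed."""
    if not data.endswith(MARKER):
        return {"signed": False, "reason": "no signature marker"}
    body = data[:-len(MARKER)]
    if len(body) < SIG_HDR.size:
        return {"signed": False, "reason": "truncated header"}
    algo, hsh, id_type, signer_len, key_id_len, sig_len = SIG_HDR.unpack(
        body[-SIG_HDR.size:])
    payload = body[:-SIG_HDR.size]
    if id_type != PKEY_ID_PKCS7:
        return {"signed": False, "reason": f"unsupported id_type {id_type}"}
    if algo or hsh or signer_len or key_id_len:
        return {"signed": False, "reason": "PKCS#7 header fields must be zero"}
    if sig_len == 0 or sig_len > len(payload):
        return {"signed": False, "reason": "sig_len out of range"}
    # A PKCS#7 blob is DER-encoded and therefore starts with a SEQUENCE tag.
    if payload[len(payload) - sig_len] != 0x30:
        return {"signed": False, "reason": "signature is not DER"}
    return {"signed": True, "sig_len": sig_len,
            "module_len": len(payload) - sig_len}


def build_sample(module, signature):
    """Construct a fake signed image using the kernel's trailer layout."""
    hdr = SIG_HDR.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(signature))
    return module + signature + hdr + MARKER


# Constructed sample: ELF-looking bytes plus a dummy DER SEQUENCE.
FAKE_MODULE = b"\x7fELF" + b"\0" * 60
FAKE_SIG = b"\x30\x05\x02\x03\x01\x02\x03"

if __name__ == "__main__":
    print(inspect_module(build_sample(FAKE_MODULE, FAKE_SIG)))  # signed
    print(inspect_module(FAKE_MODULE))                          # unsigned
```

On a real system, pass the bytes of each file under /lib/modules/<release>/ to inspect_module(); a module reporting "no signature marker" would be rejected once CONFIG_MODULE_SIG_FORCE=y is in effect.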
2.1.2.3 Enable the block layer
- CONFIG_BLK_DEV_THROTTLING=y
- Block layer bio throttling support
- CONFIG_IOSCHED_CFQ=y
- CFQ IO scheduler
- CONFIG_CFQ_GROUP_IOSCHED=y
- CFQ Group Scheduling support
2.1.2.4 Processor type and features
- CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
- Low address space to protect from user allocation
- Disallow allocating the first 64k of memory.
- CONFIG_X86_VSYSCALL_EMULATION=n
- Enable vsyscall emulation
- Needed only by programs built before 2013; some programs may
still require it.
- Remove additional attack surface, unless you really
need it.
- CONFIG_SECCOMP=y
- Enable seccomp to safely compute untrusted bytecode
- Provide userspace with seccomp BPF API for syscall attack surface reduction.
- CONFIG_SECCOMP_FILTER=y
- Provide userspace with seccomp BPF API for syscall attack surface reduction.
- CONFIG_KEXEC=n
- kexec system call
- Dangerous; enabling this allows replacement
of running kernel.
- CONFIG_RANDOMIZE_BASE=y
- Randomize the address of the kernel image (KASLR)
- CONFIG_RANDOMIZE_MEMORY=y
- Randomize the kernel memory sections
- CONFIG_LEGACY_VSYSCALL_NONE=y
- vsyscall table for legacy applications (None)
- Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
- CONFIG_COMPAT_VDSO=n
- Disable the 32-bit vDSO (needed for glibc 2.3.3)
- Dangerous; enabling this disables VDSO ASLR.
- CONFIG_MODIFY_LDT_SYSCALL=n
- Enable the LDT (local descriptor table)
- Remove additional attack surface, unless you really need them.
2.1.2.5 Power management and ACPI options
- CONFIG_HIBERNATION=n
- Hibernation (aka 'suspend to disk')
- Dangerous; enabling this allows replacement of running
kernel.
- CONFIG_ACPI_CUSTOM_METHOD=n
- Allow ACPI methods to be inserted/replaced at run time
- Dangerous; enabling this allows direct physical
memory writing.
2.1.2.6 Bus options (PCI etc.)
2.1.2.7 Executable file formats / Emulations
- CONFIG_BINFMT_MISC=n
- Kernel support for MISC binaries
- Easily confused by misconfigured userspace, keep off.
- CONFIG_IA32_EMULATION=n
- IA32 Emulation
- Remove additional attack surface, unless you really need it.
- CONFIG_X86_X32=n
- x32 ABI for 64-bit mode
- Remove additional attack surface, unless you really need it.
2.1.2.8 Networking support
Networking options
- CONFIG_INET_DIAG=m
- INET: socket monitoring interface
- Support for the INET (TCP, DCCP, etc.) socket monitoring
interface used by native Linux tools such as ss, which is
included in iproute2.
- Prior to v4.1, assists heap memory attacks;
best to keep interface disabled.
- CONFIG_BRIDGE=y
- 802.1d Ethernet Bridging
- CONFIG_NET_SCHED=y
- QoS and/or fair queueing
- CONFIG_NET_CLS_CGROUP=y
- Control Group Classifier
- CONFIG_VSOCKETS=y
- Virtual Socket protocol
- CONFIG_VIRTIO_VSOCKETS=y
- virtio transport for Virtual Sockets
- CONFIG_NET_L3_MASTER_DEV=y
- L3 Master device support
- CONFIG_CGROUP_NET_PRIO=y
- Network priority cgroup
- CONFIG_CGROUP_NET_CLASSID=y
- Network classid cgroup
- CONFIG_NETFILTER=y
- Network packet filtering framework (Netfilter)
- CONFIG_NETFILTER_ADVANCED=y
- Advanced netfilter configuration
- CONFIG_BRIDGE_NETFILTER=y
- Bridged IP/ARP packets filtering
- CONFIG_NF_CONNTRACK=y
- Netfilter connection tracking support
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
- "addrtype" address type match support
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
- "conntrack" connection tracking match support
- CONFIG_NETFILTER_XT_MATCH_IPVS=y
- "ipvs" match support
- CONFIG_IP_VS=y
- IP virtual server support
- CONFIG_IP_VS_PROTO_TCP=y
- TCP load balancing support
- CONFIG_IP_VS_PROTO_UDP=y
- UDP load balancing support
- CONFIG_IP_VS_RR=y
- round-robin scheduling
- CONFIG_IP_VS_NFCT=y
- Netfilter connection tracking
- CONFIG_NF_CONNTRACK_IPV4=y
- IPv4 connection tracking support (required for NAT)
- CONFIG_NF_NAT_IPV4=y
- IPv4 NAT
- CONFIG_NF_NAT_MASQUERADE_IPV4=y
- IPv4 masquerade support
- CONFIG_IP_NF_IPTABLES=y
- IP tables support (required for filtering/masq/NAT)
- CONFIG_IP_NF_FILTER=y
- Packet filtering
- CONFIG_IP_NF_NAT=y
- iptables NAT support
- CONFIG_IP_NF_TARGET_MASQUERADE=y
- MASQUERADE target support
- CONFIG_IP_NF_TARGET_NETMAP=y
- NETMAP target support
- CONFIG_IP_NF_TARGET_REDIRECT=y
- REDIRECT target support
- CONFIG_SYN_COOKIES=y
- IP: TCP syncookie support
- Provides some protections against SYN flooding.
2.1.2.9 Device Drivers
Block devices
- CONFIG_VIRTIO_BLK=y
- This is the virtual block driver for virtio.
- For QEMU based VMMs.
- CONFIG_BLK_DEV_NBD=y
- Network block device support.
SCSI device support
- CONFIG_SCSI_VIRTIO=y
- This is the virtual HBA driver for virtio.
Enable it if the kernel will be used in a virtual machine.
Multiple devices driver support (RAID and LVM)
- CONFIG_MD=y
- Multiple devices driver support (RAID and LVM)
- CONFIG_BLK_DEV_DM=y
- Device mapper support
- CONFIG_DM_THIN_PROVISIONING=y
- Thin provisioning target
Network device support
- CONFIG_NETDEVICES=y
- Network device support
- CONFIG_NET_CORE=y
- Network core driver support
- CONFIG_DUMMY=y
- Dummy net driver support
- CONFIG_MACVLAN=y
- MAC-VLAN support
- This allows one to create virtual interfaces that map
packets to or from specific MAC addresses to a particular
interface. Macvlan devices can be added using the "ip" command
from the iproute2 package;
- ip link add link <real interface> [ address MAC ] [ NAME ] type macvlan
- CONFIG_VXLAN=y
- Virtual eXtensible Local Area Network (VXLAN)
- CONFIG_TUN=y
- Universal TUN/TAP device driver support
- CONFIG_VETH=y
- Virtual ethernet pair device.
- CONFIG_VIRTIO_NET=y
- Virtio network driver.
- CONFIG_IPVLAN=n
- IP-VLAN support
- Requires IPv6.
Character devices
- CONFIG_DEVMEM=n
- /dev/mem virtual device support
- Do not allow direct physical memory access (but if you must have it, at least enable CONFIG_STRICT_DEVMEM mode...)
- CONFIG_TTY=y
- Enable TTY
- CONFIG_UNIX98_PTYS=y
- Unix98 PTY support
- CONFIG_LEGACY_PTYS=n
- Legacy (BSD) PTY support
- Use the modern PTY interface (devpts) only.
- Support multiple instances of devpts
- CONFIG_DEVKMEM=n
- /dev/kmem virtual device support
- Dangerous; enabling this allows direct kernel
memory writing.
Virtio drivers
- CONFIG_VIRTIO_PCI=y
- PCI driver for virtio devices
2.1.2.10 Firmware Drivers
2.1.2.11 File systems
- CONFIG_OVERLAY_FS=y
- Overlay filesystem support
- CONFIG_PROC_KCORE=n
- /proc/kcore support
- Dangerous; exposes kernel text image layout.
- CONFIG_HUGETLBFS=y
- HugeTLB file system support
- CONFIG_FUSE_FS=y
- FUSE (Filesystem in Userspace) support
2.1.2.12 Kernel hacking
- CONFIG_DEBUG_KERNEL=y
- Kernel debugging
- CONFIG_DEBUG_RODATA=y
- (prior to v4.11)
- Make sure kernel page tables have safe permissions.
- CONFIG_STRICT_KERNEL_RWX=y
- (since v4.11)
- Make sure kernel page tables have safe permissions.
- CONFIG_PANIC_ON_OOPS=y
- Panic on Oops
- This feature is useful to ensure that the kernel does not do
anything erroneous after an oops which could result in data
corruption or other issues.
- CONFIG_PANIC_TIMEOUT=-1
- Reboot devices immediately if kernel experiences an Oops.
- CONFIG_SCHED_STACK_END_CHECK=y
- Detect stack corruption on calls to schedule()
- Perform additional validation of various commonly targeted structures.
- CONFIG_DEBUG_LIST=y
- Debug linked list manipulation
- Perform additional validation of various commonly targeted structures.
- CONFIG_DEBUG_SG=y
- Debug SG table operations
- Perform additional validation of various commonly targeted structures.
- CONFIG_DEBUG_NOTIFIERS=y
- Debug notifier call chains
- Perform additional validation of various commonly
targeted structures.
- CONFIG_DEBUG_CREDENTIALS=y
- Debug credential management
- Perform additional validation of various commonly
targeted structures.
- CONFIG_STRICT_DEVMEM=y
- Filter access to /dev/mem
- Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
- CONFIG_IO_STRICT_DEVMEM=y
- Filter I/O access to /dev/mem
- Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
- CONFIG_DEBUG_WX=y
- Warn on W+X mappings at boot
- Report any dangerous memory permissions
(not available on all archs).
Compile-time checks and compiler options
- CONFIG_DEBUG_FS=y
- Debug Filesystem
Memory Debugging
- CONFIG_PAGE_POISONING=y
- Poison pages after freeing
- Wipe higher-level memory allocations when they are freed
(needs "page_poison=1" command line below).
- CONFIG_PAGE_POISONING_NO_SANITY=y
- Only poison, don't sanity check
- (If you can afford even more performance penalty,
leave CONFIG_PAGE_POISONING_NO_SANITY=n)
- CONFIG_PAGE_POISONING_ZERO=y
- Use zero for poisoning instead of random data
2.1.2.13 Security options
- CONFIG_KEYS=y
- Enable access key retention support
- CONFIG_PERSISTENT_KEYRINGS=y
- Enable register of persistent per-UID keyrings
- CONFIG_ENCRYPTED_KEYS=y
- ENCRYPTED KEYS
- CONFIG_KEY_DH_OPERATIONS=y
- Diffie-Hellman operations on retained keys
- CONFIG_SECURITY=y
- Enable different security models
- CONFIG_HARDENED_USERCOPY=y
- Harden memory copies between kernel and userspace
- Perform usercopy bounds checking.
- CONFIG_SECURITY_SELINUX=n
- NSA SELinux Support
- CONFIG_SECURITY_SELINUX_DISABLE=n
- NSA SELinux runtime disable
- If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.
- CONFIG_SECURITY_APPARMOR=y
- AppArmor support
- This enables the AppArmor security module. Required userspace
tools (if they are not included in your distribution) and further
information may be found at AppArmor
- CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
- AppArmor boot parameter default value
- CONFIG_SECURITY_YAMA=y
- Yama support
- Provide userspace with ptrace ancestry protections.
2.1.2.14 Cryptographic API
- CONFIG_CRYPTO_LRW
- Liskov Rivest Wagner, a tweakable, non malleable, non movable
narrow block cipher mode for dm-crypt.
- CONFIG_CRYPTO_RMD160=y
- CONFIG_CRYPTO_RMD256=y
- CONFIG_CRYPTO_RMD320=y
- RIPEMD 160/256/320 digest algorithm
- CONFIG_CRYPTO_SHA256=y
- SHA224 and SHA256 digest algorithm
- CONFIG_CRYPTO_SHA512=y
- SHA384 and SHA512 digest algorithms
- CONFIG_CRYPTO_WP512=y
- Whirlpool digest algorithms
- CONFIG_CRYPTO_DES3_EDE_X86_64=y
- Triple DES EDE cipher algorithm (x86-64)
- CONFIG_CRYPTO_SERPENT=y
- Serpent cipher algorithm
- CONFIG_CRYPTO_TWOFISH=y
- Twofish cipher algorithm
- CONFIG_CRYPTO_MD4
- MD4 digest algorithm
- CONFIG_CRYPTO_MD5
- MD5 digest algorithm
- CONFIG_CRYPTO_SHA1
- SHA1 digest algorithm
- CONFIG_CRYPTO_BLOWFISH
- Blowfish cipher algorithm
- CONFIG_CRYPTO_AES
- AES cipher algorithms
- CONFIG_CRYPTO_CAST5
- CAST5 (CAST-128) cipher algorithm
- CONFIG_CRYPTO_CAST6
- CAST6 (CAST-256) cipher algorithm
- CONFIG_CRYPTO_DEFLATE
- Deflate compression algorithm
2.1.2.15 Virtualization
- CONFIG_KVM=y
- Kernel-based Virtual Machine (KVM) support
- CONFIG_KVM_INTEL=y
- KVM for Intel processors support
- Provides support for KVM on Intel processors equipped with the VT extensions.
- CONFIG_KVM_AMD=y
- KVM for AMD processors support
- Provides support for KVM on AMD processors equipped with the
AMD-V (SVM) extensions.
- CONFIG_KVM_DEVICE_ASSIGNMENT=n
- KVM legacy PCI device assignment support (DEPRECATED)
- CONFIG_VHOST_NET=y
- Host kernel accelerator for virtio net
- CONFIG_VHOST_VSOCK=y
- vhost virtio-vsock driver
- CONFIG_VHOST_CROSS_ENDIAN_LEGACY=y
- Cross-endian support for vhost
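A way to check a finished .config against the hardening settings listed in sections 2.1.2.1 to 2.1.2.13, so a mistakenly flipped option is caught before the build. This is an added example, not code from the page or the kernel tree; EXPECTED holds a subset of the values from the list above and SAMPLE_CONFIG is a constructed .config fragment.

```python
# Added example (not from the page or the kernel tree): audit a .config
# against a subset of the hardening settings listed in 2.1.2.1 to 2.1.2.13.
# SAMPLE_CONFIG is a constructed fragment; feed audit() a real .config.
import re

# Expected values copied from the list above; extend as needed.
EXPECTED = {
    "CONFIG_COMPAT_BRK": "n",
    "CONFIG_SLAB_FREELIST_HARDENED": "y",
    "CONFIG_MODULE_SIG_FORCE": "y",
    "CONFIG_DEFAULT_MMAP_MIN_ADDR": "65536",
    "CONFIG_KEXEC": "n",
    "CONFIG_RANDOMIZE_BASE": "y",
    "CONFIG_DEVKMEM": "n",
    "CONFIG_STRICT_DEVMEM": "y",
    "CONFIG_SECURITY_YAMA": "y",
}

_SET = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")


def parse_config(text):
    """Map symbol -> value; '# CONFIG_X is not set' becomes 'n'."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if m := _SET.match(line):
            values[m.group(1)] = m.group(2).strip('"')
        elif m := _UNSET.match(line):
            values[m.group(1)] = "n"
    return values


def audit(text, expected=EXPECTED):
    """Return sorted (symbol, expected, actual) triples for every mismatch.
    A symbol absent from .config is reported as 'missing': it is either not
    offered by this kernel version or hidden by an unmet dependency."""
    values = parse_config(text)
    return sorted((sym, want, values.get(sym, "missing"))
                  for sym, want in expected.items()
                  if values.get(sym, "missing") != want)


# Constructed fragment with three deliberate deviations from the list.
SAMPLE_CONFIG = """\
CONFIG_COMPAT_BRK=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
# CONFIG_KEXEC is not set
CONFIG_RANDOMIZE_BASE=y
# CONFIG_DEVKMEM is not set
CONFIG_STRICT_DEVMEM=y
"""

if __name__ == "__main__":
    for sym, want, got in audit(SAMPLE_CONFIG):
        print(f"{sym}: expected {want}, found {got}")
```

Run it against the real file with audit(open(".config").read()) from the kernel source directory; a "missing" result usually means a dependency such as CONFIG_SECURITY is unmet, not that the option was declined.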
2.1.2.16 Library routines
2.1.3. Build
Make targets;
Other generic targets:
all - Build all targets marked with [*]
* vmlinux - Build the bare kernel
* modules - Build all modules
Documentation targets:
Linux kernel internal documentation in different formats (Sphinx):
htmldocs - HTML
latexdocs - LaTeX
pdfdocs - PDF
epubdocs - EPUB
xmldocs - XML
cleandocs - clean all generated files
make SPHINXDIRS="s1 s2" [target] Generate only docs of folder s1, s2
valid values for SPHINXDIRS are: development-process media gpu 80211
make SPHINX_CONF={conf-file} [target] use *additional* sphinx-build
configuration. This is e.g. useful to build with nit-picking config.
Linux kernel internal documentation in different formats (DocBook):
htmldocs - HTML
pdfdocs - PDF
psdocs - Postscript
xmldocs - XML DocBook
mandocs - man pages
installmandocs - install man pages generated by mandocs
cleandocs - clean all generated DocBook files
Architecture specific targets (x86):
* bzImage - Compressed kernel image (arch/x86/boot/bzImage)
install - Install kernel using
(your) ~/bin/installkernel or
(distribution) /sbin/installkernel or
install to $(INSTALL_PATH) and run lilo
fdimage - Create 1.4MB boot floppy image (arch/x86/boot/fdimage)
fdimage144 - Create 1.4MB boot floppy image (arch/x86/boot/fdimage)
fdimage288 - Create 2.8MB boot floppy image (arch/x86/boot/fdimage)
isoimage - Create a boot CD-ROM image (arch/x86/boot/image.iso)
bzdisk/fdimage*/isoimage also accept:
FDARGS="..." arguments for the booted kernel
FDINITRD=file initrd for the booted kernel
i386_defconfig - Build for i386
x86_64_defconfig - Build for x86_64
make V=0|1 [targets] 0 => quiet build (default), 1 => verbose build
make V=2 [targets] 2 => give reason for rebuild of target
make O=dir [targets] Locate all output files in "dir", including .config
make C=1 [targets] Check all c source with $CHECK (sparse by default)
make C=2 [targets] Force check of all c source with $CHECK
make RECORDMCOUNT_WARN=1 [targets] Warn about ignored mcount sections
make W=n [targets] Enable extra gcc checks, n=1,2,3 where
1: warnings which may be relevant and do not occur too often
2: warnings which occur quite often but may still be relevant
3: more obscure warnings, can most likely be ignored
Multiple levels can be combined with W=12 or W=123
$ make -j $(nproc) bzImage modules
2.1.5. Install
modules_install - Install all modules to INSTALL_MOD_PATH (default: /)
firmware_install- Install all firmware to INSTALL_FW_PATH
(default: $(INSTALL_MOD_PATH)/lib/firmware)
modules_prepare - Set up for building external modules
headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH
(default: ./usr)
$ sudo make modules_install
$ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.9.86-gnu
$ sudo cp System.map /boot/System.map-4.9.86-gnu
Update grub;
# grub-mkconfig -o /boot/grub/grub.cfg
2.1.6. Remove
$ sudo rm -r /lib/modules/4.9.86-gnu
$ sudo rm /boot/vmlinuz-4.9.86-gnu
$ sudo rm /boot/System.map-4.9.86-gnu
This is part of the Hive System Documentation.
Copyright (C) 2018
Hive Team.
See the file Gnu Free Documentation License
for copying conditions.