<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<meta charset='utf-8'>
<title>2.1. Kernel Linux</title>
</head>
<body>
<a href="index.html">Core OS Index</a>
<h1 id="kernel">2.1. Kernel Linux</h1>
<p>Linux is a monolithic kernel, and a big one! Visit
<a href="http://www.fsfla.org/ikiwiki/selibre/linux-libre/">Linux Libre</a>
and
<a href="https://www.kernel.org/">Linux Non-Libre</a> pages for more links
and information.</p>
<p>Spectre-meltdown checker;</p>
<pre>
https://github.com/speed47/spectre-meltdown-checker/
</pre>
<h2 id="download">2.1.1. Download Linux Libre</h2>
<p>Download Linux Source from
<a href="http://linux-libre.fsfla.org/pub/linux-libre/releases/">linux libre</a>,
or using the port system;</p>
<pre>
$ mkdir ~/kernel
$ cd ~/kernel
$ cd linux-4.9.86/
</pre>
<p>The graysky2 <a href="https://github.com/graysky2/kernel_gcc_patch/">kernel_gcc_patch</a> (<a href="https://github.com/graysky2/kernel_gcc_patch/archive/master.zip">master.zip</a>)
adds more CPU options (FLAGS) to the kernel's GCC configuration for native builds.
Check <a href="ports/linux-gnu/Pkgfile">Pkgfile</a>
for instructions on how the linux-gnu port is built.</p>
<p>Check version on Makefile;</p>
<pre>
VERSION = 4
PATCHLEVEL = 9
SUBLEVEL = 86
EXTRAVERSION = -gnu
NAME = Roaring Lionus
</pre>
<p>Edit the cpu optimization patch, changing;</p>
<pre>
depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
</pre>
<p>to;</p>
<pre>
depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
</pre>
<p>Apply additional cpu optimizations patch;</p>
<pre>
$ patch -p1 < ../enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
</pre>
<p>Cleaning targets:</p>
<pre>
clean - Remove most generated files but keep the config and
enough build support to build external modules
mrproper - Remove all generated files + config + various backup files
distclean - mrproper + remove editor backup and patch files
</pre>
<p>Prepare sources for configuration;</p>
<pre>
$ make distclean
</pre>
<h2 id="configure">2.1.2. Configure</h2>
<p>The linux-gnu port comes with a default configuration file that is
a good starting point for tuning the kernel to your needs. To
automatically configure the kernel with support for your hardware,
based on the modules loaded by the currently running kernel, run;</p>
<pre>
$ make localmodconfig
</pre>
<p>To get more information about the hardware, for example
which graphics module (driver) is in use, run as root;</p>
<pre>
# lspci -nnk | grep -i vga -A3 | grep 'in use'
Kernel driver in use: i915
</pre>
<p>Make configuration targets;</p>
<pre>
config - Update current config utilising a line-oriented program
nconfig - Update current config utilising a ncurses menu based program
menuconfig - Update current config utilising a menu based program
xconfig - Update current config utilising a Qt based front-end
gconfig - Update current config utilising a GTK+ based front-end
oldconfig - Update current config utilising a provided .config as base
localmodconfig - Update current config disabling modules not loaded
localyesconfig - Update current config converting local mods to core
silentoldconfig - Same as oldconfig, but quietly, additionally update deps
defconfig - New config with default from ARCH supplied defconfig
savedefconfig - Save current config as ./defconfig (minimal config)
allnoconfig - New config where all options are answered with no
allyesconfig - New config where all options are accepted with yes
allmodconfig - New config selecting modules when possible
alldefconfig - New config with all symbols set to default
randconfig - New config with random answer to all options
listnewconfig - List new options
olddefconfig - Same as silentoldconfig but sets new symbols to their default value
kvmconfig - Enable additional options for kvm guest kernel support
xenconfig - Enable additional options for xen dom0 and guest kernel support
tinyconfig - Configure the tiniest possible kernel
</pre>
<p>The following configuration tries to be generic about hardware
support while addressing the requirements of applications such as
qemu, docker, etc. For more information about hardening options read
<a href="https://kernsec.org">kernsec.org</a>. Configure the kernel
using ncurses;</p>
<pre>
$ make nconfig
</pre>
<pre>
CONFIG_BUG_ON_DATA_CORRUPTION=y
# Perform extensive checks on reference counting.
CONFIG_REFCOUNT_FULL=y
# Check for memory copies that might overflow a structure in str*() and mem*() functions both at build-time and run-time.
CONFIG_FORTIFY_SOURCE=y
</pre>
<h3 id="general">2.1.2.1 General Setup</h3>
<dl>
<dt>CONFIG_POSIX_MQUEUE=y</dt>
<dd>POSIX Message Queues</dd>
<dt>CONFIG_VMAP_STACK=y</dt>
<dd>Use a virtually-mapped stack</dd>
<dd>Adds guard pages to kernel stacks (not all architectures
support this yet).</dd>
<dt>CONFIG_CGROUPS=y</dt>
<dd>Control Group support</dd>
<dt>CONFIG_MEMCG=y</dt>
<dd>Memory controller</dd>
<dt>CONFIG_MEMCG_SWAP=y</dt>
<dd>Swap controller</dd>
<dt>CONFIG_MEMCG_SWAP_ENABLED=y</dt>
<dd>Swap controller enabled by default</dd>
<dt>CONFIG_BLK_CGROUP=y</dt>
<dd>IO controller</dd>
<dt>CGROUP_SCHED=y</dt>
<dd>CPU controller</dd>
<dt>FAIR_GROUP_SCHED=y</dt>
<dd>Group scheduling for SCHED_OTHER</dd>
<dt>CONFIG_CFS_BANDWIDTH=y</dt>
<dd>CPU bandwidth provisioning for FAIR_GROUP_SCHED</dd>
<dt>CONFIG_RT_GROUP_SCHED=y</dt>
<dd>Group scheduling for SCHED_RR/FIFO</dd>
<dt>CONFIG_CGROUP_PIDS=y</dt>
<dd>PIDs controller</dd>
<dd>Freezer controller</dd>
<dd>HugeTLB controller</dd>
<dd>Cpuset controller</dd>
<dd>Include legacy /proc/&lt;pid&gt;/cpuset file</dd>
<dd>Device controller</dd>
<dd>Simple CPU accounting controller</dd>
<dd>Perf controller</dd>
</dl>
<h4>Namespaces support</h4>
<dl>
<dd>UTS namespace</dd>
<dd>IPC namespace</dd>
<dd>User namespace</dd>
<dd>PID Namespaces</dd>
<dd>Network namespace</dd>
</dl>
<dl>
<dt>CONFIG_COMPAT_BRK=n</dt>
<dd>Disable heap randomization</dd>
<dd>Dangerous; enabling this disables brk ASLR.</dd>
<dt>CONFIG_SLAB_FREELIST_RANDOM=y</dt>
<dd>Randomize allocator freelists, harden metadata.</dd>
<dt>CONFIG_SLAB_FREELIST_HARDENED=y</dt>
<dd>Randomize allocator freelists, harden metadata.</dd>
<dt>CONFIG_SLUB_DEBUG=y</dt>
<dd>Enable SLUB debugging support</dd>
<dd>Allow allocator validation checking to be enabled
(see "slub_debug=P" below).</dd>
<dt>CONFIG_CC_STACKPROTECTOR=y</dt>
<dd>Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.</dd>
<dt>CONFIG_CC_STACKPROTECTOR_STRONG=y</dt>
<dd>Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.</dd>
</dl>
<h3 id="mod">2.1.2.2 Enable loadable module support</h3>
<dl>
<dt>CONFIG_MODULES=y</dt>
<dd>Enable loadable module support</dd>
<dd>Keep root from altering kernel memory via loadable modules:
set CONFIG_MODULES=n.</dd>
<dd>But if CONFIG_MODULES=y is needed, at least modules must be
signed with a per-build key.</dd>
<dt>CONFIG_DEBUG_SET_MODULE_RONX=y</dt>
<dd>(prior to v4.11)</dd>
<dt>CONFIG_STRICT_MODULE_RWX=y</dt>
<dd>(since v4.11)</dd>
<dt>CONFIG_MODULE_SIG=y</dt>
<dd>Module signature verification</dd>
<dt>CONFIG_MODULE_SIG_FORCE=y</dt>
<dd>Require modules to be validly signed</dd>
<dt>CONFIG_MODULE_SIG_ALL=y</dt>
<dd>Automatically sign all modules</dd>
<dt>CONFIG_MODULE_SIG_SHA512=y</dt>
<dd>Sign modules with SHA-512</dd>
</dl>
<h3 id="block">2.1.2.3 Enable the block layer</h3>
<dl>
<dt>BLK_DEV_THROTTLING=y</dt>
<dd>Block layer bio throttling support</dd>
<dt>IOSCHED_CFQ=y</dt>
<dd>CFQ IO scheduler</dd>
<dt>CONFIG_CFQ_GROUP_IOSCHED=y</dt>
<dd>CFQ Group Scheduling support</dd>
</dl>
<h3 id="proc">2.1.2.4 Processor type and features</h3>
<dl>
<dt>CONFIG_DEFAULT_MMAP_MIN_ADDR=65536</dt>
<dd>Low address space to protect from user allocation</dd>
<dd>Disallow allocating the first 64k of memory.</dd>
<dt>X86_VSYSCALL_EMULATION=n</dt>
<dd>Enable vsyscall emulation</dd>
<dd>Required by programs from before 2013; some programs may
still require it.</dd>
<dd>Remove additional attack surface, unless you really
need them.</dd>
<dt>CONFIG_SECCOMP=y</dt>
<dd>Enable seccomp to safely compute untrusted bytecode</dd>
<dd>Provide userspace with seccomp BPF API for syscall attack surface reduction.</dd>
<dt>CONFIG_SECCOMP_FILTER=y</dt>
<dd>Provide userspace with seccomp BPF API for syscall attack surface reduction.</dd>
<dt>CONFIG_KEXEC=n</dt>
<dd>kexec system call</dd>
<dd>Dangerous; enabling this allows replacement
of running kernel.</dd>
<dt>CONFIG_RANDOMIZE_BASE=y</dt>
<dd>Randomize the address of the kernel image (KASLR)</dd>
<dt>CONFIG_RANDOMIZE_MEMORY=y</dt>
<dd>Randomize the kernel memory sections</dd>
<dt>CONFIG_LEGACY_VSYSCALL_NONE=y</dt>
<dd>vsyscall table for legacy applications (None)</dd>
<dd>Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.</dd>
<dt>CONFIG_COMPAT_VDSO=n</dt>
<dd>Disable the 32-bit vDSO (needed for glibc 2.3.3)</dd>
<dd>Dangerous; enabling this disables VDSO ASLR.</dd>
<dt>CONFIG_MODIFY_LDT_SYSCALL=n</dt>
<dd>Enable the LDT (local descriptor table)</dd>
<dd>Remove additional attack surface, unless you really need them.</dd>
</dl>
<h3 id="acpi">2.1.2.5 Power management and ACPI options</h3>
<dl>
<dt>CONFIG_HIBERNATION=n</dt>
<dd>Hibernation (aka 'suspend to disk')</dd>
<dd>Dangerous; enabling this allows replacement of running
kernel.</dd>
<dt>CONFIG_ACPI_CUSTOM_METHOD=n</dt>
<dd>Allow ACPI methods to be inserted/replaced at run time</dd>
<dd>Dangerous; enabling this allows direct physical
memory writing.</dd>
</dl>
<h3 id="bus">2.1.2.6 Bus options (PCI etc.)</h3>
<h3 id="exec">2.1.2.7 Executable file formats / Emulations</h3>
<dl>
<dt>CONFIG_BINFMT_MISC=n</dt>
<dd>Kernel support for MISC binaries</dd>
<dd>Easily confused by misconfigured userspace, keep off.</dd>
<dt>CONFIG_IA32_EMULATION</dt>
<dd>Remove additional attack surface, unless you really need them.</dd>
<dt>CONFIG_X86_X32</dt>
<dd>Remove additional attack surface, unless you really need them.</dd>
</dl>
<h3 id="net">2.1.2.8 Networking support</h3>
<h4>Networking options</h4>
<dl>
<dt>CONFIG_INET_DIAG=m</dt>
<dd>INET: socket monitoring interface</dd>
<dd>Support for INET (TCP, DCCP, etc) socket monitoring
interface used by native Linux tools such as ss. ss is
included in iproute2</dd>
<dd>Prior to v4.1, assists heap memory attacks;
best to keep interface disabled.</dd>
<dt>CONFIG_BRIDGE=y</dt>
<dd>802.1d Ethernet Bridging</dd>
<dt>CONFIG_NET_SCHED=y</dt>
<dd>QoS and/or fair queueing</dd>
<dt>CONFIG_NET_CLS_CGROUP=y</dt>
<dd>Control Group Classifier</dd>
<dt>CONFIG_VSOCKETS=y</dt>
<dd>Virtual Socket protocol</dd>
<dt>CONFIG_VIRTIO_VSOCKETS=y</dt>
<dd>virtio transport for Virtual Sockets</dd>
<dt>CONFIG_NET_L3_MASTER_DEV=y</dt>
<dd>L3 Master device support</dd>
<dt>CONFIG_CGROUP_NET_PRIO=y</dt>
<dd>Network priority cgroup</dd>
<dt>CGROUP_NET_CLASSID=y</dt>
<dd>Network classid cgroup</dd>
</dl>
<dl>
<dt>CONFIG_NETFILTER=y</dt>
<dd>Network packet filtering framework (Netfilter)</dd>
<dt>CONFIG_NETFILTER_ADVANCED=y</dt>
<dd>Advanced netfilter configuration</dd>
<dt>BRIDGE_NETFILTER=y</dt>
<dd>Bridged IP/ARP packets filtering</dd>
<dt>NF_CONNTRACK=y</dt>
<dd>Netfilter connection tracking support</dd>
<dt>NETFILTER_XT_MATCH_ADDRTYPE=y</dt>
<dd>"addrtype" address type match support</dd>
<dt>NETFILTER_XT_MATCH_CONNTRACK=y</dt>
<dd>"conntrack" connection tracking match support</dd>
<dt>CONFIG_NETFILTER_XT_MATCH_IPVS=y</dt>
<dd>"ipvs" match support</dd>
<dt>CONFIG_IP_VS=y</dt>
<dd>IP virtual server support</dd>
<dt>IP_VS_PROTO_TCP=y</dt>
<dd>TCP load balancing support</dd>
<dt>IP_VS_PROTO_UDP=y</dt>
<dd>UDP load balancing support</dd>
<dt>IP_VS_RR=y</dt>
<dd>round-robin scheduling</dd>
<dt>IP_VS_NFCT=y</dt>
<dd>Netfilter connection tracking</dd>
<dt>CONFIG_NF_CONNTRACK_IPV4=y</dt>
<dd>IPv4 connection tracking support (required for NAT)</dd>
<dt>NF_NAT_IPV4=y</dt>
<dd>IPv4 NAT</dd>
<dt>NF_NAT_MASQUERADE_IPV4=y</dt>
<dd>IPv4 masquerade support</dd>
<dt>IP_NF_IPTABLES=y</dt>
<dd>IP tables support (required for filtering/masq/NAT)</dd>
<dt>IP_NF_FILTER=y</dt>
<dd>Packet filtering</dd>
<dt>CONFIG_IP_NF_NAT=y</dt>
<dd>iptables NAT support</dd>
<dt>IP_NF_TARGET_MASQUERADE=y</dt>
<dd>MASQUERADE target support</dd>
<dt>IP_NF_TARGET_NETMAP=y</dt>
<dd>NETMAP target support</dd>
<dt>IP_NF_TARGET_REDIRECT=y</dt>
<dd>REDIRECT target support</dd>
<dt>CONFIG_SYN_COOKIES=y</dt>
<dd>IP: TCP syncookie support</dd>
<dd>Provides some protections against SYN flooding.</dd>
</dl>
<h3 id="drivers">2.1.2.9 Device Drivers</h3>
<h4>Multiple devices driver support (RAID and LVM)</h4>
<dl>
<dt>CONFIG_MD=y</dt>
<dd>Multiple devices driver support (RAID and LVM)</dd>
<dt>CONFIG_BLK_DEV_DM=y</dt>
<dd>Device mapper support</dd>
<dt>DM_THIN_PROVISIONING=y</dt>
<dd>Thin provisioning target</dd>
</dl>
<h4>Network device support</h4>
<dl>
<dt>CONFIG_NETDEVICES=y</dt>
<dd>Network device support</dd>
<dt>NET_CORE=y</dt>
<dd>Network core driver support</dd>
<dt>CONFIG_DUMMY=y</dt>
<dd>Dummy net driver support</dd>
<dt>CONFIG_MACVLAN=y</dt>
<dd>MAC-VLAN support</dd>
<dd>This allows one to create virtual interfaces that map
packets to or from specific MAC addresses to a particular
interface. Macvlan devices can be added using the "ip" command
from the iproute2 package;</dd>
<dd>ip link add link &lt;real dev&gt; [ address MAC ] [ NAME ] type macvlan</dd>
<dt>CONFIG_VXLAN=y</dt>
<dd>Virtual eXtensible Local Area Network (VXLAN)</dd>
<dt>CONFIG_TUN=y</dt>
<dd>Universal TUN/TAP device driver support</dd>
<dt>CONFIG_VETH=y</dt>
<dd>Virtual ethernet pair device</dd>
<dt>IPVLAN=n</dt>
<dd>IP-VLAN support</dd>
<dd>Requires ipv6</dd>
</dl>
<h4>Character devices</h4>
<dl>
<dt>CONFIG_DEVMEM=n</dt>
<dd>/dev/mem virtual device support</dd>
<dd>Do not allow direct physical memory access (but if you must have it, at least enable CONFIG_STRICT_DEVMEM mode...)</dd>
<dd>Enable TTY</dd>
<dd>Unix98 PTY support</dd>
<dt>CONFIG_LEGACY_PTYS=n</dt>
<dd>Legacy (BSD) PTY support</dd>
<dd>Use the modern PTY interface (devpts) only.</dd>
<dd>Support multiple instances of devpts</dd>
<dt>CONFIG_DEVKMEM=n</dt>
<dd>/dev/kmem virtual device support</dd>
<dd>Dangerous; enabling this allows direct kernel
memory writing.</dd>
</dl>
<h3 id="firm">2.1.2.10 Firmware Drivers</h3>
<h3 id="fs">2.1.2.11 File systems</h3>
<dl>
<dd>Overlay filesystem support</dd>
<dt>CONFIG_PROC_KCORE=n</dt>
<dd>/proc/kcore support</dd>
<dd>Dangerous; exposes kernel text image layout.</dd>
<dd>HugeTLB file system support</dd>
</dl>
<h3 id="hack">2.1.2.12 Kernel hacking</h3>
<dl>
<dt>CONFIG_DEBUG=y</dt>
<dt>CONFIG_DEBUG_RODATA=y</dt>
<dt>CONFIG_DEBUG_KERNEL=y</dt>
<dd>Kernel debugging</dd>
<dd>Make sure kernel page tables have safe permissions.</dd>
<dt>CONFIG_STRICT_KERNEL_RWX=y</dt>
<dd>since v4.11</dd>
<dd>Make sure kernel page tables have safe permissions.</dd>
<dt>CONFIG_PANIC_ON_OOPS=y</dt>
<dd>Panic on Oops</dd>
<dd>This feature is useful to ensure that the kernel does not do
anything erroneous after an oops which could result in data
corruption or other issues.</dd>
<dt>CONFIG_PANIC_TIMEOUT=-1</dt>
<dd>Reboot devices immediately if kernel experiences an Oops.</dd>
<dt>CONFIG_SCHED_STACK_END_CHECK=y</dt>
<dd>Detect stack corruption on calls to schedule()</dd>
<dd>Perform additional validation of various commonly targeted structures.</dd>
<dt>CONFIG_DEBUG_LIST=y</dt>
<dd>Debug linked list manipulation</dd>
<dd>Perform additional validation of various commonly targeted structures.</dd>
<dt>CONFIG_DEBUG_SG=y</dt>
<dd>Debug SG table operations</dd>
<dd>Perform additional validation of various commonly targeted structures.</dd>
<dt>CONFIG_DEBUG_NOTIFIERS=y</dt>
<dd>Debug notifier call chains</dd>
<dd>Perform additional validation of various commonly
targeted structures.</dd>
<dt>CONFIG_DEBUG_CREDENTIALS=y</dt>
<dd>Debug credential management</dd>
<dd>Perform additional validation of various commonly
targeted structures.</dd>
<dt>CONFIG_STRICT_DEVMEM=y</dt>
<dd>Filter access to /dev/mem</dd>
<dd>Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)</dd>
<dt>CONFIG_IO_STRICT_DEVMEM=y</dt>
<dd>Filter I/O access to /dev/mem</dd>
<dd>Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)</dd>
<dt>CONFIG_DEBUG_WX=y</dt>
<dd>Warn on W+X mappings at boot</dd>
<dd>Report any dangerous memory permissions
(not available on all archs).</dd>
</dl>
<h4>Compile-time checks and compiler options</h4>
<dl>
<dt>CONFIG_DEBUG_FS=y</dt>
<dd>Debug Filesystem</dd>
</dl>
<h4>Memory Debugging</h4>
<dl>
<dt>CONFIG_PAGE_POISONING=y</dt>
<dd>Poison pages after freeing</dd>
<dd>Wipe higher-level memory allocations when they are freed
(needs "page_poison=1" command line below).</dd>
<dt>CONFIG_PAGE_POISONING_NO_SANITY=y</dt>
<dd>Only poison, don't sanity check</dd>
<dd>(If you can afford even more performance penalty,
leave CONFIG_PAGE_POISONING_NO_SANITY=n)</dd>
<dt>CONFIG_PAGE_POISONING_ZERO=y</dt>
<dd>Use zero for poisoning instead of random data</dd>
</dl>
<h3 id="sec">2.1.2.13 Security options</h3>
<dl>
<dd>Enable access key retention support</dd>
<dd>Enable register of persistent per-UID keyrings</dd>
<dd>ENCRYPTED KEYS</dd>
<dd>Diffie-Hellman operations on retained keys</dd>
<dt>CONFIG_SECURITY=y</dt>
<dd>Enable different security models</dd>
<dd>Provide userspace with ptrace ancestry protections.</dd>
<dt>CONFIG_HARDENED_USERCOPY=y</dt>
<dd>Harden memory copies between kernel and userspace</dd>
<dd>Perform usercopy bounds checking.</dd>
<dt>SECURITY_SELINUX=n</dt>
<dd>NSA SELinux Support</dd>
<dt>CONFIG_SECURITY_SELINUX_DISABLE=n</dt>
<dd>NSA SELinux runtime disable</dd>
<dd>If SELinux can be disabled at runtime, the LSM structures cannot be read-only; keep off.</dd>
<dt>CONFIG_SECURITY_APPARMOR=y</dt>
<dd>AppArmor support</dd>
<dd>This enables the AppArmor security module. Required userspace
tools (if they are not included in your distribution) and further
information may be found at <a href="apparmor.html">AppArmor</a></dd>
<dt>CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1</dt>
<dd>AppArmor boot parameter default value</dd>
<dt>CONFIG_SECURITY_YAMA=y</dt>
<dd>Yama support</dd>
<dd>Provide userspace with ptrace ancestry protections.</dd>
</dl>
<h3 id="crypt">2.1.2.14 Cryptographic API</h3>
<h3 id="virt">2.1.2.15 Virtualization</h3>
<dl>
<dt>CONFIG_KVM=y</dt>
<dd>Kernel-based Virtual Machine (KVM) support</dd>
<dt>CONFIG_KVM_INTEL=y</dt>
<dd>KVM for Intel processors support</dd>
<dd>Provides support for KVM on Intel processors equipped with the VT extensions.</dd>
<dt>CONFIG_KVM_AMD=y</dt>
<dd>KVM for AMD processors support</dd>
<dd>Provides support for KVM on AMD processors equipped with the
AMD-V (SVM) extensions.</dd>
<dt>CONFIG_KVM_DEVICE_ASSIGNMENT=n</dt>
<dd>KVM legacy PCI device assignment support (DEPRECATED)</dd>
<dt>CONFIG_VHOST_NET=y</dt>
<dd>Host kernel accelerator for virtio net</dd>
<dt>CONFIG_VHOST_VSOCK=y</dt>
<dd>vhost virtio-vsock driver</dd>
<dt>CONFIG_VHOST_CROSS_ENDIAN_LEGACY=y</dt>
<dd>Cross-endian support for vhost</dd>
</dl>
<h3 id="lib">2.1.2.16 Library routines</h3>
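<p>As an added example (not part of the c9-doc manual or of the kernel tree), the following Python script audits a kernel source tree's .config against a subset of the hardening values listed in the configuration sections above, reading VERSION/PATCHLEVEL/SUBLEVEL from the Makefile as shown in 2.1.1 so that it expects the pre-v4.11 or the since-v4.11 option names as appropriate. The EXPECTED table, the helper names and the sample Makefile and .config contents are the example's own constructed input; a hypothetical deviation is planted in the sample so the audit has something to report.</p>

```python
import re
# Hardening settings this page recommends (a subset), option -> expected value.
# "n" is satisfied by "# CONFIG_X is not set" or by the option being absent.
EXPECTED = {
    "CONFIG_FORTIFY_SOURCE": "y",
    "CONFIG_COMPAT_BRK": "n",
    "CONFIG_CC_STACKPROTECTOR_STRONG": "y",
    "CONFIG_MODULE_SIG_FORCE": "y",
    "CONFIG_DEFAULT_MMAP_MIN_ADDR": "65536",
    "CONFIG_KEXEC": "n",
    "CONFIG_RANDOMIZE_BASE": "y",
    "CONFIG_DEVMEM": "n",
    "CONFIG_DEVKMEM": "n",
    "CONFIG_PANIC_ON_OOPS": "y",
    "CONFIG_PANIC_TIMEOUT": "-1",
    "CONFIG_HARDENED_USERCOPY": "y",
}
# Options the page lists under two names: (name before v4.11, name since v4.11).
RENAMED_IN_4_11 = [
    ("CONFIG_DEBUG_SET_MODULE_RONX", "CONFIG_STRICT_MODULE_RWX"),
    ("CONFIG_DEBUG_RODATA", "CONFIG_STRICT_KERNEL_RWX"),
]


def kernel_version(makefile_text):
    """Read (VERSION, PATCHLEVEL, SUBLEVEL) from the top-level Makefile."""
    found = dict(re.findall(r"^(VERSION|PATCHLEVEL|SUBLEVEL)\s*=\s*(\d+)\s*$",
                            makefile_text, re.M))
    return tuple(int(found[key]) for key in ("VERSION", "PATCHLEVEL", "SUBLEVEL"))


def parse_config(config_text):
    """Map option names to values; '# CONFIG_X is not set' lines become 'n'."""
    values = {}
    for line in config_text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            values[m.group(1)] = m.group(2).strip('"')
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            values[m.group(1)] = "n"
    return values


def expected_for(version):
    """EXPECTED plus the version-appropriate spelling of the renamed options."""
    want = dict(EXPECTED)
    for old, new in RENAMED_IN_4_11:
        want[new if version >= (4, 11, 0) else old] = "y"
    return want


def audit(config_text, makefile_text):
    """Return sorted (option, expected, actual) triples for every deviation."""
    values = parse_config(config_text)
    version = kernel_version(makefile_text)
    return sorted((opt, want, values.get(opt, "n"))
                  for opt, want in expected_for(version).items()
                  if values.get(opt, "n") != want)


# Constructed sample input: the 4.9.86 Makefile header shown on this page and a
# partial .config with two deliberate deviations (kexec on, panic-on-oops absent).
SAMPLE_MAKEFILE = "VERSION = 4\nPATCHLEVEL = 9\nSUBLEVEL = 86\nEXTRAVERSION = -gnu\n"
SAMPLE_CONFIG = """\
CONFIG_FORTIFY_SOURCE=y
# CONFIG_COMPAT_BRK is not set
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
CONFIG_KEXEC=y
CONFIG_RANDOMIZE_BASE=y
# CONFIG_DEVMEM is not set
CONFIG_PANIC_TIMEOUT=-1
CONFIG_HARDENED_USERCOPY=y
CONFIG_DEBUG_SET_MODULE_RONX=y
CONFIG_DEBUG_RODATA=y
"""

if __name__ == "__main__":
    for opt, want, got in audit(SAMPLE_CONFIG, SAMPLE_MAKEFILE):
        print(f"{opt}: expected {want}, found {got}")
```

On a real tree, pass the contents of its Makefile and .config to audit(); an option missing from .config is reported as off, which is how Kconfig records disabled symbols.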
<h2 id="build">2.1.3. Build</h2>
<p>Make targets;</p>
<pre>
Other generic targets:
all - Build all targets marked with [*]
* vmlinux - Build the bare kernel
* modules - Build all modules
(default: ./usr)
Documentation targets:
Linux kernel internal documentation in different formats (Sphinx):
htmldocs - HTML
latexdocs - LaTeX
pdfdocs - PDF
epubdocs - EPUB
xmldocs - XML
cleandocs - clean all generated files
make SPHINXDIRS="s1 s2" [target] Generate only docs of folder s1, s2
valid values for SPHINXDIRS are: development-process media gpu 80211
make SPHINX_CONF={conf-file} [target] use *additional* sphinx-build
configuration. This is e.g. useful to build with nit-picking config.
Linux kernel internal documentation in different formats (DocBook):
htmldocs - HTML
pdfdocs - PDF
psdocs - Postscript
xmldocs - XML DocBook
mandocs - man pages
installmandocs - install man pages generated by mandocs
cleandocs - clean all generated DocBook files
Architecture specific targets (x86):
* bzImage - Compressed kernel image (arch/x86/boot/bzImage)
install - Install kernel using
(your) ~/bin/installkernel or
(distribution) /sbin/installkernel or
install to $(INSTALL_PATH) and run lilo
fdimage - Create 1.4MB boot floppy image (arch/x86/boot/fdimage)
fdimage144 - Create 1.4MB boot floppy image (arch/x86/boot/fdimage)
fdimage288 - Create 2.8MB boot floppy image (arch/x86/boot/fdimage)
isoimage - Create a boot CD-ROM image (arch/x86/boot/image.iso)
bzdisk/fdimage*/isoimage also accept:
FDARGS="..." arguments for the booted kernel
FDINITRD=file initrd for the booted kernel
i386_defconfig - Build for i386
x86_64_defconfig - Build for x86_64
make V=0|1 [targets] 0 => quiet build (default), 1 => verbose build
make V=2 [targets] 2 => give reason for rebuild of target
make O=dir [targets] Locate all output files in "dir", including .config
make C=1 [targets] Check all c source with $CHECK (sparse by default)
make C=2 [targets] Force check of all c source with $CHECK
make RECORDMCOUNT_WARN=1 [targets] Warn about ignored mcount sections
make W=n [targets] Enable extra gcc checks, n=1,2,3 where
1: warnings which may be relevant and do not occur too often
2: warnings which occur quite often but may still be relevant
3: more obscure warnings, can most likely be ignored
Multiple levels can be combined with W=12 or W=123
</pre>
<pre>
$ make -j $(nproc) bzImage modules
</pre>
<h2 id="install">2.1.5. Install</h2>
<pre>
modules_install - Install all modules to INSTALL_MOD_PATH (default: /)
firmware_install- Install all firmware to INSTALL_FW_PATH
(default: $(INSTALL_MOD_PATH)/lib/firmware)
modules_prepare - Set up for building external modules
headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH
</pre>
<pre>
$ sudo make modules_install
$ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.9.86-gnu
$ sudo cp System.map /boot/System.map-4.9.86-gnu
</pre>
<p>Update grub;</p>
<pre>
# grub-mkconfig -o /boot/grub/grub.cfg
</pre>
<h2 id="remove">2.1.6. Remove</h2>
<pre>
$ sudo rm -r /lib/modules/4.9.86-gnu
$ sudo rm /boot/vmlinuz-4.9.86-gnu
$ sudo rm /boot/System.map-4.9.86-gnu
</pre>
<a href="index.html">Core OS Index</a>
<p>This is part of the c9-doc Manual.
Copyright (C) 2018
c9 team.
See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
for copying conditions.</p>
</body>
</html>