-rw-r--r--  chapter10/kernel.xml  448
1 files changed, 220 insertions, 228 deletions
diff --git a/chapter10/kernel.xml b/chapter10/kernel.xml index 7c64e0983..159394aa0 100644 --- a/chapter10/kernel.xml +++ b/chapter10/kernel.xml 
@@ -96,242 +96,234 @@ information about configuring and building the kernel can be found at <ulink url="http://www.kroah.com/lkn/"/> </para> - <caution> - <para>A good starting place for setting up the kernel configuration is to - run <command>make defconfig</command>. This will set the base - configuration to a good state that takes your current system architecture - into account.</para> - - <para>Do not disable any option enabled by <command>make - defconfig</command> unless the following note explicitly makes it - disabled or you really know what you are doing.</para> - </caution> + <para> + Set up a minimal base configuration: + </para> + + <screen role="nodump"><userinput>cat > lfs.config << EOF<literal> +# Many packages expect SysV IPC or POSIX message queue +CONFIG_SYSVIPC=y +CONFIG_POSIX_MQUEUE=y + +# Mainstream x86 system contains multiple CPU cores. This is needed to use +# all the cores. +CONFIG_SMP=y + +# Many packages expect the basic network functionality is available, even +# if the system has no NIC at all. +CONFIG_NET=y +CONFIG_PACKET=y +CONFIG_UNIX=y +CONFIG_INET=y +CONFIG_IPV6=y + +# Mainstream x86 system use PCIe as the system bus for peripherals. +CONFIG_PCI=y +CONFIG_PCIEPORTBUS=y + +# Enable devtmpfs which is necessary for udev, and mount it at early boot +# stage so we don't need to create static device nodes in /dev. +CONFIG_DEVTMPFS=y +CONFIG_DEVTMPFS_MOUNT=y + +# LFS uses ext4 file system. Don't set it to m or you'll need an initramfs. +# Also Enable Access Control List feature needed by the Acl package. +CONFIG_EXT4_FS=y +CONFIG_EXT4_FS_POSIX_ACL=y + +# Allow to execute ELF executables and scripts. All executables in a LFS +# system are either ELF or a script. +CONFIG_BINFMT_ELF=y +CONFIG_BINFMT_SCRIPT=y + +# Allow to use framebuffer console if your BIOS provides a framebuffer. +# Otherwise the VGA console (forced to y with CONFIG_EXPERT=n) can be used +# as a fallback. 
Some of them can be set to m, but doing so may cause debug +# difficulties in case the boot fails before loading modules. +CONFIG_SYSFB_SIMPLEFB=y +CONFIG_FB=y +CONFIG_DRM=y +CONFIG_DRM_FBDEV_EMULATION=y +CONFIG_DRM_SIMPLEDRM=y + +# Enable NVME disk and disk controller support, SATA disk support, and AHCI +# SATA controller support. They should be enough for accessing the disk +# for a mainstream x86 system. Do not set them to m, or an initramfs will +# be needed for boot. +CONFIG_BLK_DEV_NVME=y +CONFIG_SCSI=y +CONFIG_BLK_DEV_SD=y +CONFIG_ATA=y +CONFIG_SATA_AHCI=y + +# Enable kernel modules. If you think it's not necessary, you can omit it +# and change all "m" below to "y". +CONFIG_MODULES=y + +# Enable PS/2 and USB keyboards, and the USB controllers on mainstream x86 +# systems. +CONFIG_INPUT_KEYBOARD=y +CONFIG_KEYBOARD_ATKBD=m +CONFIG_USB_SUPPORT=y +CONFIG_USB=m +CONFIG_USB_PCI=y +CONFIG_USB_HID=m +CONFIG_HID_GENERIC=m +CONFIG_USB_XHCI_HCD=m +CONFIG_USB_EHCI_HCD=m +CONFIG_USB_OHCI_HCD=m +CONFIG_USB_OHCI_HCD_PCI=m +CONFIG_USB_UHCI_HCD=m + +# Enable ASLR and SSP for the kernel. We've already protected the entire +# userspace with them (via --enable-default-{pie,ssp} in GCC configuration) +# so it does not make too much sense to leave the kernel alone. +CONFIG_RELOCATABLE=y +CONFIG_RANDOMIZE_BASE=y +CONFIG_STACKPROTECTOR=y +CONFIG_STACKPROTECTOR_STRONG=y + +# Enable ACPI or the system will not shutdown or reboot correctly. +CONFIG_ACPI=y + +# Enable CMOS RTC shipped in mainstream x86 systems, so the system time +# will be correct once LFS is boot. +CONFIG_RTC_CLASS=y +CONFIG_RTC_INTF_DEV=y +CONFIG_RTC_DRV_CMOS=y + +# Not strictly needed, but it seems a nice optimization. 
+CONFIG_JUMP_LABEL=y + +</literal>EOF</userinput></screen> + + <para> + Now enable some additional settings depending on if you are building + a 32-bit or 64-bit system: + </para> + +<screen role='nodump'><userinput>if [ $(uname -m) = x86_64 ]; then + cat >> lfs.config << EOF<literal> +# Enable building a 64-bit kernel. +CONFIG_64BIT=y + +# Enable x2apic which is recommended by Intel on supported systems. +# It also prevents a kernel panic when the BIOS forcefully enables x2apic. +CONFIG_PCI_MSI=y +CONFIG_IOMMU_SUPPORT=y +CONFIG_IRQ_REMAP=y +CONFIG_X86_X2APIC=y + +</literal>EOF +else + cat >> lfs.config << EOF<literal> +# Enable using more than 4GB memory because mainstream x86 systems often +# contains more. +CONFIG_HIGHMEM64G=y + +# Enable the system calls with 32-bit time_t. This is necessary until the +# year 2037 problem solved in all packages. +CONFIG_COMPAT_32BIT_TIME=y + +</literal>EOF +fi</userinput></screen> + + <para revision='systemd'> + Enable some features needed by Systemd: + </para> + + <screen role="nodump" revision="systemd"><userinput>cat >> lfs.config <<EOF<literal> +CONFIG_PSI=y +CONFIG_CGROUPS=y +CONFIG_MEMCG=y +CONFIG_SECCOMP=y +CONFIG_NETDEVICES=y +CONFIG_DMIID=y +CONFIG_INOTIFY_USER=y +CONFIG_AUTOFS_FS=m +CONFIG_TMPFS=y +CONFIG_TMPFS_POSIX_ACL=y + +</literal>EOF</userinput></screen> + + <para> + Now create the <filename>.config</filename> file with our settings + in <filename>lfs.config</filename>, but other options disabled: + </para> + +<screen role="nodump"><userinput>KCONFIG_ALLCONFIG=lfs.config make allnoconfig</userinput></screen> + + <para> + Check if our settings are set correctly: + </para> + +<screen role="nodump"><userinput>for i in $(sed '/^#/d' lfs.config); do + grep $i .config -q || echo "$i is not set correctly" +done</userinput></screen> + + <para> + Enable mitigations against hardware vulnerabilities in mainstream x86 + systems. 
Even if you want to disable them (only do so if you know + what you are doing), it would be better to use + <option>mitigations=off</option> in the kernel command line instead of + disabling them at build time: + </para> + +<screen role="nodump"><userinput>echo "CONFIG_SPECULATION_MITIGATIONS=y" >> .config +make olddefconfig</userinput></screen> <note> - <para>Be sure to enable/disable/set the following features or the system might - not work correctly or boot at all:</para> - - <screen role="nodump" revision="sysv">Processor type and features ---> - [*] Build a relocatable kernel [CONFIG_RELOCATABLE] - [*] Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE] -General setup ---> - [ ] Compile the kernel with warnings as errors [CONFIG_WERROR] - < > Enable kernel headers through /sys/kernel/kheaders.tar.xz [CONFIG_IKHEADERS] - [ ] Configure standard kernel features (expert users) [CONFIG_EXPERT] -General architecture-dependent options ---> - [*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR] - [*] Strong Stack Protector [CONFIG_STACKPROTECTOR_STRONG] -Device Drivers ---> - Graphics support ---> - Frame buffer Devices ---> - <*> Support for frame buffer devices ---> - Console display driver support ---> - [*] Framebuffer Console support [CONFIG_FRAMEBUFFER_CONSOLE] - Generic Driver Options ---> - [ ] Support for uevent helper [CONFIG_UEVENT_HELPER] - [*] Maintain a devtmpfs filesystem to mount at /dev [CONFIG_DEVTMPFS] - [*] Automount devtmpfs at /dev, after the kernel mounted the rootfs [CONFIG_DEVTMPFS_MOUNT]</screen> - - <screen role="nodump" revision="systemd">Processor type and features ---> - [*] Build a relocatable kernel [CONFIG_RELOCATABLE] - [*] Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE] -General setup ---> - [ ] Compile the kernel with warnings as errors [CONFIG_WERROR] - [ ] Auditing Support [CONFIG_AUDIT] - CPU/Task time and stats accounting ---> - [*] Pressure stall information 
tracking [CONFIG_PSI] - < > Enable kernel headers through /sys/kernel/kheaders.tar.xz [CONFIG_IKHEADERS] - [*] Control Group support [CONFIG_CGROUPS] ---> - [*] Memory controller [CONFIG_MEMCG] - [ ] Enable deprecated sysfs features to support old userspace tools [CONFIG_SYSFS_DEPRECATED] - [ ] Configure standard kernel features (expert users) [CONFIG_EXPERT] -General architecture-dependent options ---> - [*] Enable seccomp to safely compute untrusted bytecode [CONFIG_SECCOMP] - [*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR] - [*] Strong Stack Protector [CONFIG_STACKPROTECTOR_STRONG] -Networking support ---> - Networking options ---> - <*> The IPv6 protocol [CONFIG_IPV6] -Device Drivers ---> - Generic Driver Options ---> - [ ] Support for uevent helper [CONFIG_UEVENT_HELPER] - [*] Maintain a devtmpfs filesystem to mount at /dev [CONFIG_DEVTMPFS] - [*] Automount devtmpfs at /dev, after the kernel mounted the rootfs [CONFIG_DEVTMPFS_MOUNT] - Firmware Loader ---> - [ ] Enable the firmware sysfs fallback mechanism [CONFIG_FW_LOADER_USER_HELPER] - Firmware Drivers ---> - [*] Export DMI identification via sysfs to userspace [CONFIG_DMIID] - Graphics support ---> - Frame buffer Devices ---> - <*> Support for frame buffer devices ---> - Console display driver support ---> - [*] Framebuffer Console support [CONFIG_FRAMEBUFFER_CONSOLE] -File systems ---> - [*] Inotify support for userspace [CONFIG_INOTIFY_USER] - Pseudo filesystems ---> - [*] Tmpfs POSIX Access Control Lists [CONFIG_TMPFS_POSIX_ACL]</screen> - - <para>Enable some additional features if you are building a 64-bit - system. 
If you are using menuconfig, enable them in the order of - <parameter>CONFIG_PCI_MSI</parameter> first, then - <parameter>CONFIG_IRQ_REMAP</parameter>, at last - <parameter>CONFIG_X86_X2APIC</parameter> because an option only - shows up after its dependencies are selected.</para> - - <screen role="nodump">Processor type and features ---> - [*] Support x2apic [CONFIG_X86_X2APIC] -Device Drivers ---> - [*] PCI Support ---> [CONFIG_PCI] - [*] Message Signaled Interrupts (MSI and MSI-X) [CONFIG_PCI_MSI] - [*] IOMMU Hardware Support ---> [CONFIG_IOMMU_SUPPORT] - [*] Support for Interrupt Remapping [CONFIG_IRQ_REMAP]</screen> - </note> - - <note revision="systemd"> - <para>While "The IPv6 Protocol" is not strictly - required, it is highly recommended by the systemd developers.</para> + <para> + In the instructions above, a <quote>mainstream x86 system</quote> + means a x86 system manufactured in 2010 or more recent. All these + systems should have 64-bit capability (though still compatible with + 32-bit distros). + </para> + + <para> + If your system is older, it may contain a non-AHCI ATA controller. + Then you need to set <option>CONFIG_ATA_SFF=y</option>, + <option>CONFIG_ATA_BMDMA=y</option>, and a suitable driver for the + ATA controller (for example, <option>CONFIG_ATA_PIIX=y</option> + for old Intel chipsets and QEMU virtual machines). + </para> + + <para> + If your system is older and it contains 4GB or smaller RAM, and you + are building a 32-bit LFS system, remove + <parameter>CONFIG_HIGHMEM64G=y</parameter> or the kernel may fail + to boot. + </para> </note> - <para revision="sysv">There are several other options that may be desired - depending on the requirements for the system. 
For a list of options needed - for BLFS packages, see the <ulink - url="&lfs-root;blfs/view/&short-version;/longindex.html#kernel-config-index">BLFS - Index of Kernel Settings</ulink> - (&lfs-root;blfs/view/&short-version;/longindex.html#kernel-config-index).</para> + <para> + The instructions above has created a minimal configuration enough + for booting LFS on a mainstream x86 system with a functional Linux + console. For other peripherals (NICs, mice, etc.), it's obviously + impossible to cover all the drivers for them here. And there are also + other configuation options you may want to tweak. Now you should run + <command>make menuconfig</command> to invoke a menu-driven + configuration interface and manually adapt the configuration for your + need, or run <command>make localmodconfig</command> to enable all + configuration options for kernel modules already loaded by the host + distro (they should likely cover the drivers for the peripherals + already connected onto the system). Some examples of kernel + configurations (for the systems of LFS editors) can be viewed at + <ulink url='about:blank'>TODO</ulink>. + </para> <note> - <para>If your host hardware is using UEFI and you wish to boot the - LFS system with it, you should adjust some kernel configuration - following <ulink url="&blfs-book;postlfs/grub-setup.html#uefi-kernel"> - the BLFS page</ulink>.</para> + <para> + Do not set <option>CONFIG_WERROR=y</option> or + <option>CONFIG_IKHEADERS=y</option>, or the kernel may fail to + build. Do not set <option>CONFIG_SYSFS_DEPRECATED=y</option>, + <option>CONFIG_UEVENT_HELPER=y</option>, or + <option>CONFIG_FW_LOADER_USER_HELPER=y</option>, or the system may + fail to boot. Do not set <option>CONFIG_EXPERT=y</option> + unless you really know what you are doing. 
+ </para> </note> - <variablelist> - <title>The rationale for the above configuration items:</title> - - <varlistentry> - <term><parameter>Randomize the address of the kernel image (KASLR)</parameter></term> - <listitem> - <para>Enable ASLR for kernel image, to mitigate some attacks based - on fixed addresses of sensitive data or code in the kernel.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <parameter> - Compile the kernel with warnings as errors - </parameter> - </term> - <listitem> - <para>This may cause building failure if the compiler and/or - configuration are different from those of the kernel - developers.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <parameter> - Enable kernel headers through /sys/kernel/kheaders.tar.xz - </parameter> - </term> - <listitem> - <para>This will require <command>cpio</command> building the kernel. - <command>cpio</command> is not installed by LFS.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <parameter> - Configure standard kernel features (expert users) - </parameter> - </term> - <listitem> - <para>This will make some options show up in the configuration - interface but changing those options may be dangerous. Do not use - this unless you know what you are doing.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><parameter>Strong Stack Protector</parameter></term> - <listitem> - <para>Enable SSP for the kernel. We've enabled it for the entire - userspace with <parameter>--enable-default-ssp</parameter> - configuring GCC, but the kernel does not use GCC default setting - for SSP. We enable it explicitly here.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><parameter>Support for uevent helper</parameter></term> - <listitem> - <para>Having this option set may interfere with device - management when using Udev/Eudev. 
</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><parameter>Maintain a devtmpfs</parameter></term> - <listitem> - <para>This will create automated device nodes which are populated by the - kernel, even without Udev running. Udev then runs on top of this, - managing permissions and adding symlinks. This configuration - item is required for all users of Udev/Eudev.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><parameter>Automount devtmpfs at /dev</parameter></term> - <listitem> - <para>This will mount the kernel view of the devices on /dev - upon switching to root filesystem just before starting - init.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><parameter>Framebuffer Console support</parameter></term> - <listitem> - <para>This is needed to display the Linux console on a frame - buffer device. To allow the kernel to print debug messages at an - early boot stage, it shouldn't be built as a kernel module - unless an initramfs will be used. And, if - <option>CONFIG_DRM</option> (Direct Rendering Manager) is enabled, - it's likely <option>CONFIG_DRM_FBDEV_EMULATION</option> (Enable - legacy fbdev support for your modesetting driver) should be - enabled as well.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><parameter>Support x2apic</parameter></term> - <listitem> - <para>Support running the interrupt controller of 64-bit x86 - processors in x2APIC mode. x2APIC may be enabled by firmware on - 64-bit x86 systems, and a kernel without this option enabled will - panic on boot if x2APIC is enabled by firmware. This option has - has no effect, but also does no harm if x2APIC is disabled by the - firmware.</para> - </listitem> - </varlistentry> - - </variablelist> - - <para>Alternatively, <command>make oldconfig</command> may be more - appropriate in some situations. 
See the <filename>README</filename> - file for more information.</para> - - <para>If desired, skip kernel configuration by copying the kernel - config file, <filename>.config</filename>, from the host system - (assuming it is available) to the unpacked <filename - class="directory">linux-&linux-version;</filename> directory. However, - we do not recommend this option. It is often better to explore all the - configuration menus and create the kernel configuration from - scratch.</para> - <para>Compile the kernel image and modules:</para> <screen><userinput remap="make">make</userinput></screen> |