From 8dfb4e04f117aec51975c79188f430975d19e7c2 Mon Sep 17 00:00:00 2001 From: Xi Ruoyao Date: Fri, 10 Mar 2023 11:04:05 +0800 Subject: kernel: Provide a minimal base configuration for mainstream x86 --- chapter10/kernel.xml | 448 +++++++++++++++++++++++++-------------------------- 1 file changed, 220 insertions(+), 228 deletions(-) diff --git a/chapter10/kernel.xml b/chapter10/kernel.xml index 7c64e0983..159394aa0 100644 --- a/chapter10/kernel.xml +++ b/chapter10/kernel.xml 
@@ -96,242 +96,234 @@ information about configuring and building the kernel can be found at - - A good starting place for setting up the kernel configuration is to - run make defconfig. This will set the base - configuration to a good state that takes your current system architecture - into account. - - Do not disable any option enabled by make - defconfig unless the following note explicitly makes it - disabled or you really know what you are doing. - + + Set up a minimal base configuration: + + + cat > lfs.config << EOF +# Many packages expect SysV IPC or POSIX message queue +CONFIG_SYSVIPC=y +CONFIG_POSIX_MQUEUE=y + +# Mainstream x86 system contains multiple CPU cores. This is needed to use +# all the cores. +CONFIG_SMP=y + +# Many packages expect the basic network functionality is available, even +# if the system has no NIC at all. +CONFIG_NET=y +CONFIG_PACKET=y +CONFIG_UNIX=y +CONFIG_INET=y +CONFIG_IPV6=y + +# Mainstream x86 system use PCIe as the system bus for peripherals. +CONFIG_PCI=y +CONFIG_PCIEPORTBUS=y + +# Enable devtmpfs which is necessary for udev, and mount it at early boot +# stage so we don't need to create static device nodes in /dev. +CONFIG_DEVTMPFS=y +CONFIG_DEVTMPFS_MOUNT=y + +# LFS uses ext4 file system. Don't set it to m or you'll need an initramfs. +# Also Enable Access Control List feature needed by the Acl package. +CONFIG_EXT4_FS=y +CONFIG_EXT4_FS_POSIX_ACL=y + +# Allow to execute ELF executables and scripts. All executables in a LFS +# system are either ELF or a script. +CONFIG_BINFMT_ELF=y +CONFIG_BINFMT_SCRIPT=y + +# Allow to use framebuffer console if your BIOS provides a framebuffer. +# Otherwise the VGA console (forced to y with CONFIG_EXPERT=n) can be used +# as a fallback. Some of them can be set to m, but doing so may cause debug +# difficulties in case the boot fails before loading modules. 
+CONFIG_SYSFB_SIMPLEFB=y
+CONFIG_FB=y
+CONFIG_DRM=y
+CONFIG_DRM_FBDEV_EMULATION=y
+CONFIG_DRM_SIMPLEDRM=y
+
+# Enable NVME disk and disk controller support, SATA disk support, and AHCI
+# SATA controller support. They should be enough for accessing the disk
+# for a mainstream x86 system. Do not set them to m, or an initramfs will
+# be needed for boot.
+CONFIG_BLK_DEV_NVME=y
+CONFIG_SCSI=y
+CONFIG_BLK_DEV_SD=y
+CONFIG_ATA=y
+CONFIG_SATA_AHCI=y
+
+# Enable kernel modules. If you think it's not necessary, you can omit it
+# and change all "m" below to "y".
+CONFIG_MODULES=y
+
+# Enable PS/2 and USB keyboards, and the USB controllers on mainstream x86
+# systems.
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=m
+CONFIG_USB_SUPPORT=y
+CONFIG_USB=m
+CONFIG_USB_PCI=y
+CONFIG_USB_HID=m
+CONFIG_HID_GENERIC=m
+CONFIG_USB_XHCI_HCD=m
+CONFIG_USB_EHCI_HCD=m
+CONFIG_USB_OHCI_HCD=m
+CONFIG_USB_OHCI_HCD_PCI=m
+CONFIG_USB_UHCI_HCD=m
+
+# Enable ASLR and SSP for the kernel. We've already protected the entire
+# userspace with them (via --enable-default-{pie,ssp} in GCC configuration)
+# so it does not make too much sense to leave the kernel alone.
+CONFIG_RELOCATABLE=y
+CONFIG_RANDOMIZE_BASE=y
+CONFIG_STACKPROTECTOR=y
+CONFIG_STACKPROTECTOR_STRONG=y
+
+# Enable ACPI or the system will not shutdown or reboot correctly.
+CONFIG_ACPI=y
+
+# Enable CMOS RTC shipped in mainstream x86 systems, so the system time
+# will be correct once LFS is boot.
+CONFIG_RTC_CLASS=y
+CONFIG_RTC_INTF_DEV=y
+CONFIG_RTC_DRV_CMOS=y
+
+# Not strictly needed, but it seems a nice optimization.
+CONFIG_JUMP_LABEL=y
+
+EOF
+
+
+ Now enable some additional settings depending on if you are building
+ a 32-bit or 64-bit system:
+
+
+if [ $(uname -m) = x86_64 ]; then
+ cat >> lfs.config << EOF
+# Enable building a 64-bit kernel.
+CONFIG_64BIT=y
+
+# Enable x2apic which is recommended by Intel on supported systems.
+# It also prevents a kernel panic when the BIOS forcefully enables x2apic.
+CONFIG_PCI_MSI=y
+CONFIG_IOMMU_SUPPORT=y
+CONFIG_IRQ_REMAP=y
+CONFIG_X86_X2APIC=y
+
+EOF
+else
+ cat >> lfs.config << EOF
+# Enable using more than 4GB memory because mainstream x86 systems often
+# contains more.
+CONFIG_HIGHMEM64G=y
+
+# Enable the system calls with 32-bit time_t. This is necessary until the
+# year 2037 problem solved in all packages.
+CONFIG_COMPAT_32BIT_TIME=y
+
+EOF
+fi
+
+
+ Enable some features needed by Systemd:
+
+
+ cat >> lfs.config <<EOF
+CONFIG_PSI=y
+CONFIG_CGROUPS=y
+CONFIG_MEMCG=y
+CONFIG_SECCOMP=y
+CONFIG_NETDEVICES=y
+CONFIG_DMIID=y
+CONFIG_INOTIFY_USER=y
+CONFIG_AUTOFS_FS=m
+CONFIG_TMPFS=y
+CONFIG_TMPFS_POSIX_ACL=y
+
+EOF
+
+
+ Now create the .config file with our settings
+ in lfs.config, but other options disabled:
+
+
+KCONFIG_ALLCONFIG=lfs.config make allnoconfig
+
+
+ Check if our settings are set correctly:
+
+
+for i in $(sed '/^#/d' lfs.config); do
+ grep $i .config -q || echo "$i is not set correctly"
+done
+
+
+ Enable mitigations against hardware vulnerabilities in mainstream x86
+ systems. 
Even if you want to disable them (only do so if you know + what you are doing), it would be better to use + in the kernel command line instead of + disabling them at build time: + + +echo "CONFIG_SPECULATION_MITIGATIONS=y" >> .config +make olddefconfig - Be sure to enable/disable/set the following features or the system might - not work correctly or boot at all: - - Processor type and features ---> - [*] Build a relocatable kernel [CONFIG_RELOCATABLE] - [*] Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE] -General setup ---> - [ ] Compile the kernel with warnings as errors [CONFIG_WERROR] - < > Enable kernel headers through /sys/kernel/kheaders.tar.xz [CONFIG_IKHEADERS] - [ ] Configure standard kernel features (expert users) [CONFIG_EXPERT] -General architecture-dependent options ---> - [*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR] - [*] Strong Stack Protector [CONFIG_STACKPROTECTOR_STRONG] -Device Drivers ---> - Graphics support ---> - Frame buffer Devices ---> - <*> Support for frame buffer devices ---> - Console display driver support ---> - [*] Framebuffer Console support [CONFIG_FRAMEBUFFER_CONSOLE] - Generic Driver Options ---> - [ ] Support for uevent helper [CONFIG_UEVENT_HELPER] - [*] Maintain a devtmpfs filesystem to mount at /dev [CONFIG_DEVTMPFS] - [*] Automount devtmpfs at /dev, after the kernel mounted the rootfs [CONFIG_DEVTMPFS_MOUNT] - - Processor type and features ---> - [*] Build a relocatable kernel [CONFIG_RELOCATABLE] - [*] Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE] -General setup ---> - [ ] Compile the kernel with warnings as errors [CONFIG_WERROR] - [ ] Auditing Support [CONFIG_AUDIT] - CPU/Task time and stats accounting ---> - [*] Pressure stall information tracking [CONFIG_PSI] - < > Enable kernel headers through /sys/kernel/kheaders.tar.xz [CONFIG_IKHEADERS] - [*] Control Group support [CONFIG_CGROUPS] ---> - [*] Memory controller [CONFIG_MEMCG] - [ ] Enable 
deprecated sysfs features to support old userspace tools [CONFIG_SYSFS_DEPRECATED] - [ ] Configure standard kernel features (expert users) [CONFIG_EXPERT] -General architecture-dependent options ---> - [*] Enable seccomp to safely compute untrusted bytecode [CONFIG_SECCOMP] - [*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR] - [*] Strong Stack Protector [CONFIG_STACKPROTECTOR_STRONG] -Networking support ---> - Networking options ---> - <*> The IPv6 protocol [CONFIG_IPV6] -Device Drivers ---> - Generic Driver Options ---> - [ ] Support for uevent helper [CONFIG_UEVENT_HELPER] - [*] Maintain a devtmpfs filesystem to mount at /dev [CONFIG_DEVTMPFS] - [*] Automount devtmpfs at /dev, after the kernel mounted the rootfs [CONFIG_DEVTMPFS_MOUNT] - Firmware Loader ---> - [ ] Enable the firmware sysfs fallback mechanism [CONFIG_FW_LOADER_USER_HELPER] - Firmware Drivers ---> - [*] Export DMI identification via sysfs to userspace [CONFIG_DMIID] - Graphics support ---> - Frame buffer Devices ---> - <*> Support for frame buffer devices ---> - Console display driver support ---> - [*] Framebuffer Console support [CONFIG_FRAMEBUFFER_CONSOLE] -File systems ---> - [*] Inotify support for userspace [CONFIG_INOTIFY_USER] - Pseudo filesystems ---> - [*] Tmpfs POSIX Access Control Lists [CONFIG_TMPFS_POSIX_ACL] - - Enable some additional features if you are building a 64-bit - system. If you are using menuconfig, enable them in the order of - CONFIG_PCI_MSI first, then - CONFIG_IRQ_REMAP, at last - CONFIG_X86_X2APIC because an option only - shows up after its dependencies are selected. 
- - Processor type and features ---> - [*] Support x2apic [CONFIG_X86_X2APIC] -Device Drivers ---> - [*] PCI Support ---> [CONFIG_PCI] - [*] Message Signaled Interrupts (MSI and MSI-X) [CONFIG_PCI_MSI] - [*] IOMMU Hardware Support ---> [CONFIG_IOMMU_SUPPORT] - [*] Support for Interrupt Remapping [CONFIG_IRQ_REMAP] - - - - While "The IPv6 Protocol" is not strictly - required, it is highly recommended by the systemd developers. + + In the instructions above, a mainstream x86 system + means a x86 system manufactured in 2010 or more recent. All these + systems should have 64-bit capability (though still compatible with + 32-bit distros). + + + + If your system is older, it may contain a non-AHCI ATA controller. + Then you need to set , + , and a suitable driver for the + ATA controller (for example, + for old Intel chipsets and QEMU virtual machines). + + + + If your system is older and it contains 4GB or smaller RAM, and you + are building a 32-bit LFS system, remove + CONFIG_HIGHMEM64G=y or the kernel may fail + to boot. + - There are several other options that may be desired - depending on the requirements for the system. For a list of options needed - for BLFS packages, see the BLFS - Index of Kernel Settings - (&lfs-root;blfs/view/&short-version;/longindex.html#kernel-config-index). + + The instructions above has created a minimal configuration enough + for booting LFS on a mainstream x86 system with a functional Linux + console. For other peripherals (NICs, mice, etc.), it's obviously + impossible to cover all the drivers for them here. And there are also + other configuation options you may want to tweak. Now you should run + make menuconfig to invoke a menu-driven + configuration interface and manually adapt the configuration for your + need, or run make localmodconfig to enable all + configuration options for kernel modules already loaded by the host + distro (they should likely cover the drivers for the peripherals + already connected onto the system). 
Some examples of kernel + configurations (for the systems of LFS editors) can be viewed at + TODO. + - If your host hardware is using UEFI and you wish to boot the - LFS system with it, you should adjust some kernel configuration - following - the BLFS page. + + Do not set or + , or the kernel may fail to + build. Do not set , + , or + , or the system may + fail to boot. Do not set + unless you really know what you are doing. + - - The rationale for the above configuration items: - - - Randomize the address of the kernel image (KASLR) - - Enable ASLR for kernel image, to mitigate some attacks based - on fixed addresses of sensitive data or code in the kernel. - - - - - - - Compile the kernel with warnings as errors - - - - This may cause building failure if the compiler and/or - configuration are different from those of the kernel - developers. - - - - - - - Enable kernel headers through /sys/kernel/kheaders.tar.xz - - - - This will require cpio building the kernel. - cpio is not installed by LFS. - - - - - - - Configure standard kernel features (expert users) - - - - This will make some options show up in the configuration - interface but changing those options may be dangerous. Do not use - this unless you know what you are doing. - - - - - Strong Stack Protector - - Enable SSP for the kernel. We've enabled it for the entire - userspace with --enable-default-ssp - configuring GCC, but the kernel does not use GCC default setting - for SSP. We enable it explicitly here. - - - - - Support for uevent helper - - Having this option set may interfere with device - management when using Udev/Eudev. - - - - - Maintain a devtmpfs - - This will create automated device nodes which are populated by the - kernel, even without Udev running. Udev then runs on top of this, - managing permissions and adding symlinks. This configuration - item is required for all users of Udev/Eudev. 
- - - - - Automount devtmpfs at /dev - - This will mount the kernel view of the devices on /dev - upon switching to root filesystem just before starting - init. - - - - - Framebuffer Console support - - This is needed to display the Linux console on a frame - buffer device. To allow the kernel to print debug messages at an - early boot stage, it shouldn't be built as a kernel module - unless an initramfs will be used. And, if - (Direct Rendering Manager) is enabled, - it's likely (Enable - legacy fbdev support for your modesetting driver) should be - enabled as well. - - - - - Support x2apic - - Support running the interrupt controller of 64-bit x86 - processors in x2APIC mode. x2APIC may be enabled by firmware on - 64-bit x86 systems, and a kernel without this option enabled will - panic on boot if x2APIC is enabled by firmware. This option has - has no effect, but also does no harm if x2APIC is disabled by the - firmware. - - - - - - Alternatively, make oldconfig may be more - appropriate in some situations. See the README - file for more information. - - If desired, skip kernel configuration by copying the kernel - config file, .config, from the host system - (assuming it is available) to the unpacked linux-&linux-version; directory. However, - we do not recommend this option. It is often better to explore all the - configuration menus and create the kernel configuration from - scratch. - Compile the kernel image and modules: make -- cgit v1.2.3-54-g00ecf
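Review bot: The verification loop runs before `CONFIG_SPECULATION_MITIGATIONS=y` is appended to .config, so that option is the one setting in this hunk whose survival of `make olddefconfig` is never checked; should olddefconfig drop it, the reader gets no warning. Unless there is a reason it cannot be given through KCONFIG_ALLCONFIG, adding the line to the lfs.config heredoc places it under the same check; otherwise repeat the loop after `make olddefconfig`. In the loop itself, `grep $i .config -q` is an unanchored substring match with an unquoted pattern; `grep -qxF -- "$i" .config` matches each CONFIG line literally and as a whole line, which is what "set correctly" means here. The `if [ $(uname -m) = x86_64 ]` test is safe only because uname prints a single word; quoting the substitution, `if [ "$(uname -m)" = x86_64 ]; then`, makes that explicit.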