Changeset 8dfb4e04

Timestamp:

03/10/2023 03:04:05 AM (3 months ago)

Author:

Xi Ruoyao <xry111@…>

Branches:

xry111/kcfg-revise

Parents:

74d4d5e

Message:

kernel: Provide a minimal base configuration for mainstream x86

File:

• chapter10/kernel.xml (modified) (1 diff)

chapter10/kernel.xml

@@ -97 +97 @@
     <ulink url="http://www.kroah.com/lkn/"/> </para>
 
-    <caution>
-      <para>A good starting place for setting up the kernel configuration is to
-      run <command>make defconfig</command>. This will set the base
-      configuration to a good state that takes your current system architecture
-      into account.</para>
-
-      <para>Do not disable any option enabled by <command>make
-      defconfig</command> unless the following note explicitly makes it
-      disabled or you really know what you are doing.</para>
-    </caution>
+    <para>
+      Set up a minimal base configuration:
+    </para>
+
+    <screen role="nodump"><userinput>cat &gt; lfs.config &lt;&lt; EOF<literal>
+# Many packages expect SysV IPC or POSIX message queue
+CONFIG_SYSVIPC=y
+CONFIG_POSIX_MQUEUE=y
+
+# Mainstream x86 system contains multiple CPU cores.  This is needed to use
+# all the cores.
+CONFIG_SMP=y
+
+# Many packages expect the basic network functionality is available, even
+# if the system has no NIC at all.
+CONFIG_NET=y
+CONFIG_PACKET=y
+CONFIG_UNIX=y
+CONFIG_INET=y
+CONFIG_IPV6=y
+
+# Mainstream x86 system use PCIe as the system bus for peripherals.
+CONFIG_PCI=y
+CONFIG_PCIEPORTBUS=y
+
+# Enable devtmpfs which is necessary for udev, and mount it at early boot
+# stage so we don't need to create static device nodes in /dev.
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+
+# LFS uses ext4 file system.  Don't set it to m or you'll need an initramfs.
+# Also Enable Access Control List feature needed by the Acl package.
+CONFIG_EXT4_FS=y
+CONFIG_EXT4_FS_POSIX_ACL=y
+
+# Allow to execute ELF executables and scripts.  All executables in a LFS
+# system are either ELF or a script.
+CONFIG_BINFMT_ELF=y
+CONFIG_BINFMT_SCRIPT=y
+
+# Allow to use framebuffer console if your BIOS provides a framebuffer.
+# Otherwise the VGA console (forced to y with CONFIG_EXPERT=n) can be used
+# as a fallback.  Some of them can be set to m, but doing so may cause debug
+# difficulties in case the boot fails before loading modules.
+CONFIG_SYSFB_SIMPLEFB=y
+CONFIG_FB=y
+CONFIG_DRM=y
+CONFIG_DRM_FBDEV_EMULATION=y
+CONFIG_DRM_SIMPLEDRM=y
+
+# Enable NVME disk and disk controller support, SATA disk support, and AHCI
+# SATA controller support.  They should be enough for accessing the disk
+# for a mainstream x86 system.  Do not set them to m, or an initramfs will
+# be needed for boot.
+CONFIG_BLK_DEV_NVME=y
+CONFIG_SCSI=y
+CONFIG_BLK_DEV_SD=y
+CONFIG_ATA=y
+CONFIG_SATA_AHCI=y
+
+# Enable kernel modules.  If you think it's not necessary, you can omit it
+# and change all "m" below to "y".
+CONFIG_MODULES=y
+
+# Enable PS/2 and USB keyboards, and the USB controllers on mainstream x86
+# systems.
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=m
+CONFIG_USB_SUPPORT=y
+CONFIG_USB=m
+CONFIG_USB_PCI=y
+CONFIG_USB_HID=m
+CONFIG_HID_GENERIC=m
+CONFIG_USB_XHCI_HCD=m
+CONFIG_USB_EHCI_HCD=m
+CONFIG_USB_OHCI_HCD=m
+CONFIG_USB_OHCI_HCD_PCI=m
+CONFIG_USB_UHCI_HCD=m
+
+# Enable ASLR and SSP for the kernel.  We've already protected the entire
+# userspace with them (via --enable-default-{pie,ssp} in GCC configuration)
+# so it does not make too much sense to leave the kernel alone.
+CONFIG_RELOCATABLE=y
+CONFIG_RANDOMIZE_BASE=y
+CONFIG_STACKPROTECTOR=y
+CONFIG_STACKPROTECTOR_STRONG=y
+
+# Enable ACPI or the system will not shutdown or reboot correctly.
+CONFIG_ACPI=y
+
+# Enable CMOS RTC shipped in mainstream x86 systems, so the system time
+# will be correct once LFS is boot.
+CONFIG_RTC_CLASS=y
+CONFIG_RTC_INTF_DEV=y
+CONFIG_RTC_DRV_CMOS=y
+
+# Not strictly needed, but it seems a nice optimization.
+CONFIG_JUMP_LABEL=y
+
+</literal>EOF</userinput></screen>
+
+    <para>
+      Now enable some additional settings depending on if you are building
+      a 32-bit or 64-bit system:
+    </para>
+
+<screen role='nodump'><userinput>if [ $(uname -m) = x86_64 ]; then
+        cat &gt;&gt; lfs.config &lt;&lt; EOF<literal>
+# Enable building a 64-bit kernel.
+CONFIG_64BIT=y
+
+# Enable x2apic which is recommended by Intel on supported systems.
+# It also prevents a kernel panic when the BIOS forcefully enables x2apic.
+CONFIG_PCI_MSI=y
+CONFIG_IOMMU_SUPPORT=y
+CONFIG_IRQ_REMAP=y
+CONFIG_X86_X2APIC=y
+
+</literal>EOF
+else
+        cat &gt;&gt; lfs.config &lt;&lt; EOF<literal>
+# Enable using more than 4GB memory because mainstream x86 systems often
+# contains more.
+CONFIG_HIGHMEM64G=y
+
+# Enable the system calls with 32-bit time_t.  This is necessary until the
+# year 2037 problem solved in all packages.
+CONFIG_COMPAT_32BIT_TIME=y
+
+</literal>EOF
+fi</userinput></screen>
+
+    <para revision='systemd'>
+      Enable some features needed by Systemd:
+    </para>
+
+    <screen role="nodump" revision="systemd"><userinput>cat &gt;&gt; lfs.config &lt;&lt;EOF<literal>
+CONFIG_PSI=y
+CONFIG_CGROUPS=y
+CONFIG_MEMCG=y
+CONFIG_SECCOMP=y
+CONFIG_NETDEVICES=y
+CONFIG_DMIID=y
+CONFIG_INOTIFY_USER=y
+CONFIG_AUTOFS_FS=m
+CONFIG_TMPFS=y
+CONFIG_TMPFS_POSIX_ACL=y
+
+</literal>EOF</userinput></screen>
+
+    <para>
+      Now create the <filename>.config</filename> file with our settings
+      in <filename>lfs.config</filename>, but other options disabled:
+    </para>
+
+<screen role="nodump"><userinput>KCONFIG_ALLCONFIG=lfs.config make allnoconfig</userinput></screen>
+
+    <para>
+      Check if our settings are set correctly:
+    </para>
+
+<screen role="nodump"><userinput>for i in $(sed '/^#/d' lfs.config); do
+  grep $i .config -q || echo "$i is not set correctly"
+done</userinput></screen>
+
+    <para>
+      Enable mitigations against hardware vulnerabilities in mainstream x86
+      systems.  Even if you want to disable them (only do so if you know
+      what you are doing), it would be better to use
+      <option>mitigations=off</option> in the kernel command line instead of
+      disabling them at build time:
+    </para>
+
+<screen role="nodump"><userinput>echo "CONFIG_SPECULATION_MITIGATIONS=y" >> .config
+make olddefconfig</userinput></screen>
 
     <note>
-      <para>Be sure to enable/disable/set the following features or the system might
-      not work correctly or boot at all:</para>
-
-      <screen role="nodump" revision="sysv">Processor type and features ---&gt;
-   [*] Build a relocatable kernel [CONFIG_RELOCATABLE]
-   [*]   Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE]
-General setup ---&gt;
-   [ ] Compile the kernel with warnings as errors [CONFIG_WERROR]
-   &lt; &gt; Enable kernel headers through /sys/kernel/kheaders.tar.xz [CONFIG_IKHEADERS]
-   [ ] Configure standard kernel features (expert users) [CONFIG_EXPERT]
-General architecture-dependent options  ---&gt;
-   [*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR]
-   [*]   Strong Stack Protector [CONFIG_STACKPROTECTOR_STRONG]
-Device Drivers  ---&gt;
-  Graphics support ---&gt;
-   Frame buffer Devices ---&gt;
-      &lt;*&gt; Support for frame buffer devices ---&gt;
-   Console display driver support ---&gt;
-      [*] Framebuffer Console support [CONFIG_FRAMEBUFFER_CONSOLE]
-  Generic Driver Options  ---&gt;
-   [ ] Support for uevent helper [CONFIG_UEVENT_HELPER]
-   [*] Maintain a devtmpfs filesystem to mount at /dev [CONFIG_DEVTMPFS]
-   [*]   Automount devtmpfs at /dev, after the kernel mounted the rootfs [CONFIG_DEVTMPFS_MOUNT]</screen>
-
-      <screen role="nodump" revision="systemd">Processor type and features ---&gt;
-   [*] Build a relocatable kernel [CONFIG_RELOCATABLE]
-   [*]   Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE]
-General setup ---&gt;
-   [ ] Compile the kernel with warnings as errors [CONFIG_WERROR]
-   [ ] Auditing Support [CONFIG_AUDIT]
-   CPU/Task time and stats accounting ---&gt;
-      [*] Pressure stall information tracking [CONFIG_PSI]
-   &lt; &gt; Enable kernel headers through /sys/kernel/kheaders.tar.xz [CONFIG_IKHEADERS]
-   [*] Control Group support [CONFIG_CGROUPS]   ---&gt;
-      [*] Memory controller [CONFIG_MEMCG]
-   [ ] Enable deprecated sysfs features to support old userspace tools [CONFIG_SYSFS_DEPRECATED]
-   [ ] Configure standard kernel features (expert users) [CONFIG_EXPERT]
-General architecture-dependent options  ---&gt;
-   [*] Enable seccomp to safely compute untrusted bytecode [CONFIG_SECCOMP]
-   [*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR]
-   [*]   Strong Stack Protector [CONFIG_STACKPROTECTOR_STRONG]
-Networking support  ---&gt;
-  Networking options  ---&gt;
-   &lt;*&gt; The IPv6 protocol [CONFIG_IPV6]
-Device Drivers  ---&gt;
-  Generic Driver Options  ---&gt;
-   [ ] Support for uevent helper [CONFIG_UEVENT_HELPER]
-   [*] Maintain a devtmpfs filesystem to mount at /dev [CONFIG_DEVTMPFS]
-   [*]   Automount devtmpfs at /dev, after the kernel mounted the rootfs [CONFIG_DEVTMPFS_MOUNT]
-   Firmware Loader ---&gt;
-      [ ] Enable the firmware sysfs fallback mechanism [CONFIG_FW_LOADER_USER_HELPER]
-  Firmware Drivers   ---&gt;
-   [*] Export DMI identification via sysfs to userspace [CONFIG_DMIID]
-  Graphics support ---&gt;
-   Frame buffer Devices ---&gt;
-      &lt;*&gt; Support for frame buffer devices ---&gt;
-   Console display driver support ---&gt;
-      [*] Framebuffer Console support [CONFIG_FRAMEBUFFER_CONSOLE]
-File systems  ---&gt;
-   [*] Inotify support for userspace [CONFIG_INOTIFY_USER]
-       Pseudo filesystems  ---&gt;
-        [*] Tmpfs POSIX Access Control Lists [CONFIG_TMPFS_POSIX_ACL]</screen>
-
-      <para>Enable some additional features if you are building a 64-bit
-      system.  If you are using menuconfig, enable them in the order of
-      <parameter>CONFIG_PCI_MSI</parameter> first, then
-      <parameter>CONFIG_IRQ_REMAP</parameter>, at last
-      <parameter>CONFIG_X86_X2APIC</parameter> because an option only
-      shows up after its dependencies are selected.</para>
-
-      <screen role="nodump">Processor type and features ---&gt;
-  [*] Support x2apic [CONFIG_X86_X2APIC]
-Device Drivers ---&gt;
-  [*] PCI Support ---&gt; [CONFIG_PCI]
-    [*] Message Signaled Interrupts (MSI and MSI-X) [CONFIG_PCI_MSI]
-  [*] IOMMU Hardware Support ---&gt; [CONFIG_IOMMU_SUPPORT]
-    [*] Support for Interrupt Remapping [CONFIG_IRQ_REMAP]</screen>
+      <para>
+        In the instructions above, a <quote>mainstream x86 system</quote>
+        means a x86 system manufactured in 2010 or more recent.  All these
+        systems should have 64-bit capability (though still compatible with
+        32-bit distros).
+      </para>
+
+      <para>
+        If your system is older, it may contain a non-AHCI ATA controller.
+        Then you need to set <option>CONFIG_ATA_SFF=y</option>,
+        <option>CONFIG_ATA_BMDMA=y</option>, and a suitable driver for the
+        ATA controller (for example, <option>CONFIG_ATA_PIIX=y</option>
+        for old Intel chipsets and QEMU virtual machines).
+      </para>
+
+      <para>
+        If your system is older and it contains 4GB or smaller RAM, and you
+        are building a 32-bit LFS system, remove
+        <parameter>CONFIG_HIGHMEM64G=y</parameter> or the kernel may fail
+        to boot.
+      </para>
     </note>
 
-    <note revision="systemd">
-      <para>While "The IPv6 Protocol" is not strictly
-      required, it is highly recommended by the systemd developers.</para>
+    <para>
+      The instructions above has created a minimal configuration enough
+      for booting LFS on a mainstream x86 system with a functional Linux
+      console.  For other peripherals (NICs, mice, etc.), it's obviously
+      impossible to cover all the drivers for them here.  And there are also
+      other configuation options you may want to tweak.  Now you should run
+      <command>make menuconfig</command> to invoke a menu-driven
+      configuration interface and manually adapt the configuration for your
+      need, or run <command>make localmodconfig</command> to enable all
+      configuration options for kernel modules already loaded by the host
+      distro (they should likely cover the drivers for the peripherals
+      already connected onto the system).  Some examples of kernel
+      configurations (for the systems of LFS editors) can be viewed at
+      <ulink url='about:blank'>TODO</ulink>.
+    </para>
+
+    <note>
+      <para>
+        Do not set <option>CONFIG_WERROR=y</option> or
+        <option>CONFIG_IKHEADERS=y</option>, or the kernel may fail to
+        build.  Do not set <option>CONFIG_SYSFS_DEPRECATED=y</option>,
+        <option>CONFIG_UEVENT_HELPER=y</option>, or
+        <option>CONFIG_FW_LOADER_USER_HELPER=y</option>, or the system may
+        fail to boot.  Do not set <option>CONFIG_EXPERT=y</option>
+        unless you really know what you are doing.
+      </para>
     </note>
-
-    <para revision="sysv">There are several other options that may be desired
-    depending on the requirements for the system. For a list of options needed
-    for BLFS packages, see the <ulink
-    url="&lfs-root;blfs/view/&short-version;/longindex.html#kernel-config-index">BLFS
-    Index of Kernel Settings</ulink>
-    (&lfs-root;blfs/view/&short-version;/longindex.html#kernel-config-index).</para>
-
-    <note>
-      <para>If your host hardware is using UEFI and you wish to boot the
-      LFS system with it, you should adjust some kernel configuration
-      following <ulink url="&blfs-book;postlfs/grub-setup.html#uefi-kernel">
-      the BLFS page</ulink>.</para>
-    </note>
-
-    <variablelist>
-      <title>The rationale for the above configuration items:</title>
-
-      <varlistentry>
-        <term><parameter>Randomize the address of the kernel image (KASLR)</parameter></term>
-        <listitem>
-          <para>Enable ASLR for kernel image, to mitigate some attacks based
-          on fixed addresses of sensitive data or code in the kernel.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>
-          <parameter>
-            Compile the kernel with warnings as errors
-          </parameter>
-        </term>
-        <listitem>
-          <para>This may cause building failure if the compiler and/or
-          configuration are different from those of the kernel
-          developers.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>
-          <parameter>
-            Enable kernel headers through /sys/kernel/kheaders.tar.xz
-          </parameter>
-        </term>
-        <listitem>
-          <para>This will require <command>cpio</command> building the kernel.
-          <command>cpio</command> is not installed by LFS.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>
-          <parameter>
-            Configure standard kernel features (expert users)
-          </parameter>
-        </term>
-        <listitem>
-          <para>This will make some options show up in the configuration
-          interface but changing those options may be dangerous.  Do not use
-          this unless you know what you are doing.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><parameter>Strong Stack Protector</parameter></term>
-        <listitem>
-          <para>Enable SSP for the kernel.  We've enabled it for the entire
-          userspace with <parameter>--enable-default-ssp</parameter>
-          configuring GCC, but the kernel does not use GCC default setting
-          for SSP.  We enable it explicitly here.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><parameter>Support for uevent helper</parameter></term>
-        <listitem>
-          <para>Having this option set may interfere with device
-          management when using Udev/Eudev. </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><parameter>Maintain a devtmpfs</parameter></term>
-        <listitem>
-          <para>This will create automated device nodes which are populated by the
-          kernel, even without Udev running.  Udev then runs on top of this,
-          managing permissions and adding symlinks.  This configuration
-          item is required for all users of Udev/Eudev.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><parameter>Automount devtmpfs at /dev</parameter></term>
-        <listitem>
-          <para>This will mount the kernel view of the devices on /dev
-          upon switching to root filesystem just before starting
-          init.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><parameter>Framebuffer Console support</parameter></term>
-        <listitem>
-          <para>This is needed to display the Linux console on a frame
-          buffer device.  To allow the kernel to print debug messages at an
-          early boot stage, it shouldn't be built as a kernel module
-          unless an initramfs will be used. And, if
-          <option>CONFIG_DRM</option> (Direct Rendering Manager) is enabled,
-          it's likely <option>CONFIG_DRM_FBDEV_EMULATION</option> (Enable
-          legacy fbdev support for your modesetting driver) should be
-          enabled as well.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><parameter>Support x2apic</parameter></term>
-        <listitem>
-          <para>Support running the interrupt controller of 64-bit x86
-          processors in x2APIC mode.  x2APIC may be enabled by firmware on
-          64-bit x86 systems, and a kernel without this option enabled will
-          panic on boot if x2APIC is enabled by firmware.  This option has
-          has no effect, but also does no harm if x2APIC is disabled by the
-          firmware.</para>
-        </listitem>
-      </varlistentry>
-
-    </variablelist>
-
-    <para>Alternatively, <command>make oldconfig</command> may be more
-    appropriate in some situations. See the <filename>README</filename>
-    file for more information.</para>
-
-    <para>If desired, skip kernel configuration by copying the kernel
-    config file, <filename>.config</filename>, from the host system
-    (assuming it is available) to the unpacked <filename
-    class="directory">linux-&linux-version;</filename> directory. However,
-    we do not recommend this option. It is often better to explore all the
-    configuration menus and create the kernel configuration from
-    scratch.</para>
 
     <para>Compile the kernel image and modules:</para>