Changeset 8dfb4e04

03/10/2023 03:04:05 AM (3 months ago)
Xi Ruoyao <xry111@…>

kernel: Provide a minimal base configuration for mainstream x86

1 edited


  • chapter10/kernel.xml

    r74d4d5e r8dfb4e04  
    9797    <ulink url=""/> </para>
    99     <caution>
    100       <para>A good starting place for setting up the kernel configuration is to
    101       run <command>make defconfig</command>. This will set the base
    102       configuration to a good state that takes your current system architecture
    103       into account.</para>
    105       <para>Do not disable any option enabled by <command>make
    106       defconfig</command> unless the following note explicitly makes it
    107       disabled or you really know what you are doing.</para>
    108     </caution>
     99    <para>
     100      Set up a minimal base configuration:
     101    </para>
     103    <screen role="nodump"><userinput>cat &gt; lfs.config &lt;&lt; EOF<literal>
     104# Many packages expect SysV IPC or POSIX message queue
     108# Mainstream x86 system contains multiple CPU cores.  This is needed to use
     109# all the cores.
     112# Many packages expect the basic network functionality is available, even
     113# if the system has no NIC at all.
     120# Mainstream x86 system use PCIe as the system bus for peripherals.
     124# Enable devtmpfs which is necessary for udev, and mount it at early boot
     125# stage so we don't need to create static device nodes in /dev.
     129# LFS uses ext4 file system.  Don't set it to m or you'll need an initramfs.
     130# Also Enable Access Control List feature needed by the Acl package.
     134# Allow to execute ELF executables and scripts.  All executables in a LFS
     135# system are either ELF or a script.
     139# Allow to use framebuffer console if your BIOS provides a framebuffer.
     140# Otherwise the VGA console (forced to y with CONFIG_EXPERT=n) can be used
     141# as a fallback.  Some of them can be set to m, but doing so may cause debug
     142# difficulties in case the boot fails before loading modules.
     149# Enable NVME disk and disk controller support, SATA disk support, and AHCI
     150# SATA controller support.  They should be enough for accessing the disk
     151# for a mainstream x86 system.  Do not set them to m, or an initramfs will
     152# be needed for boot.
     159# Enable kernel modules.  If you think it's not necessary, you can omit it
     160# and change all "m" below to "y".
     163# Enable PS/2 and USB keyboards, and the USB controllers on mainstream x86
     164# systems.
     178# Enable ASLR and SSP for the kernel.  We've already protected the entire
     179# userspace with them (via --enable-default-{pie,ssp} in GCC configuration)
     180# so it does not make too much sense to leave the kernel alone.
     186# Enable ACPI or the system will not shutdown or reboot correctly.
     189# Enable CMOS RTC shipped in mainstream x86 systems, so the system time
     190# will be correct once LFS is boot.
     195# Not strictly needed, but it seems a nice optimization.
     200    <para>
     201      Now enable some additional settings depending on if you are building
     202      a 32-bit or 64-bit system:
     203    </para>
     205<screen role='nodump'><userinput>if [ $(uname -m) = x86_64 ]; then
     206        cat &gt;&gt; lfs.config &lt;&lt; EOF<literal>
     207# Enable building a 64-bit kernel.
     210# Enable x2apic which is recommended by Intel on supported systems.
     211# It also prevents a kernel panic when the BIOS forcefully enables x2apic.
     219        cat &gt;&gt; lfs.config &lt;&lt; EOF<literal>
     220# Enable using more than 4GB memory because mainstream x86 systems often
     221# contains more.
     224# Enable the system calls with 32-bit time_t.  This is necessary until the
     225# year 2037 problem solved in all packages.
     231    <para revision='systemd'>
     232      Enable some features needed by Systemd:
     233    </para>
     235    <screen role="nodump" revision="systemd"><userinput>cat &gt;&gt; lfs.config &lt;&lt;EOF<literal>
     249    <para>
     250      Now create the <filename>.config</filename> file with our settings
     251      in <filename>lfs.config</filename>, but other options disabled:
     252    </para>
     254<screen role="nodump"><userinput>KCONFIG_ALLCONFIG=lfs.config make allnoconfig</userinput></screen>
     256    <para>
     257      Check if our settings are set correctly:
     258    </para>
     260<screen role="nodump"><userinput>for i in $(sed '/^#/d' lfs.config); do
     261  grep $i .config -q || echo "$i is not set correctly"
     264    <para>
     265      Enable mitigations against hardware vulnerabilities in mainstream x86
     266      systems.  Even if you want to disable them (only do so if you know
     267      what you are doing), it would be better to use
     268      <option>mitigations=off</option> in the kernel command line instead of
     269      disabling them at build time:
     270    </para>
     272<screen role="nodump"><userinput>echo "CONFIG_SPECULATION_MITIGATIONS=y" >> .config
     273make olddefconfig</userinput></screen>
    110275    <note>
    111       <para>Be sure to enable/disable/set the following features or the system might
    112       not work correctly or boot at all:</para>
    114       <screen role="nodump" revision="sysv">Processor type and features ---&gt;
    115    [*] Build a relocatable kernel [CONFIG_RELOCATABLE]
    116    [*]   Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE]
    117 General setup ---&gt;
    118    [ ] Compile the kernel with warnings as errors [CONFIG_WERROR]
    119    &lt; &gt; Enable kernel headers through /sys/kernel/kheaders.tar.xz [CONFIG_IKHEADERS]
    120    [ ] Configure standard kernel features (expert users) [CONFIG_EXPERT]
    121 General architecture-dependent options  ---&gt;
    122    [*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR]
    123    [*]   Strong Stack Protector [CONFIG_STACKPROTECTOR_STRONG]
    124 Device Drivers  ---&gt;
    125   Graphics support ---&gt;
    126    Frame buffer Devices ---&gt;
    127       &lt;*&gt; Support for frame buffer devices ---&gt;
    128    Console display driver support ---&gt;
    129       [*] Framebuffer Console support [CONFIG_FRAMEBUFFER_CONSOLE]
    130   Generic Driver Options  ---&gt;
    131    [ ] Support for uevent helper [CONFIG_UEVENT_HELPER]
    132    [*] Maintain a devtmpfs filesystem to mount at /dev [CONFIG_DEVTMPFS]
    133    [*]   Automount devtmpfs at /dev, after the kernel mounted the rootfs [CONFIG_DEVTMPFS_MOUNT]</screen>
    135       <screen role="nodump" revision="systemd">Processor type and features ---&gt;
    136    [*] Build a relocatable kernel [CONFIG_RELOCATABLE]
    137    [*]   Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE]
    138 General setup ---&gt;
    139    [ ] Compile the kernel with warnings as errors [CONFIG_WERROR]
    140    [ ] Auditing Support [CONFIG_AUDIT]
    141    CPU/Task time and stats accounting ---&gt;
    142       [*] Pressure stall information tracking [CONFIG_PSI]
    143    &lt; &gt; Enable kernel headers through /sys/kernel/kheaders.tar.xz [CONFIG_IKHEADERS]
    144    [*] Control Group support [CONFIG_CGROUPS]   ---&gt;
    145       [*] Memory controller [CONFIG_MEMCG]
    146    [ ] Enable deprecated sysfs features to support old userspace tools [CONFIG_SYSFS_DEPRECATED]
    147    [ ] Configure standard kernel features (expert users) [CONFIG_EXPERT]
    148 General architecture-dependent options  ---&gt;
    149    [*] Enable seccomp to safely compute untrusted bytecode [CONFIG_SECCOMP]
    150    [*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR]
    151    [*]   Strong Stack Protector [CONFIG_STACKPROTECTOR_STRONG]
    152 Networking support  ---&gt;
    153   Networking options  ---&gt;
    154    &lt;*&gt; The IPv6 protocol [CONFIG_IPV6]
    155 Device Drivers  ---&gt;
    156   Generic Driver Options  ---&gt;
    157    [ ] Support for uevent helper [CONFIG_UEVENT_HELPER]
    158    [*] Maintain a devtmpfs filesystem to mount at /dev [CONFIG_DEVTMPFS]
    159    [*]   Automount devtmpfs at /dev, after the kernel mounted the rootfs [CONFIG_DEVTMPFS_MOUNT]
    160    Firmware Loader ---&gt;
    161       [ ] Enable the firmware sysfs fallback mechanism [CONFIG_FW_LOADER_USER_HELPER]
    162   Firmware Drivers   ---&gt;
    163    [*] Export DMI identification via sysfs to userspace [CONFIG_DMIID]
    164   Graphics support ---&gt;
    165    Frame buffer Devices ---&gt;
    166       &lt;*&gt; Support for frame buffer devices ---&gt;
    167    Console display driver support ---&gt;
    168       [*] Framebuffer Console support [CONFIG_FRAMEBUFFER_CONSOLE]
    169 File systems  ---&gt;
    170    [*] Inotify support for userspace [CONFIG_INOTIFY_USER]
    171        Pseudo filesystems  ---&gt;
    172         [*] Tmpfs POSIX Access Control Lists [CONFIG_TMPFS_POSIX_ACL]</screen>
    174       <para>Enable some additional features if you are building a 64-bit
    175       system.  If you are using menuconfig, enable them in the order of
    176       <parameter>CONFIG_PCI_MSI</parameter> first, then
    177       <parameter>CONFIG_IRQ_REMAP</parameter>, at last
    178       <parameter>CONFIG_X86_X2APIC</parameter> because an option only
    179       shows up after its dependencies are selected.</para>
    181       <screen role="nodump">Processor type and features ---&gt;
    182   [*] Support x2apic [CONFIG_X86_X2APIC]
    183 Device Drivers ---&gt;
    184   [*] PCI Support ---&gt; [CONFIG_PCI]
    185     [*] Message Signaled Interrupts (MSI and MSI-X) [CONFIG_PCI_MSI]
    186   [*] IOMMU Hardware Support ---&gt; [CONFIG_IOMMU_SUPPORT]
    187     [*] Support for Interrupt Remapping [CONFIG_IRQ_REMAP]</screen>
     276      <para>
     277        In the instructions above, a <quote>mainstream x86 system</quote>
     278        means a x86 system manufactured in 2010 or more recent.  All these
     279        systems should have 64-bit capability (though still compatible with
     280        32-bit distros).
     281      </para>
     283      <para>
     284        If your system is older, it may contain a non-AHCI ATA controller.
     285        Then you need to set <option>CONFIG_ATA_SFF=y</option>,
     286        <option>CONFIG_ATA_BMDMA=y</option>, and a suitable driver for the
     287        ATA controller (for example, <option>CONFIG_ATA_PIIX=y</option>
     288        for old Intel chipsets and QEMU virtual machines).
     289      </para>
     291      <para>
     292        If your system is older and it contains 4GB or smaller RAM, and you
     293        are building a 32-bit LFS system, remove
     294        <parameter>CONFIG_HIGHMEM64G=y</parameter> or the kernel may fail
     295        to boot.
     296      </para>
    188297    </note>
    190     <note revision="systemd">
    191       <para>While "The IPv6 Protocol" is not strictly
    192       required, it is highly recommended by the systemd developers.</para>
     299    <para>
     300      The instructions above has created a minimal configuration enough
     301      for booting LFS on a mainstream x86 system with a functional Linux
     302      console.  For other peripherals (NICs, mice, etc.), it's obviously
     303      impossible to cover all the drivers for them here.  And there are also
     304      other configuation options you may want to tweak.  Now you should run
     305      <command>make menuconfig</command> to invoke a menu-driven
     306      configuration interface and manually adapt the configuration for your
     307      need, or run <command>make localmodconfig</command> to enable all
     308      configuration options for kernel modules already loaded by the host
     309      distro (they should likely cover the drivers for the peripherals
     310      already connected onto the system).  Some examples of kernel
     311      configurations (for the systems of LFS editors) can be viewed at
     312      <ulink url='about:blank'>TODO</ulink>.
     313    </para>
     315    <note>
     316      <para>
     317        Do not set <option>CONFIG_WERROR=y</option> or
     318        <option>CONFIG_IKHEADERS=y</option>, or the kernel may fail to
     319        build.  Do not set <option>CONFIG_SYSFS_DEPRECATED=y</option>,
     320        <option>CONFIG_UEVENT_HELPER=y</option>, or
     321        <option>CONFIG_FW_LOADER_USER_HELPER=y</option>, or the system may
     322        fail to boot.  Do not set <option>CONFIG_EXPERT=y</option>
     323        unless you really know what you are doing.
     324      </para>
    193325    </note>
    195     <para revision="sysv">There are several other options that may be desired
    196     depending on the requirements for the system. For a list of options needed
    197     for BLFS packages, see the <ulink
    198     url="&lfs-root;blfs/view/&short-version;/longindex.html#kernel-config-index">BLFS
    199     Index of Kernel Settings</ulink>
    200     (&lfs-root;blfs/view/&short-version;/longindex.html#kernel-config-index).</para>
    202     <note>
    203       <para>If your host hardware is using UEFI and you wish to boot the
    204       LFS system with it, you should adjust some kernel configuration
    205       following <ulink url="&blfs-book;postlfs/grub-setup.html#uefi-kernel">
    206       the BLFS page</ulink>.</para>
    207     </note>
    209     <variablelist>
    210       <title>The rationale for the above configuration items:</title>
    212       <varlistentry>
    213         <term><parameter>Randomize the address of the kernel image (KASLR)</parameter></term>
    214         <listitem>
    215           <para>Enable ASLR for kernel image, to mitigate some attacks based
    216           on fixed addresses of sensitive data or code in the kernel.</para>
    217         </listitem>
    218       </varlistentry>
    220       <varlistentry>
    221         <term>
    222           <parameter>
    223             Compile the kernel with warnings as errors
    224           </parameter>
    225         </term>
    226         <listitem>
    227           <para>This may cause building failure if the compiler and/or
    228           configuration are different from those of the kernel
    229           developers.</para>
    230         </listitem>
    231       </varlistentry>
    233       <varlistentry>
    234         <term>
    235           <parameter>
    236             Enable kernel headers through /sys/kernel/kheaders.tar.xz
    237           </parameter>
    238         </term>
    239         <listitem>
    240           <para>This will require <command>cpio</command> building the kernel.
    241           <command>cpio</command> is not installed by LFS.</para>
    242         </listitem>
    243       </varlistentry>
    245       <varlistentry>
    246         <term>
    247           <parameter>
    248             Configure standard kernel features (expert users)
    249           </parameter>
    250         </term>
    251         <listitem>
    252           <para>This will make some options show up in the configuration
    253           interface but changing those options may be dangerous.  Do not use
    254           this unless you know what you are doing.</para>
    255         </listitem>
    256       </varlistentry>
    258       <varlistentry>
    259         <term><parameter>Strong Stack Protector</parameter></term>
    260         <listitem>
    261           <para>Enable SSP for the kernel.  We've enabled it for the entire
    262           userspace with <parameter>--enable-default-ssp</parameter>
    263           configuring GCC, but the kernel does not use GCC default setting
    264           for SSP.  We enable it explicitly here.</para>
    265         </listitem>
    266       </varlistentry>
    268       <varlistentry>
    269         <term><parameter>Support for uevent helper</parameter></term>
    270         <listitem>
    271           <para>Having this option set may interfere with device
    272           management when using Udev/Eudev. </para>
    273         </listitem>
    274       </varlistentry>
    276       <varlistentry>
    277         <term><parameter>Maintain a devtmpfs</parameter></term>
    278         <listitem>
    279           <para>This will create automated device nodes which are populated by the
    280           kernel, even without Udev running.  Udev then runs on top of this,
    281           managing permissions and adding symlinks.  This configuration
    282           item is required for all users of Udev/Eudev.</para>
    283         </listitem>
    284       </varlistentry>
    286       <varlistentry>
    287         <term><parameter>Automount devtmpfs at /dev</parameter></term>
    288         <listitem>
    289           <para>This will mount the kernel view of the devices on /dev
    290           upon switching to root filesystem just before starting
    291           init.</para>
    292         </listitem>
    293       </varlistentry>
    295       <varlistentry>
    296         <term><parameter>Framebuffer Console support</parameter></term>
    297         <listitem>
    298           <para>This is needed to display the Linux console on a frame
    299           buffer device.  To allow the kernel to print debug messages at an
    300           early boot stage, it shouldn't be built as a kernel module
    301           unless an initramfs will be used. And, if
    302           <option>CONFIG_DRM</option> (Direct Rendering Manager) is enabled,
    303           it's likely <option>CONFIG_DRM_FBDEV_EMULATION</option> (Enable
    304           legacy fbdev support for your modesetting driver) should be
    305           enabled as well.</para>
    306         </listitem>
    307       </varlistentry>
    309       <varlistentry>
    310         <term><parameter>Support x2apic</parameter></term>
    311         <listitem>
    312           <para>Support running the interrupt controller of 64-bit x86
    313           processors in x2APIC mode.  x2APIC may be enabled by firmware on
    314           64-bit x86 systems, and a kernel without this option enabled will
    315           panic on boot if x2APIC is enabled by firmware.  This option has
    316           has no effect, but also does no harm if x2APIC is disabled by the
    317           firmware.</para>
    318         </listitem>
    319       </varlistentry>
    321     </variablelist>
    323     <para>Alternatively, <command>make oldconfig</command> may be more
    324     appropriate in some situations. See the <filename>README</filename>
    325     file for more information.</para>
    327     <para>If desired, skip kernel configuration by copying the kernel
    328     config file, <filename>.config</filename>, from the host system
    329     (assuming it is available) to the unpacked <filename
    330     class="directory">linux-&linux-version;</filename> directory. However,
    331     we do not recommend this option. It is often better to explore all the
    332     configuration menus and create the kernel configuration from
    333     scratch.</para>
    335327    <para>Compile the kernel image and modules:</para>
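
Review bot: The verification loop at new lines 260-261 can pass for a setting that was never applied, because `grep $i .config -q` leaves `$i` unquoted and matches it as an unanchored pattern, so an entry of the form CONFIG_FOO=y is also satisfied by a longer symbol whose name ends in _FOO. Suggest a fixed-string, whole-line match such as `grep -qxF "$i" .config`. The check also runs before `CONFIG_SPECULATION_MITIGATIONS=y` is appended and `make olddefconfig` is run (new lines 272-273), so nothing confirms that the mitigation option is present or that the earlier settings survive that step; repeating the check after olddefconfig would close that gap. The closing paragraph at new lines 300-312 still carries a placeholder link (url 'about:blank' with the text TODO) that should be resolved or dropped before this is published. It also has two typos: "The instructions above has created" should read "have created", and "configuation" should read "configuration".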