User:Pietinger/Tutorials/Manual Configuring Kernel Version 6.1

Manual Configuring Kernel Version 6.1
Please read User:Pietinger/Tutorials/Manual_kernel_configuration before you start here. Only our Gentoo default sources will be used.

I am not happy with the default configuration we get after we have just emerged gentoo-sources (or after a "make defconfig"). Why? Today everything must be "user-friendly", and therefore many options are enabled by default which are not necessary. The best example: all options for both an Intel CPU and an AMD CPU are enabled ... but you can have only one of them in your machine ;-)

On the other hand, some options which you MUST HAVE to be able to boot your machine are not enabled by default. In this article I will describe a complete TOUR through your kernel configuration in three parts.

First we change some options so that we can reach all the options we need. Then we disable everything we really don't need. In part 3 we enable everything we MUST HAVE; there I will also give you a list of links you will need for the specific components in your computer.

Part 1 - Main Menu
If you have never done a make menuconfig it can be confusing what to do and where to start. Let me say some general words about the main menu. But first we start with one important setting. Enable this:

Sometimes our kernel configuration is funny. In the next step we must disable something depending on whether we have an AMD or an Intel CPU. If you have an Intel CPU you might be surprised that you cannot disable AMD ... Go into:

You will get this menu:

The funny thing is, you must first disable "Hygon processors" to be able to disable "AMD processors". Of course you will not disable it if you have an AMD CPU. When you are finished here, only one option is enabled. This step is important so that you can disable some options later which you don't need (e.g. Intel P-State).

The last line, Gentoo Linux --->, exists only in our gentoo-sources. If you have other sources (e.g. vanilla) this option is missing. If you are using OpenRC as your init system you have nothing to do here. If you are using systemd you must enable one option, which is usually already enabled by your systemd stage3. So here we only check that it is correct:

In the second-to-last option, Kernel hacking --->, you really should only change something when following specific instructions; for the moment we don't care about it. You will also never need Library routines ---> because all necessary modules there will be selected (= enabled) automatically by other options, with one exception: here you can change the selected font. At the moment you are not able to do this because one other option is not enabled. If you press in this menu you can see that this is disabled at the moment:

Now look at the help of this option and you will see why it is not possible:

Depends on: FONT_SUPPORT [=y] && (FRAMEBUFFER_CONSOLE [=n] || STI_CONSOLE [=n])

Now press again and exit this menu. Yes, we really need FRAMEBUFFER_CONSOLE (it is a MUST HAVE), and we do this in part 3.

The same is true for Cryptographic API --->. Usually all necessary modules there will be selected automatically. At the moment many options are enabled because some other options are still enabled (e.g. WLAN). If we disable some of those in the next part, we automatically disable some here as well. In part 3 I will explain what you really need here.

One option in the main menu you should think about at the very end, when everything else is done: [*] Enable loadable module support ---> Why? I highly recommend configuring all necessary modules statically into the kernel, because you will always need your ethernet and graphics modules anyway ... If we do this, then we don't need loadable module support anymore and can disable it ... and we now have a monolithic kernel. Why do we want this? Because it is more secure. KSPP also recommends disabling module support or working with signed modules. But for the moment we don't change it; you can think about it later.

Part 2 - Slim kernel
First of all we disable everything we don't need. Some of these settings are also recommended by KSPP. Some others we disable because we have either an Intel or an AMD CPU. Finally we disable some options only if we don't use them. If you already know you will use WLAN then, of course, you will not disable it.

Now we take a short break ... Next we want to disable a very silly default option. For this we first have to change another one. It is highly recommended to do this because of its ... BIG ... performance impact:

Before we get to the driver section, we clean out SELinux and integrity. Leave "Enable different security models" enabled ... you will need it later for KSPP.

Now we have a big task in our driver section:

Finally we can disable some options for our network stack before we switch to part 3. If your machine is in a modern network environment with high-end switches and enterprise routers, you surely know what you need for fancy things like QoS (Quality of Service) and you will not disable it. If you don't know what it is and your machine is only connected to your DSL modem, you can disable all of this without fear ... if necessary you can enable it again later ;-)

If you want to configure a firewall with iptables or nftables I recommend the following: enable ALL options in this submenu as module (<M>). Later you will build your firewall; when that is finished, check with "lsmod" which modules you really need for your firewall configuration. After that you can enable all needed modules statically (if you want) and disable all the others you don't need. If you don't want a firewall (which I don't recommend) then you can disable the complete submenu.
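To make the lsmod step concrete, here is an added shell helper (my addition, not from the original page) that maps the netfilter modules reported by lsmod to the CONFIG_ symbols that build them, by reading the kernel's own Makefiles. It assumes the kernel source lives under /usr/src/linux and that a module's .ko name equals its .o target in the Makefile.

```sh
#!/bin/sh
# Added example, not part of the wiki page: map the netfilter modules listed
# by `lsmod` to the CONFIG_ symbol that builds each one. The kernel Makefiles
# contain lines like "obj-$(CONFIG_NFT_CT) += nft_ct.o", so the symbol can be
# looked up from the module name. A module reported as UNKNOWN is not a
# netfilter module (or is built from a differently named target).
# Usage: lsmod | netfilter_symbols [/usr/src/linux]
#
# Assumption: a module's .ko name equals its .o target in the Makefile (this
# holds for the netfilter modules). lsmod prints '-' as '_', so both are tried.

netfilter_symbols() {
    src="${1:-/usr/src/linux}"
    # First column only, skipping lsmod's "Module Size Used by" header line.
    awk 'NR > 1 { print $1 }' |
    while read -r mod; do
        alt=$(printf '%s' "$mod" | tr '_' '-')
        sym=$(grep -rhoE "obj-\\\$\\(CONFIG_[A-Z0-9_]+\\)[[:space:]]*\\+=[^#]*\\b(${mod}|${alt})\\.o\\b" \
                   "$src/net/netfilter" "$src/net/ipv4/netfilter" "$src/net/ipv6/netfilter" 2>/dev/null |
              sed -E 's/^obj-\$\((CONFIG_[A-Z0-9_]+)\).*/\1/' | head -n 1)
        printf '%s\t%s\n' "$mod" "${sym:-UNKNOWN}"
    done
}

# Run directly: lsmod | sh this_script.sh --run [/usr/src/linux]
if [ "${1:-}" = "--run" ]; then
    netfilter_symbols "${2:-/usr/src/linux}"
fi
```

The output is one "module<TAB>CONFIG_SYMBOL" line per loaded module; switch each listed symbol from <M> to <*> in menuconfig and disable the rest of the submenu.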

After all this is done you can now go into every submenu of Cryptographic API ---> and disable every module which is not hard-enabled with -*- (we will enable something in part 4).

Before we switch to part 3 we take care of two main menus:

32-bit support
KSPP recommends disabling 32-bit support. But you can do this only if you have a no-multilib system.

Virtualization
If you don't use it, also disable:

Part 3 - Must Haves
... no discussion ... just do it ;-) Enable all of these statically (<*>) in your kernel!

Are we now ready to boot this kernel? Maybe ... maybe not. It depends:

1. Which filesystem does your root partition use? If it is EXT4 you are fine; this is enabled by default. If you use another one then you must go back into File systems ---> and enable it (statically).

2. If you have an NVMe or a special hard disk controller you must enable it as well. Look again at your output of lspci -k and check whether there is an unknown module. Search for it with. If the kernel is missing a module it needs to find its root partition, you will get a kernel panic and the kernel cannot boot. For example: if you find a module named "vmd" you must enable it as well:

(this was a problem here: https://forums.gentoo.org/viewtopic-t-1156306-highlight-.html )
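To do the lspci -k check systematically, here is an added shell helper (my addition, not from the original page) that lists every PCI device without a bound driver together with the module lspci suggests for it; the sample lspci output it carries is constructed, with placeholder vendor names.

```sh
#!/bin/sh
# Added example, not part of the wiki page: list the PCI devices in `lspci -k`
# output that have no "Kernel driver in use:" line. For each one the "Kernel
# modules:" hint (if lspci knows one) tells you which driver to search for in
# menuconfig and enable statically before you reboot into the new kernel.
# Usage: lspci -k | find_undriven_devices

find_undriven_devices() {
    awk '
        # A device record starts in column 0 ("00:0e.0 Class: Name"); the
        # driver/module lines that belong to it are indented (tab or spaces).
        function report() {
            if (dev == "" || driven) return
            if (mods != "") print dev "  -> kernel modules: " mods
            else print dev "  -> no driver known to lspci"
        }
        /^[0-9a-f]+:[0-9a-f]+\.[0-9a-f]/ { report(); dev = $0; driven = 0; mods = "" }
        /^[[:space:]]+Kernel driver in use:/ { driven = 1 }
        /^[[:space:]]+Kernel modules:/ {
            sub(/^[[:space:]]+Kernel modules:[[:space:]]*/, ""); mods = $0
        }
        END { report() }
    '
}

# Constructed sample `lspci -k` output (vendor/device names are placeholders,
# not from a real machine): the VMD controller and the NVMe SSD have a known
# module but no driver bound, which is exactly the case the text warns about,
# a driver the kernel needs to reach its root partition that is not built in.
SAMPLE_LSPCI='00:00.0 Host bridge: Example Vendor Host Bridge
        Kernel driver in use: example_uncore
00:0e.0 RAID bus controller: Example Vendor Volume Management Device NVMe RAID Controller
        Kernel modules: vmd
01:00.0 Non-Volatile memory controller: Example Vendor NVMe SSD Controller
        Kernel modules: nvme
02:00.0 Ethernet controller: Example Vendor Gigabit Ethernet
        Kernel driver in use: e1000e
        Kernel modules: e1000e'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LSPCI" | find_undriven_devices
fi
```

Run it against the live output of the currently booted kernel (lspci -k | sh this_script.sh, or source it and call the function); every device it prints needs its module enabled as <*> before the new kernel can find your disk.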

To be on the safe side, read these links and double-check that you have enabled everything your kernel needs to access your hard disk:
 * SATA HD or SATA SSD: HDD and/or
 * NVMe: NVMe or
 * Old IDE or PATA: Kernel/Gentoo_Kernel_Configuration_Guide

Part 4 - My recommendations
1. Additional settings:

2. I highly recommend adding the microcode for your CPU. Read (and do) this:
 * INTEL: [] or
 * AMD: AMD_microcode

3. If you have a USB-C port and you search with for the module thunderbolt, you will find only "INTEL_WMI_THUNDERBOLT". But this is the wrong driver; instead you will need:

Enable only this option; don't enable the write-via-debugfs option in this submenu! Maybe you want to read this: https://docs.kernel.org/admin-guide/thunderbolt.html

4. If you have a 4K monitor and your font is too small, you can NOW (see part 1) change it with:

5. Harden your kernel: User:Pietinger/Tutorials/Kernel_Hardening_with_KSPP !! (We have already done all the disabling it requires.)

6. After your first boot with this kernel configuration you can check which HID drivers you use with:

Now you can disable all the others you don't need in this submenu:

7. Now go back to User:Pietinger/Tutorials/Manual_kernel_configuration and check all the other links, e.g. for your sound ;-)