手册:片段/安装/内核/Dist-Kernel

From Gentoo Wiki
Jump to:navigation Jump to:search
This page is a translated version of the page Handbook:Parts/Installation/Kernel/Dist-Kernel and the translation is 44% complete.
Outdated translations are marked like this.
Other languages:

distribution 内核

Distribution 内核是涵盖了解包、配置、编译和安装内核完整过程的 ebuild。这种方法的主要优点是,内核可以作为 @world 的一部分通过包管理器升级到新版本。只需要运行 emerge 命令即可。Distribution 内核默认支持大多数硬件,但是有两种定制的机制:savedconfig 和 config snippets。查看项目页面获取更多配置细节。

安装 distribution 内核

Before installing the kernel package the dracut USE flag needs to be added for the package sys-kernel/installkernel in /etc/portage/package.use:

文件 /etc/portage/package.use/installkernelEnable dracut support
sys-kernel/installkernel dracut

Users may also wish to enable additional sys-kernel/installkernel USE flags at this stage. See the Installation/Kernel#Installkernel section for details.

如果用 Gentoo 补丁从源码构建一个内核 ,输入:

root #emerge --ask sys-kernel/gentoo-kernel

想要避免编译本地内核源代码的系统管理员可以使用预编译的内核镜像:

root #emerge --ask sys-kernel/gentoo-kernel-bin
Optional: Signed kernel modules

The kernel modules in the prebuilt distribution kernel (sys-kernel/gentoo-kernel-bin) are already signed. To sign the modules of kernels built from source enable the modules-sign USE flag, and optionally specify which key to use for signing in /etc/portage/make.conf:

文件 /etc/portage/make.confEnable module signing
USE="modules-sign"
</div>

<div lang="en" dir="ltr" class="mw-content-ltr">
# Optionally, to use custom signing keys.
MODULES_SIGN_KEY="/path/to/kernel_key.pem"
MODULES_SIGN_CERT="/path/to/kernel_key.pem" # Only required if the MODULES_SIGN_KEY does not also contain the certificate.
MODULES_SIGN_HASH="sha512" # Defaults to sha512.

If MODULES_SIGN_KEY is not specified the kernel build system will generate a key, it will be stored in /usr/src/linux-x.y.z/certs. It is recommended to manually generate a key to ensure that it will be the same for each kernel release. A key may be generated with:

root #openssl req -new -nodes -utf8 -sha256 -x509 -outform PEM -out kernel_key.pem -keyout kernel_key.pem
附注
The MODULES_SIGN_KEY and MODULES_SIGN_CERT may be different files. For this example the pem file generated by OpenSSL includes both the key and the accompanying certificate, and thus both variables are set to the same value.

OpenSSL will ask some questions about the user generating the key, it is recommended to fill in these questions as detailed as possible.

Store the key in a safe location, at the very least the key should be readable only by the root user. Verify this with:

root #ls -l kernel_key.pem
 -r-------- 1 root root 3164 Jan  4 10:38 kernel_key.pem 

If this outputs anything other then the above, correct the permissions with:

root #chown root:root kernel_key.pem
root #chmod 400 kernel_key.pem
Optional: Signing the kernel image (Secure Boot)

The kernel image in the prebuilt distribution kernel (sys-kernel/gentoo-kernel-bin) is already signed for use with Secure Boot. To sign the kernel image of kernels built from source enable the secureboot USE flag, and optionally specify which key to use for signing in /etc/portage/make.conf. Note that signing the kernel image for use with secureboot requires that the kernel modules are also signed, the same key may be used to sign both the kernel image and the kernel modules:

文件 /etc/portage/make.confEnable custom signing keys
USE="modules-sign secureboot"
</div>

<div lang="en" dir="ltr" class="mw-content-ltr">
# Optionally, to use custom signing keys.
MODULES_SIGN_KEY="/path/to/kernel_key.pem"
MODULES_SIGN_CERT="/path/to/kernel_key.pem" # Only required if the MODULES_SIGN_KEY does not also contain the certificate.
MODULES_SIGN_HASH="sha512" # Defaults to sha512.
</div>

<div lang="en" dir="ltr" class="mw-content-ltr">
# Optionally, to boot with secureboot enabled, may be the same or different signing key.
SECUREBOOT_SIGN_KEY="/path/to/kernel_key.pem"
SECUREBOOT_SIGN_CERT="/path/to/kernel_key.pem"
附注
The SECUREBOOT_SIGN_KEY and SECUREBOOT_SIGN_CERT may be different files. For this example the pem file generated by OpenSSL includes both the key and the accompanying certificate, and thus both variables are set to the same value.
附注
For this example the same key that was generated to sign the modules is used to sign the kernel image. It is also possible to generate and use a second separate key for signing the kernel image. The same OpenSSL command as in the previous section may be used again.

See the above section for instructions on generating a new key, the steps may be repeated if a separate key should be used to sign the kernel image.

To successfully boot with Secure Boot enabled, the used bootloader must also be signed and the certificate must be accepted by the UEFI firmware or Shim. This will be explained later in the handbook.

更新和清理

内核安装后,包管理器将自动更新到新版本。包管理器清理旧的软件包之前,将保留以前的版本。如果要回收磁盘空间,可以定期运行 emerge 加 --depclean 选项清理过时的软件包:

root #emerge --depclean

或者,专门清理旧版本的内核:

root #emerge --prune sys-kernel/gentoo-kernel sys-kernel/gentoo-kernel-bin

安装后/更新任务

Distribution kernels are capable of rebuilding kernel modules installed by other packages. Portage provides a hook with dist-kernel USE flag which is part of linux-mod-r1.eclass and controls a subslot dependency on virtual/dist-kernel.

在像 sys-fs/zfssys-fs/zfs-kmod 这样的软件包上启用 USE 标记后,将允许它们自动根据最新更新的内核重新编译,如果合适的话,还会相应地重新生成 initramfs!

手动重建 initramfs

需要的话, 可以手动重建 initramfs,内核更新后,执行:

root #emerge --ask @module-rebuild

如果任何内核模块(例如 ZFS)需要提前启动,需要之后通过下面命令重建 initramfs:

root #emerge --config sys-kernel/gentoo-kernel
root #emerge --config sys-kernel/gentoo-kernel-bin