Translations:Handbook:Parts/Full/Installation/8/fr
Optional: Installing firmware
Microcode
Linux Firmware
On many systems, non-FOSS firmware is required for certain hardware to function. The sys-kernel/linux-firmware package contains firmware for many, but not all, devices.
Most wireless cards and GPUs require firmware to function.
root #
emerge --ask sys-kernel/linux-firmware
Installing certain firmware often requires accepting the associated license. If necessary, visit the license handling section of the handbook for help with licenses.
Firmware Loading
Firmware files are typically loaded when the associated kernel module is loaded. This means that if a kernel module is set to Y (built in) instead of M, its firmware must be built into the kernel using CONFIG_EXTRA_FIRMWARE. In most cases, building in a module which requires firmware can complicate or break firmware loading.
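Before building in a module that needs firmware, it helps to know exactly which files it references and whether they are present under /lib/firmware, since each of them will have to be named in CONFIG_EXTRA_FIRMWARE. The following POSIX shell functions are an added example and not part of the handbook; on a live system the firmware names come from `modinfo -F firmware <module>`, and the function names (missing_firmware, module_firmware_status, extra_firmware_line) are my own. The handling of .xz/.zst copies assumes the kernel was built with CONFIG_FW_LOADER_COMPRESS.

```shell
#!/bin/sh
# Added example, not part of the Gentoo Handbook: report firmware files that a
# kernel module references but that are absent from the firmware tree. On a
# real system the names come from "modinfo -F firmware <module>"; any data
# fed to these functions in a test is constructed.

# missing_firmware FWDIR < names
#   Reads one firmware path per line and prints each that exists neither as a
#   plain file under FWDIR nor as a compressed copy (.xz or .zst). The kernel
#   accepts compressed firmware only when built with CONFIG_FW_LOADER_COMPRESS
#   (assumption: that option is enabled when compressed files are relied on).
#   Returns 0 when nothing is missing, 1 otherwise.
missing_firmware() {
    fwdir="$1"
    missing=0
    while IFS= read -r fw; do
        [ -n "$fw" ] || continue   # skip blank lines
        if [ -f "$fwdir/$fw" ] || [ -f "$fwdir/$fw.xz" ] || [ -f "$fwdir/$fw.zst" ]; then
            continue
        fi
        printf '%s\n' "$fw"
        missing=$((missing + 1))
    done
    [ "$missing" -eq 0 ]
}

# module_firmware_status MODULE [FWDIR]
#   Runs missing_firmware for one module on a live system (FWDIR defaults to
#   /lib/firmware). Returns 0 when every referenced file is present, 1 when some
#   are missing, 2 when modinfo cannot describe the module.
module_firmware_status() {
    fwdir="${2:-/lib/firmware}"
    names=$(modinfo -F firmware "$1" 2>/dev/null) || return 2
    printf '%s\n' "$names" | missing_firmware "$fwdir"
}

# extra_firmware_line MODULE
#   Prints the space-separated list that CONFIG_EXTRA_FIRMWARE expects for a
#   module, for pasting into the kernel configuration when the module is built
#   in (=y) as this section requires.
extra_firmware_line() {
    modinfo -F firmware "$1" 2>/dev/null | tr '\n' ' ' | sed 's/ $//'
}
```

Run `module_firmware_status <module>` for each module that will be set to Y; a non-zero result lists the files sys-kernel/linux-firmware (or a vendor package) still has to provide, and `extra_firmware_line <module>` gives the value to paste into CONFIG_EXTRA_FIRMWARE once they are in place.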
Architecture specific firmware
Placeholder for architecture-specific firmware information
sys-kernel/installkernel
Installkernel may be used to automate the kernel installation, initramfs generation, unified kernel image generation and/or bootloader configuration among other things. sys-kernel/installkernel implements two paths of achieving this: the traditional installkernel originating from Debian and systemd's kernel-install. Which one to choose depends, among other things, on the system's bootloader. By default, systemd's kernel-install is used on systemd profiles, while the traditional installkernel is the default for other profiles.
Bootloader
Now is the time to think about which bootloader the user wants for the system. If unsure, follow the 'Traditional layout' subsection below.
GRUB
Users of GRUB can use either systemd's kernel-install or the traditional Debian installkernel. The systemd USE flag switches between these implementations. To automatically run grub-mkconfig when installing the kernel, enable the grub USE flag.
/etc/portage/package.use/installkernel
sys-kernel/installkernel grub
root #
emerge --ask sys-kernel/installkernel
Traditional layout, other bootloaders (e.g. (e)lilo, syslinux, etc.)
The traditional /boot layout (for e.g. (e)LILO, syslinux, etc.) is used by default if the grub, systemd-boot, efistub and uki USE flags are not enabled. No further action is required.
Creating an initramfs
An initial RAM-based file system, or initramfs, may be required for a system to boot. A wide variety of cases may necessitate one, but common cases include:
- Kernels where storage/filesystem drivers are modules.
- Layouts with /usr/ or /var/ on separate partitions.
- Encrypted root filesystems.
Distribution kernels are designed to be used with an initramfs, as many storage and filesystem drivers are built as modules.
In addition to mounting the root filesystem, an initramfs may also perform other tasks such as:
- Running fsck, the file system consistency check, to check and repair a file system after an unclean shutdown.
- Providing a recovery environment in the event of late-boot failures.
Installkernel can automatically generate an initramfs when installing the kernel if the dracut or ugrd USE flag is enabled:
/etc/portage/package.use/installkernel
sys-kernel/installkernel dracut
root #
emerge --ask sys-kernel/installkernel
Kernel configuration and compilation
It can be a wise move to use the dist-kernel on the first boot, as it provides a very simple way to rule out system issues and kernel configuration issues. Always having a known working kernel to fall back on speeds up debugging and removes the worry, when updating, that the system will no longer boot.
It is now time to configure and compile the kernel sources. For the installation of a system, three approaches to kernel management will be presented, but a different approach may be used once the installation is complete.
During the installation phase of Gentoo, only one kernel type should be installed i.e. either the sys-kernel/gentoo-kernel-bin or sys-kernel/gentoo-sources.
Ranked from least involved to most involved:
- The kernel is manually configured and built.
- A tool called genkernel is used to automatically configure, build and install the Linux kernel.
The core of any distribution is the Linux kernel. It is the layer between the user's programs and the system's hardware. Although the installation guide offers its users several possible kernel sources, a complete list of sources, with descriptions, is available on the Kernel - Overview page.
Kernel installation tasks such as copying the kernel image to /boot or the EFI System Partition, generating an initramfs and/or Unified Kernel Image, and updating the bootloader configuration can be automated with installkernel. Users may wish to configure and install sys-kernel/installkernel before proceeding. See the Kernel installation section below for more information.
Installing the sources
When installing and compiling the kernel for -based systems, Gentoo recommends the sys-kernel/ package.
Choose the appropriate kernel sources and install them using emerge:
root #
emerge --ask sys-kernel/
This will install the Linux kernel sources in the /usr/src/ directory, in which a symbolic link called linux will point to the installed kernel sources:
It is conventional for a /usr/src/linux symlink to be maintained, such that it refers to whichever sources correspond with the currently running kernel. However, this symbolic link will not be created by default. An easy way to create the symbolic link is to utilize eselect's kernel module.
For further information regarding the purpose of the symlink, and how to manage it, please refer to Kernel/Upgrade.
First, list all installed kernels:
root #
eselect kernel list
Available kernel symlink targets: [1] linux-
In order to create a symbolic link called linux, use:
root #
eselect kernel set 1
root #
ls -l /usr/src/linux
lrwxrwxrwx 1 root root 12 Oct 13 11:04 /usr/src/linux -> linux-
Manual configuration
In case it was missed, this section requires the kernel sources to be installed. Be sure to obtain the relevant kernel sources, then return here for the rest of this section.
Manually configuring a kernel is commonly seen as one of the most difficult procedures a system administrator has to perform. Nothing is less true - after configuring a few kernels no one remembers that it was difficult! There are two ways for a Gentoo user to manage a manual kernel system, both of which are listed below:
Modprobed-db process
A very easy way to manage the kernel is to first install sys-kernel/gentoo-kernel-bin and use sys-kernel/modprobed-db to collect information about what the system requires. modprobed-db is a tool which monitors the system via crontab and records all modules of all devices over the system's life, to make sure that everything a user needs is supported. For example, if an Xbox controller is added after installation, then modprobed-db will add the modules to be built the next time the kernel is rebuilt. More on this topic can be found in the Modprobed-db article.
Manual process
This method allows a user to have full control of how their kernel is built, with as little help from outside tools as they wish. Some could consider this as making it hard for the sake of it.
However, one thing is true: it is vital to know the system when a kernel is configured manually. Most of the necessary information can be gathered by installing the sys-apps/pciutils package, which contains the lspci command:
root #
emerge --ask sys-apps/pciutils
Inside a chroot, it is safe to ignore any warnings (such as pcilib: cannot open /sys/bus/pci/devices) that lspci may display.
Another source of information is to run the lsmod command to see which kernel modules the installation media uses, as a hint for what to enable later.
It is now time to go to the kernel source directory and run make menuconfig. This will launch a configuration menu.
root #
cd /usr/src/linux
root #
make menuconfig
The kernel has a method of autodetecting the modules currently in use on the installation CD, which gives a great starting point from which a user can configure their own. It can be invoked using:
root #
make localmodconfig
It's now time to configure using nconfig:
root #
make nconfig
The Linux kernel configuration has many, many sections. Here is a list of options that must be enabled (otherwise Gentoo will not work, or will work incorrectly, without additional changes). There is also a Gentoo kernel configuration guide on the wiki that can provide more information.
Enabling required options
When using sys-kernel/gentoo-sources, it is strongly recommended that the Gentoo-specific configuration options be enabled. These ensure that a minimum of kernel features required for proper functioning is available:
Gentoo Linux --->
[*] Gentoo Linux support
[*] Linux dynamic and persistent device naming (userspace devfs) support
[*] Select options required by Portage features
Support for init systems, system and service managers --->
[*] OpenRC, runit and other script based systems and managers
[*] systemd
Naturally the choice in the last two lines depends on the selected init system (OpenRC vs. systemd). It does not hurt to have support for both init systems enabled.
When using sys-kernel/vanilla-sources, the additional selections for init systems will be unavailable. Enabling support is possible, but goes beyond the scope of the handbook.
Enabling support for typical system components
Make sure that all drivers essential to booting the system (such as the SCSI controller, etc.) are compiled into the kernel and not as modules, otherwise the system will not be able to boot properly.
Next, select the exact processor type. It is also recommended to enable MCE features (if available) so that users can be notified of any hardware problems. On some architectures (such as x86_64), these errors are not shown in dmesg, but in /dev/mcelog. This requires the app-admin/mcelog package.
Also, select Maintain a devtmpfs file system to mount at /dev so that critical device files are available early in the boot process (CONFIG_DEVTMPFS and CONFIG_DEVTMPFS_MOUNT):
Device Drivers --->
Generic Driver Options --->
[*] Maintain a devtmpfs filesystem to mount at /dev
[*] Automount devtmpfs at /dev, after the kernel mounted the rootfs
Verify that SCSI disk support is enabled (CONFIG_BLK_DEV_SD):
Device Drivers --->
SCSI device support --->
<*> SCSI disk support
Device Drivers --->
<*> Serial ATA and Parallel ATA drivers (libata) --->
[*] ATA ACPI Support
[*] SATA Port Multiplier support
<*> AHCI SATA support (ahci)
[*] ATA BMDMA support
[*] ATA SFF support (for legacy IDE and PATA)
<*> Intel ESB, ICH, PIIX3, PIIX4 PATA/SATA support (ata_piix)
Verify that basic NVMe support has been enabled:
Device Drivers --->
<*> NVM Express block device
Device Drivers --->
NVME Support --->
<*> NVM Express block device
It does not hurt to enable the following additional NVMe support:
[*] NVMe multipath support
[*] NVMe hardware monitoring
<M> NVM Express over Fabrics FC host driver
<M> NVM Express over Fabrics TCP host driver
<M> NVMe Target support
[*] NVMe Target Passthrough support
<M> NVMe loopback device support
<M> NVMe over Fabrics FC target driver
< > NVMe over Fabrics FC Transport Loopback Test driver (NEW)
<M> NVMe over Fabrics TCP target support
Now go to File Systems and select support for the file systems that will be used. Be careful not to compile the file system used by the root file system as a module, otherwise Gentoo will be unable to mount the partition. Also select Virtual memory and /proc file system. Select one or more of the following options as needed by the system (CONFIG_EXT2_FS, CONFIG_EXT3_FS, CONFIG_EXT4_FS, CONFIG_MSDOS_FS, CONFIG_VFAT_FS, CONFIG_PROC_FS, and CONFIG_TMPFS):
File systems --->
<*> Second extended fs support
<*> The Extended 3 (ext3) filesystem
<*> The Extended 4 (ext4) filesystem
<*> Reiserfs support
<*> JFS filesystem support
<*> XFS filesystem support
<*> Btrfs filesystem support
DOS/FAT/NT Filesystems --->
<*> MSDOS fs support
<*> VFAT (Windows-95) fs support
Pseudo Filesystems --->
[*] /proc file system support
[*] Tmpfs virtual memory file system support (former shm fs)
If PPPoE, or an analog modem, is used to connect to the Internet, enable the following options (CONFIG_PPP, CONFIG_PPP_ASYNC, and CONFIG_PPP_SYNC_TTY):
Device Drivers --->
Network device support --->
<*> PPP (point-to-point protocol) support
<*> PPP support for async serial ports
<*> PPP support for sync tty ports
The two compression options will not cause problems but are definitely not required, nor is the PPP over Ethernet option, which will probably only be used when configured to do kernel-mode PPPoE.
Do not forget to include support for the network cards (Ethernet or wireless) in the kernel.
Most systems also have multiple cores available, so it is important to enable the Symmetric multi-processing support option (CONFIG_SMP):
Processor type and features --->
[*] Symmetric multi-processing support
In multi-core systems, each core counts as a processor.
If USB input devices (such as a keyboard or mouse) or other USB devices will be used, do not forget to enable support for them (CONFIG_HID_GENERIC and CONFIG_USB_HID, CONFIG_USB_SUPPORT, CONFIG_USB_XHCI_HCD, CONFIG_USB_EHCI_HCD, CONFIG_USB_OHCI_HCD):
Device Drivers --->
HID support --->
-*- HID bus support
<*> Generic HID driver
[*] Battery level reporting for HID devices
USB HID support --->
<*> USB HID transport layer
[*] USB support --->
<*> xHCI HCD (USB 3.0) support
<*> EHCI HCD (USB 2.0) support
<*> OHCI HCD (USB 1.1) support
Optional: Signed kernel modules
To automatically sign kernel modules, enable the CONFIG_MODULE_SIG_ALL option:
[*] Enable loadable module support
-*- Module signature verification
[*] Automatically sign all modules
Which hash algorithm should modules be signed with? (Sign modules with SHA-512) --->
The hash algorithm can be changed if desired.
To ensure that all modules are signed with a valid signature, also enable the CONFIG_MODULE_SIG_FORCE option:
[*] Enable loadable module support
-*- Module signature verification
[*] Require modules to be validly signed
[*] Automatically sign all modules
Which hash algorithm should modules be signed with? (Sign modules with SHA-512) --->
To use a custom key, specify the location of this key in CONFIG_MODULE_SIG_KEY. If unspecified, the kernel build system will generate a key. It is recommended to generate one manually instead. This can be done with:
root #
openssl req -new -nodes -utf8 -sha256 -x509 -outform PEM -out kernel_key.pem -keyout kernel_key.pem
OpenSSL will ask some questions about the user generating the key; it is recommended to answer these questions in as much detail as possible.
Store the key in a safe location; at the very least the key should be readable only by the root user. Verify this with:
root #
ls -l kernel_key.pem
-r-------- 1 root root 3164 Jan 4 10:38 kernel_key.pem
If this outputs anything other than the above, correct the permissions with:
root #
chown root:root kernel_key.pem
root #
chmod 400 kernel_key.pem
-*- Cryptographic API --->
Certificates for signature checking --->
(/path/to/kernel_key.pem) File name or PKCS#11 URI of module signing key
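Before pointing CONFIG_MODULE_SIG_KEY (and later MODULES_SIGN_KEY, MODULES_SIGN_CERT or SECUREBOOT_SIGN_KEY) at the generated file, the permission check above and the "does the PEM also hold the certificate" question can be answered in one go. The following POSIX shell functions are an added example, not handbook code; the names check_signing_key and has_certificate are mine, and the script relies on GNU stat (-c), so it assumes a Linux host.

```shell
#!/bin/sh
# Added example, not part of the Gentoo Handbook: sanity-check a module or
# kernel signing key before the kernel configuration or make.conf refers to it.

# has_certificate FILE
#   Returns 0 when FILE contains a certificate block. This decides whether
#   MODULES_SIGN_CERT / SECUREBOOT_SIGN_CERT may point at the same file as the
#   key, as the handbook does for the PEM that openssl wrote with -x509.
has_certificate() {
    grep -q -- '^-----BEGIN CERTIFICATE-----' "$1"
}

# check_signing_key FILE [OWNER]
#   Verifies that FILE is mode 0400, owned by OWNER (a user name or uid,
#   default root) and contains a private key. A missing certificate is only
#   reported, since a separate certificate file is a valid setup. Prints one
#   line per problem; returns 0 when all checks pass, 1 otherwise.
check_signing_key() {
    key="$1"
    owner="${2:-root}"
    ok=1

    if [ ! -f "$key" ]; then
        printf 'missing: %s\n' "$key"
        return 1
    fi

    mode=$(stat -c '%a' "$key")
    if [ "$mode" != "400" ]; then
        printf 'mode is %s, expected 400 (chmod 400 %s)\n' "$mode" "$key"
        ok=0
    fi

    # Compare numeric uids so the check works whether OWNER is a name or a uid.
    owner_uid=$(id -u "$owner" 2>/dev/null || printf '%s' "$owner")
    actual_uid=$(stat -c '%u' "$key")
    if [ "$actual_uid" != "$owner_uid" ]; then
        printf 'owner uid is %s, expected %s (chown %s %s)\n' "$actual_uid" "$owner_uid" "$owner" "$key"
        ok=0
    fi

    if ! grep -q -E -- '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$key"; then
        printf 'no private key block in %s\n' "$key"
        ok=0
    fi

    if ! has_certificate "$key"; then
        printf 'no certificate in %s: point MODULES_SIGN_CERT / --cert at a separate certificate file\n' "$key"
    fi

    [ "$ok" -eq 1 ]
}
# Usage on a real system: check_signing_key /path/to/kernel_key.pem root
```

A zero exit status means the file is safe to reference from CONFIG_MODULE_SIG_KEY and, if has_certificate also succeeds, from both MODULES_SIGN_KEY and MODULES_SIGN_CERT.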
To also sign external kernel modules installed by other packages via linux-mod-r1.eclass, enable the modules-sign USE flag globally:
/etc/portage/make.conf
Enabling module signing
USE="modules-sign"
# Optionally, when using custom signing keys.
MODULES_SIGN_KEY="/path/to/kernel_key.pem"
MODULES_SIGN_CERT="/path/to/kernel_key.pem" # Only required if the MODULES_SIGN_KEY does not also contain the certificate
MODULES_SIGN_HASH="sha512" # Defaults to sha512
MODULES_SIGN_KEY and MODULES_SIGN_CERT may point to different files. For this example, the pem file generated by OpenSSL includes both the key and the accompanying certificate, and thus both variables are set to the same value.
Optional: Signing the kernel image (Secure Boot)
When signing the kernel image (for use on systems with Secure Boot enabled) it is recommended to set the following kernel config options:
General setup --->
Kexec and crash features --->
[*] Enable kexec system call
[*] Enable kexec file based system call
[*] Verify kernel signature during kexec_file_load() syscall
[*] Require a valid signature in kexec_file_load() syscall
[*] Enable "image" signature verification support
[*] Enable loadable module support
-*- Module signature verification
[*] Require modules to be validly signed
[*] Automatically sign all modules
Which hash algorithm should modules be signed with? (Sign modules with SHA-512) --->
Security options --->
[*] Integrity subsystem
[*] Basic module for enforcing kernel lockdown
[*] Enable lockdown LSM early in init
Kernel default lockdown mode (Integrity) --->
[*] Digital signature verification using multiple keyrings
[*] Enable asymmetric keys support
-*- Require all keys on the integrity keyrings be signed
[*] Provide keyring for platform/firmware trusted keys
[*] Provide a keyring to which Machine Owner Keys may be added
[ ] Enforce Machine Keyring CA Restrictions
Where "image" is a placeholder for the architecture-specific image name. These options, from top to bottom: enforce that the kernel image passed in a kexec call must be signed (kexec allows replacing the running kernel in place), enforce that kernel modules are signed, enable lockdown in integrity mode (which prevents modifying the kernel at runtime), and enable the various keyrings.
On arches that do not natively support decompressing the kernel (e.g. arm64 and riscv), the kernel must be built with its own decompressor (zboot):
Device Drivers --->
Firmware Drivers --->
EFI (Extensible Firmware Interface) Support --->
[*] Enable the generic EFI decompressor
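The menu walkthroughs above (required options and typical system components, then the signed-module and Secure Boot options) all come down to symbols in .config, and the two mistakes that hurt most are an option left as a module where it must be built in (the root file system driver, for instance) and CONFIG_MODULE_SIG_KEY left at the build-generated default. The following POSIX shell script checks a .config for both before compiling. It is an added example, not handbook code: the symbol lists are my assumptions for an ext4 root on an AHCI/NVMe disk (change ROOT_FS_SYMBOL for another root file system), the CONFIG_ names for the Secure Boot menu entries are taken from upstream Kconfig rather than from this page, and the default key path certs/signing_key.pem is the upstream kernel default.

```shell
#!/bin/sh
# Added example, not part of the Gentoo Handbook: check a kernel .config for
# the options this section asks for, before running make. It catches options
# that are missing entirely and options built as a module (=m) where they must
# be built in (=y), such as the driver for the root filesystem.

# Assumption: the root filesystem is ext4. Override with ROOT_FS_SYMBOL=... .
ROOT_FS_SYMBOL="${ROOT_FS_SYMBOL:-CONFIG_EXT4_FS}"

# Must be =y for the system to boot: device nodes, block devices, root fs, SMP.
REQUIRED_BOOT="
CONFIG_DEVTMPFS
CONFIG_DEVTMPFS_MOUNT
CONFIG_BLK_DEV_SD
CONFIG_SATA_AHCI
CONFIG_BLK_DEV_NVME
CONFIG_PROC_FS
CONFIG_TMPFS
CONFIG_SMP
$ROOT_FS_SYMBOL
"

# Signed modules and a Secure Boot kernel: module signature enforcement,
# lockdown in integrity mode, kexec signature checks and the extra keyrings.
# Names are the upstream Kconfig symbols behind the menu entries shown above.
REQUIRED_SECUREBOOT="
CONFIG_MODULE_SIG
CONFIG_MODULE_SIG_ALL
CONFIG_MODULE_SIG_FORCE
CONFIG_SECURITY_LOCKDOWN_LSM
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY
CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY
CONFIG_KEXEC_FILE
CONFIG_KEXEC_SIG
CONFIG_KEXEC_SIG_FORCE
CONFIG_INTEGRITY_PLATFORM_KEYRING
CONFIG_INTEGRITY_MACHINE_KEYRING
"

# config_value FILE SYMBOL
#   Prints the symbol's value from a .config (y, m, a number or a quoted
#   string), or "n" when it is absent or appears as "# SYMBOL is not set".
config_value() {
    val=$(grep -E "^$2=" "$1" | head -n 1 | cut -d= -f2-)
    if [ -z "$val" ]; then
        echo n
    else
        echo "$val"
    fi
}

# check_builtin FILE SYMBOL...
#   Prints one line per symbol that is not =y; returns 1 if any was found.
check_builtin() {
    cfg="$1"
    shift
    problems=0
    for sym in "$@"; do
        case "$(config_value "$cfg" "$sym")" in
            y) ;;
            m) echo "$sym is a module (=m); build it in (=y)"
               problems=$((problems + 1)) ;;
            *) echo "$sym is not set"
               problems=$((problems + 1)) ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# check_sig_key FILE
#   Returns 1 when CONFIG_MODULE_SIG_KEY is unset or still the upstream default
#   certs/signing_key.pem, i.e. the build would generate a throw-away key of its
#   own instead of using the key created with openssl above.
check_sig_key() {
    key=$(config_value "$1" CONFIG_MODULE_SIG_KEY | tr -d '"')
    case "$key" in
        ""|n|certs/signing_key.pem)
            echo "CONFIG_MODULE_SIG_KEY uses the build-generated default; point it at the generated key"
            return 1 ;;
    esac
    return 0
}

# check_config FILE [secureboot]
#   Runs the boot checks, plus the Secure Boot checks when the second argument
#   is "secureboot". Returns 0 only if everything passes.
check_config() {
    cfg="$1"
    rc=0
    check_builtin "$cfg" $REQUIRED_BOOT || rc=1
    if [ "${2:-}" = "secureboot" ]; then
        check_builtin "$cfg" $REQUIRED_SECUREBOOT || rc=1
        check_sig_key "$cfg" || rc=1
    fi
    return "$rc"
}
# Usage on a real tree: check_config /usr/src/linux/.config secureboot
```

Run check_config against /usr/src/linux/.config after leaving menuconfig or nconfig; every line it prints is a menu entry to revisit, and a zero exit status means the options this section asks for are all built in.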
After compilation of the kernel, as explained in the next section, the kernel image must be signed. First install app-crypt/sbsigntools and then sign the kernel image:
root #
emerge --ask app-crypt/sbsigntools
root #
sbsign /usr/src/linux-x.y.z/path/to/kernel-image --cert /path/to/kernel_key.pem --key /path/to/kernel_key.pem --out /usr/src/linux-x.y.z/path/to/kernel-image
For this example, the same key that was generated to sign the modules is used to sign the kernel image. It is also possible to generate and use a second separate key for signing the kernel image. The same OpenSSL command as in the previous section may be used again.
Then proceed with the installation.
To automatically sign EFI executables installed by other packages, enable the secureboot USE flag globally:
/etc/portage/make.conf
Enabling Secure Boot
USE="modules-sign secureboot"
# Optionally, to use custom signing keys.
MODULES_SIGN_KEY="/path/to/kernel_key.pem"
MODULES_SIGN_CERT="/path/to/kernel_key.pem" # Only required if the MODULES_SIGN_KEY does not also contain the certificate.
MODULES_SIGN_HASH="sha512" # Defaults to sha512
# Optionally, to boot with secureboot enabled, may be the same or different signing key.
SECUREBOOT_SIGN_KEY="/path/to/kernel_key.pem"
SECUREBOOT_SIGN_CERT="/path/to/kernel_key.pem"
SECUREBOOT_SIGN_KEY and SECUREBOOT_SIGN_CERT may point to different files. For this example, the pem file generated by OpenSSL includes both the key and the accompanying certificate, and thus both variables are set to the same value.
When generating a Unified Kernel Image with systemd's ukify, the kernel image will be signed automatically before inclusion in the unified kernel image and it is not necessary to sign it manually.
Architecture specific kernel configurations
Placeholder for architecture-specific kernel build information
Compiling and installing
Placeholder for instructions for building and installing the kernel sources
Deprecated: Genkernel
Genkernel should only be considered by users with a specific need that only Genkernel can meet. For others, it is recommended to use the Distribution kernel or to manually compile their own, as this makes maintaining a Gentoo system a lot simpler. An example of why genkernel is more difficult to manage is its lack of integration with sys-kernel/installkernel. This means a user will not get the same level of automation as provided by the other methods; for example, Unified Kernel Images will need to be created manually when using Genkernel.
Users still wishing to use Genkernel should see the Genkernel article for more information.
Kernel modules
Listing available kernel modules
Manually listing hardware modules is optional. In most cases udev will load all modules for hardware that is detected as connected. However, it does no harm to list modules that are loaded automatically anyway. Modules cannot be loaded twice: they are either loaded or unloaded. Sometimes, exotic hardware needs help loading its drivers.
Modules that must be loaded automatically at each boot are defined in the /etc/modules-load.d/*.conf files, one module per line. However, when additional options must be passed to a module, they must be added to the /etc/modprobe.d/*.conf files.
To see all modules available for a specific kernel version, run the following find command. Do not forget to replace "<kernel version>" with the version of the kernel to be used:
root #
find /lib/modules/<kernel version>/ -type f -iname '*.o' -or -iname '*.ko' | less
Forcing particular kernel modules to load
To force the 3c59x.ko module to load (the driver for the 3Com family of network cards), edit the /etc/modules-load.d/network.conf file and add the module name to it.
root #
mkdir -p /etc/modules-load.d
root #
nano -w /etc/modules-load.d/network.conf
Note that the .ko suffix of modules is insignificant to the loading mechanism and does not appear in the configuration file.
/etc/modules-load.d/network.conf
Forcing the 3c59x module to load
3c59x
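A typo in a modules-load.d entry, or a ".ko" suffix left in by habit, only shows up as a failed module load at the next boot. The following POSIX shell functions check every name in a modules-load.d directory against the module tree of a given kernel before rebooting. They are an added example, not handbook code; the function names (list_autoload_modules, module_exists, check_autoload) are mine, and the sample configuration and module files used when testing them are constructed.

```shell
#!/bin/sh
# Added example, not part of the Gentoo Handbook: verify that every module
# named in /etc/modules-load.d/*.conf exists for a given kernel version, so a
# typo or a stray ".ko" suffix is caught before the first reboot. Loading a
# module that is already built in or already loaded is harmless, so only names
# that resolve to nothing are reported.

# list_autoload_modules CONFDIR
#   Prints one module name per line from CONFDIR/*.conf, skipping blank lines
#   and comments (lines starting with "#" or ";"), as modules-load.d does.
list_autoload_modules() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        grep -v -E '^[[:space:]]*(#|;)' "$conf" | grep -v -E '^[[:space:]]*$' || true
    done | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# module_exists MODDIR NAME
#   Returns 0 when NAME.ko (or a compressed NAME.ko.xz/.zst/.gz) exists under
#   MODDIR, e.g. /lib/modules/<kernel version>. modprobe treats "-" and "_" as
#   equivalent, so both spellings are tried.
module_exists() {
    n1=$(printf '%s' "$2" | tr '-' '_')
    n2=$(printf '%s' "$2" | tr '_' '-')
    found=$(find "$1" -type f \( -name "$n1.ko*" -o -name "$n2.ko*" \) | head -n 1)
    [ -n "$found" ]
}

# check_autoload CONFDIR MODDIR
#   Prints a line for each configured module that cannot be found, flagging a
#   ".ko" suffix specifically since the loader wants the bare name. Returns 0
#   when every module resolves, 1 otherwise.
check_autoload() {
    confdir="$1"
    moddir="$2"
    bad=0
    for name in $(list_autoload_modules "$confdir"); do
        case "$name" in
            *.ko)
                echo "$name: drop the .ko suffix, write ${name%.ko}"
                bad=$((bad + 1))
                continue ;;
        esac
        if ! module_exists "$moddir" "$name"; then
            echo "$name: no such module under $moddir"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}
# Usage on a real system: check_autoload /etc/modules-load.d /lib/modules/"$(uname -r)"
```

Inside the installation chroot, pass the module directory of the kernel just installed rather than `uname -r`, which still reports the installation media's kernel.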
Continue the installation with Configuring the system.