User:Pietinger/Experimental/Manual Configuring Current Kernel

From Gentoo Wiki

I have moved the steps for manual kernel configuration into this separate article, because other articles deal with the respective LTS kernels.

Manual Configuring Current Kernel

This article currently covers kernel version 6.11.

Please read User:Pietinger/Tutorials/Manual_kernel_configuration before you start here!

Only our default sys-kernel/gentoo-sources will be used.

I will explain only the specific settings for an Intel and an AMD CPU. If you have an ARM or any other CPU, please take this article only as an inspiration.

I am not happy with the default configuration we get right after emerging gentoo-sources (or after a "make defconfig"). Why? Today everything must be "user-friendly", and therefore many options are enabled by default which are not necessary. The best example: all options for an Intel CPU and for an AMD CPU are enabled ... but you can have only one of them in your machine ;-)

On the other hand, some options which you must have to be able to boot your machine are not enabled by default. In this article I will describe a complete "tour" through your kernel configuration.

Tour

If you're wondering why I'm “jumping around” a bit at first in this article, here's the explanation:

Some options are only available when one (or more) other option(s) have been activated (e.g: At the very beginning in “Processor type and features” we have the option CONFIG_X86_POSTED_MSI, which only appears when we have activated the option IRQ_REMAP in the “Device Drivers”).

Therefore proceed in the order described here!

Tip
While configuring your kernel, you should also check off (or cross out) every module you have handled in your two lists (the output of lsmod and of lspci -k). You will then have less work later, because you only have to check the remaining ones.

Essential Options

These are must haves.

Platform support

One of these two options must be activated - depending on whether you have an Intel or AMD CPU:

KERNEL Kernel
Processor type and features  --->
    [?] Intel Low Power Subsystem Support
    [?] AMD ACPI2Platform devices support
Efi

If your system boots via UEFI, efibootmgr needs the EFI runtime services, so make sure the option "Disable EFI runtime services support by default" is NOT set (we disable the "Disable", so the runtime services stay enabled ;-). Also check that "EFI Variable filesystem" is already enabled.

KERNEL Kernel
Device Drivers  --->
    Firmware Drivers  --->
        EFI (Extensible Firmware Interface) Support  --->
            [ ] Disable EFI runtime services support by default

File systems  --->
    Pseudo filesystems  --->
        <*> EFI Variable filesystem
Framebuffer Device and Console

Part of these settings is also described in Framebuffer. I think nobody needs plain VGA anymore. Strictly you need only one of "VESA VGA graphics support" or "EFI-based Framebuffer Support", but with both enabled you are on the safe side and should not end up with a black screen, or stuck at "Loading Linux ...", when using GRUB as boot manager. To be extra safe you can also enable the "simple framebuffer".

KERNEL Kernel
Device Drivers  --->
    Graphics support  --->
        <*> Direct Rendering Manager (XFree86 4.1.0 and higher DRI support)  --->
            [*] Enable legacy fbdev support for your modesetting driver

        Frame buffer Devices  --->
# You MUST enable this as <*> and NOT as <M>odule! If you build it as a module you will not get the option "EFI-based Framebuffer Support"!
            <*> Support for frame buffer devices  --->
                [*]   VESA VGA graphics support
                [*]   EFI-based Framebuffer Support

        Console display driver support  --->
            [*] Framebuffer Console support

Excursus: If you want an answer to the question "Why did you add 'Framebuffer Console support' even though it is already enabled by default?" AND you are willing to dive into the depths of the kernel configuration, read this thread: https://forums.gentoo.org/viewtopic-t-1168856.html

Accessing the Root Partition

We also have to build statically into the kernel every driver the kernel needs to access the root partition; without an initramfs there is nothing to load modules from before / is mounted.

1. If you have an NVMe drive or a special hard disk controller you must enable its driver as well. Look again at the output of lspci -k and check whether there is a module you have not yet accounted for. Search for it in menuconfig with /. If you miss a driver the kernel needs to reach its root partition you will get a kernel panic: the kernel cannot boot. For example, if you find a module named "vmd" you must enable it too:

KERNEL Kernel
Device Drivers  --->
    [*] PCI support  --->
        PCI controller drivers  --->
            <*> Intel Volume Management Device Driver

(This was the problem here: https://forums.gentoo.org/viewtopic-t-1156306-highlight-.html )

To be on the safe side, read these links and double check that you have enabled everything your kernel needs to access your hard disk:

2. Which filesystem does your root partition use? If it is ext4 you are fine; it is enabled by default. Until recently ext4 was the recommended filesystem for the root partition; now our developers recommend XFS. If you use XFS (or any other filesystem) you must go into File systems ---> and enable it there. (I am using ext4 for my root and my /home because I also use fscrypt.)
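As an added example (my own helper, not part of the original article and not a Gentoo or kernel tool), here is a small POSIX shell script that automates the two checks of this section: it finds out which filesystem and which drivers the running system needs to reach /, maps each name to its CONFIG_ symbol by searching the kernel's own Makefiles for the obj-$(CONFIG_...) rule that builds it, and reports whether that symbol is built in (=y) or only a module. It assumes the kernel sources in /usr/src/linux and the configuration in /usr/src/linux/.config (both passed as arguments); the function names and the Makefile-grep approach are my own. The same module-to-symbol lookup is handy later in the Netfilter chapter, when you want to know which option belongs to a module you saw in lsmod.

```shell
#!/bin/sh
# Added example for this article (my own helper, not a Gentoo or kernel tool).
# Checks that the filesystem and the drivers needed to reach / are built INTO
# the kernel (=y) and not modules, which a boot without initramfs requires.
#
# Assumptions: kernel sources in $1 (e.g. /usr/src/linux), configuration in $2
# (e.g. /usr/src/linux/.config). A module name is mapped to its CONFIG_ symbol
# by grepping the kernel's own Makefiles for a rule such as
#     obj-$(CONFIG_VMD) += vmd.o
# Limits: objects on continued (backslash) lines are not matched, and a sysfs
# driver name can differ from the module name (driver "sd" is sd_mod.ko), so
# treat "no rule found" as "look this one up by hand".

# Usage: config_symbol_for_module <module> <kernel-src-dir>
# Prints the CONFIG_ symbol(s) whose Makefile rule builds <module>.o.
config_symbol_for_module() {
    csfm_mod=$1
    csfm_src=$2
    # lsmod prints '_' where the .ko name may have '-' (i2c_i801 vs i2c-i801.o),
    # so accept either character at those positions.
    csfm_pat=$(printf '%s' "$csfm_mod" | sed 's/[-_]/[-_]/g')
    find "$csfm_src" -type f \( -name Makefile -o -name Kbuild \) -print0 2>/dev/null |
        xargs -0 grep -hE "^obj-\\\$\(CONFIG_[A-Za-z0-9_]+\)[[:space:]]*[+:]?=.*([[:space:]]|=)${csfm_pat}\.o([[:space:]]|\$)" 2>/dev/null |
        sed -E 's/^obj-\$\((CONFIG_[A-Za-z0-9_]+)\).*/\1/' |
        sort -u
}

# Usage: config_state <CONFIG_SYMBOL> <.config>   -> prints y, m or n
config_state() {
    if grep -q "^$1=y\$" "$2"; then
        echo y
    elif grep -q "^$1=m\$" "$2"; then
        echo m
    else
        echo n
    fi
}

# Usage: check_builtin <module> <kernel-src-dir> <.config>
# Prints "module: SYMBOL=state" for every matching symbol; exit status 0 only
# if at least one of them is =y, 1 if module/disabled, 2 if no rule was found.
check_builtin() {
    cb_mod=$1
    cb_src=$2
    cb_cfg=$3
    cb_syms=$(config_symbol_for_module "$cb_mod" "$cb_src")
    if [ -z "$cb_syms" ]; then
        echo "$cb_mod: no obj-\$(CONFIG_...) rule found under $cb_src"
        return 2
    fi
    cb_rc=1
    for cb_sym in $cb_syms; do
        cb_state=$(config_state "$cb_sym" "$cb_cfg")
        echo "$cb_mod: $cb_sym=$cb_state"
        if [ "$cb_state" = y ]; then
            cb_rc=0
        fi
    done
    return $cb_rc
}

# Usage: root_path_components
# Prints the filesystem type of / and the name of every kernel driver bound to
# the root block device and its parents (walks up the sysfs device path and
# reads each "driver" link), e.g. "ext4 nvme" or "xfs ahci sd vmd".
root_path_components() {
    findmnt -no FSTYPE /
    rpc_src=$(findmnt -no SOURCE / | sed 's/\[.*//')   # drop btrfs "[/subvol]"
    for rpc_dev in $(lsblk -sno KNAME "$rpc_src" 2>/dev/null); do
        rpc_path=$(readlink -f "/sys/class/block/$rpc_dev")
        while [ -n "$rpc_path" ] && [ "$rpc_path" != /sys ] && [ "$rpc_path" != / ]; do
            if [ -L "$rpc_path/driver" ]; then
                basename "$(readlink -f "$rpc_path/driver")"
            fi
            rpc_path=$(dirname "$rpc_path")
        done
    done | sort -u
}

# Stand-alone use:  sh rootcheck.sh /usr/src/linux /usr/src/linux/.config
if [ $# -eq 2 ]; then
    rc_fail=0
    for rc_comp in $(root_path_components); do
        check_builtin "$rc_comp" "$1" "$2" || rc_fail=1
    done
    exit $rc_fail
fi
```

Run it after "make oldconfig"; every line that does not end in =y is a driver you must set to <*>, and "no rule found" means the sysfs driver name differs from the module name (the SCSI disk driver shows up as sd but is built as sd_mod.o, PCIe bridges as pcieport), so look that one up by hand with / in menuconfig. Roots on LVM, dm-crypt or RAID additionally need the corresponding "Multiple devices driver support" options, which this walk does not see.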

Important Options

As I said at the beginning of this chapter, we need to activate some options before we can access others. Therefore I consider all of the following very important, even if they are not strictly necessary for a successful boot of the kernel.

Expert Mode

First we activate an option that allows us to access other important options:

KERNEL Kernel
General setup  --->
    [*] Configure standard kernel features (expert users)  --->

Without this setting you will never see the CONFIG_PROCESSOR_SELECT option in the next section. Just have a look at the <Help> of CONFIG_PROCESSOR_SELECT; you will see there: Visible if: EXPERT [=y]. But first we must make sure this is (still) enabled in the main menu:

KERNEL Kernel
[*] Enable the block layer  --->

and also this:

KERNEL Kernel
Device Drivers  --->
    Character devices  --->
        [*] Enable TTY
        [*]   Virtual terminal
Processor Support

So that we can also switch off unnecessary options later, we first have to switch off a few things here. Sometimes our kernel configuration is funny: in this step we want to disable the vendor we do not have, AMD or Intel. If you have an Intel CPU you might be surprised that you cannot disable AMD ... Go into:

KERNEL Kernel
Processor type and features  --->
    [*] Supported processor vendors  --->

You will get this menu:

KERNEL Kernel
--- Supported processor vendors
[*]   Support Intel processors
-*-   Support AMD processors
[*]   Support Hygon processors
[*]   Support Centaur processors
[*]   Support Zhaoxin processors

The funny thing is that you must first disable "Support Hygon processors" before you can disable "Support AMD processors" (Hygon support selects AMD support, hence the -*-). Of course you will not disable AMD if you have an AMD CPU. When you are finished here only one vendor is enabled. This step is important so that some options are correctly deactivated later (e.g. Intel or AMD P-State).

IOMMU

Change this on both AMD and Intel systems. It is a KSPP recommendation (CONFIG_IOMMU_DEFAULT_DMA_STRICT): "Force IOMMU TLB invalidation so devices will never be able to access stale data contents". CONFIG_IRQ_REMAP must be enabled as well.

KERNEL Kernel
Device Drivers  --->
    [*] IOMMU Hardware Support  --->
        IOMMU default domain type (Translated - Strict)  --->
        [*]   Support for Interrupt Remapping

If you have an AMD system you can disable all Intel IOMMU settings and you are finished here (everything you need is already enabled by default):

KERNEL Kernel
Device Drivers  --->
    [*] IOMMU Hardware Support  --->
        [*]   AMD IOMMU support
        [ ]   Support for Intel IOMMU using DMA Remapping Devices
        [*]   Support for Interrupt Remapping

For an Intel system now comes a tricky part: as soon as you disable AMD IOMMU, Intel IOMMU disappears as well. The reason: AMD IOMMU selects PCI_MSI, so after disabling AMD IOMMU, PCI_MSI is disabled too ... but Intel IOMMU depends on it. So you must disable and enable in this sequence:

KERNEL Kernel
Device Drivers  --->
    [*] IOMMU Hardware Support  --->
        [ ]   AMD IOMMU support

Device Drivers  --->
    [*] PCI support  --->
        [*]   Message Signaled Interrupts (MSI and MSI-X)

Device Drivers  --->
    [*] IOMMU Hardware Support  --->
        [ ]   AMD IOMMU support
        [*]   Support for Intel IOMMU using DMA Remapping Devices
        [*]     Support for Shared Virtual Memory with Intel IOMMU
        [*]     Enable Intel DMA Remapping Devices by default
        [*]     Enable Intel IOMMU scalable mode by default
        [*]     Intel IOMMU performance events
        < >   IOMMU Userspace API
        [*]   Support for Interrupt Remapping
Default CPUFreq governor

This change is not necessary for a successful boot, but you really should check it, as it can have a big impact on performance: with a governor that never raises the frequency by itself (e.g. 'userspace' without a daemon that sets it, or 'powersave' with the acpi-cpufreq driver) your processor would be stuck at its lowest frequency.

KERNEL Kernel
Power management and ACPI options  --->
    CPU Frequency scaling  --->
        [*]   CPU frequency transition statistics
        Default CPUFreq governor (schedutil)  --->

If you have a server you can choose "performance"; for a notebook "powersave" is also possible.

P-State

If you have an Intel CPU then this is enabled automatically (thanks to CONFIG_PROCESSOR_SELECT):

KERNEL Kernel
Power management and ACPI options  --->
    CPU Frequency scaling  --->
        -*-   Intel P state control
# If you have a newer Intel CPU that intel_pstate handles with Hardware P-states ("lscpu" shows the flag "hwp"; Skylake or later) you don't need this.
        < >   ACPI Processor P-States driver

If you have an AMD CPU, "Intel P state control" above should already be disabled and AMD P-State enabled. Nothing to do here for you.

KERNEL Kernel
Power management and ACPI options  --->
    CPU Frequency scaling  --->
        -*-   AMD Processor P-State driver
        (3)     AMD Processor P-State default mode
Proc File System
KERNEL Kernel
File systems  --->
    Pseudo filesystems  --->
        [*] /proc file system support
# KSPP recommendation: "Dangerous; exposes kernel text image layout."
        [ ]   /proc/kcore support
CPU Microcode

In my previous articles the integration of the CPU microcode was one chapter of my recommendations. I now believe it is so important that it must be included here. Read - and do - this for your CPU:

Main Menu

Now we have configured all the prerequisites to see some menus completely. As I already wrote in the article User:Pietinger/Tutorials/Manual_kernel_configuration, I also want a slim kernel. This not only makes it more secure (less code, smaller attack surface), it also saves compile time.

You can recognize all options where I leave the default by the fact that there is no comment from me. I have marked the KSPP recommendations with “KSPP”, my own recommendations with “MYR”.

General setup

KERNEL Kernel
General setup  --->
    [ ] Compile also drivers which will not load
    [*] Compile the kernel with warnings as errors
    ()  Local version - append to kernel release
# MYR: Not needed. Makes it easier to copy the kernel (from ./arch/x86/boot/bzImage) via script.
    [ ] Automatically append version information to the version string
    ()  Build ID Salt
    Kernel compression mode (Gzip)  --->
    ()  Default init path
    ((none)) Default hostname
    -*- System V IPC
    [*] POSIX Message Queues
# MYR:
    [*] General notification queue
    [*] Enable process_vm_readv/writev syscalls
    [ ] uselib syscall (for libc5 and earlier)
    [*] Auditing support
    IRQ subsystem  ----
    Timers subsystem  --->
    BPF subsystem  --->
    Preemption Model (Voluntary Kernel Preemption (Desktop))  --->
# MYR: Not needed. Costs only runtime overhead.
    [ ] Preemption behaviour defined on boot
# MYR and KSPP recommendation:
    [*] Core Scheduling for SMT
    CPU/Task time and stats accounting  --->
# MYR:
        [*]   BSD Process Accounting version 3 file format
    [*] CPU isolation
    RCU Subsystem  --->
    < > Kernel .config support
    < > Enable kernel headers through /sys/kernel/kheaders.tar.xz
    (18) Kernel log buffer size (16 => 64KB, 17 => 128KB)
    (12) CPU kernel log buffer size contribution (13 => 8 KB, 17 => 128KB)
# This option will disappear as soon as we deactivate DEBUG_FS later. It is unnecessary anyway.
    [ ] Printk indexing debugfs interface
    Scheduler features  --->
    [ ] Memory placement aware NUMA scheduler
    -*- Control Group support  --->
# MYR: The <Help> says it all.
        [ ]   Debug controller
    -*- Namespaces support  --->
# MYR: It is not absolutely necessary anymore, but it does no harm to enable it for the future
    [*] Checkpoint/restore support
# MYR:
    [*] Automatic process group scheduling
    -*- Kernel->user space relay support (formerly relayfs)
# We don't need an initramfs when we configure our kernel ourselves
    [ ] Initial RAM filesystem and RAM disk (initramfs/initrd) support
    [ ] Boot config support
# We have no initramfs
    [ ] Preserve cpio archive mtimes in initramfs
    Compiler optimization level (Optimize for performance (-O2))  --->
# Already done in previous chapter.
    [*] Configure standard kernel features (expert users)  --->
    Kernel Performance Events And Counters  --->
# MYR: If you needed this, you would know it ;-)
    [ ] Profiling support
    Kexec and crash features  --->
# KSPP:
        [ ] Enable kexec system call
        [ ] Enable kexec file based system call

If you think about changing the default Preemption Model and don't know what to do, watch this "Deep dive into the preemption models of the Linux Kernel" by kernel developer Thomas Gleixner: https://www.youtube.com/watch?v=Fwvj0442ub0

(Don't stop at minute 20 because you think you are not interested in RT ... it is only a short passage.)

In short: this setting trades latency against throughput, and my recommendation is: stay on the default "Desktop" (PREEMPT_VOLUNTARY), or choose "Server" (PREEMPT_NONE) for a server or a machine with a fast CPU. Change to "Low-Latency Desktop" only if you have a slow machine AND/OR problems (hiccups) when watching a 4k video. As long as you never have a problem watching a video you don't need it ... and you get higher throughput!

Processor type and features

Tip
It can be tedious to search the output of cpuid. However, if you already know what to look for, just do cpuid | grep X, e.g. cpuid | grep x2APIC (you may want to do all 5 (6 on Intel) of the following queries at once).
KERNEL Kernel
Processor type and features  --->
    [*] Symmetric multi-processing support
# If a query with "cpuid" gives you: "x2APIC: extended xAPIC support = true" then enable this:
    [*] Support x2apic
# New in 6.10. If you have a high-end server under very high load, enable it. For my desktop I don't need it.
    [?] Enable MSI and MSI-x delivery by posted interrupts
# Only for very old systems. If you have x2APIC enabled, disable it:
    [ ] Enable MPS table
# MYR:
    [*] x86 CPU resource control support
# New in 6.9. If a query with "cpuid" gives you: "FRED transitions & MSRs = false" leave it disabled:
    [ ] Flexible Return and Event Delivery
# We don't have it
    [ ] Support for extended (non-PC) x86 platforms
# Both options already done in a previous chapter.
    [?] Intel Low Power Subsystem Support
    [?] AMD ACPI2Platform devices support
    -*- Intel SoC IOSF Sideband support for SoC platforms
    [ ]   Enable IOSF sideband access through debugfs
    [*] Single-depth WCHAN output
# If this kernel doesn't run in a VM we don't need this:
    [ ] Linux guest support
# If you have a modern Intel CPU switch to Core 2
    Processor family (Core 2/newer Xeon)  --->
    [*] Supported processor vendors  --->
    [*] Enable DMI scanning
# Only very old AMD machines need this:
    [ ] Old AMD GART IOMMU support
    [ ] Enable Maximum number of SMP Processors and NUMA Nodes
# See my comment below [1]
    (32) Maximum number of CPUs
    [*] Cluster scheduler support
    [*] Multi-core scheduler support
    [*]   CPU core priorities scheduler support
    [*] Reroute for broken boot IRQs
    [*] Machine Check / overheating reporting
    [ ]   Support for deprecated /dev/mcelog character device
# Enable one of them:
    [?]   Intel MCE features
    [?]   AMD MCE features
    < > Machine check injector support
# Go into this menu and enable Intel or AMD
    Performance monitoring  --->
# Disable it if you don't use "wine"
    [ ] Enable support for 16-bit segments
# KSPP:
    [ ] Enable vsyscall emulation
    [*] IOPERM and IOPL Emulation
    [ ] Late microcode loading (DANGEROUS)
# KSPP:
    < > /dev/cpu/*/msr - Model-specific register support
    <*> /dev/cpu/*/cpuid - CPU information support
# If a query with "cpuid" gives you: "LA57: 57-bit addrs & 5-level paging = false", OR your machine has far less than the 64 TiB of physical memory that 4-level paging already covers (i.e. any desktop), then disable:
    [ ] Enable 5-level page tables support
# This option will disappear as soon as we deactivate DEBUG_FS later. It is unnecessary anyway.
    [ ] Enable statistic for Change Page Attribute
# Enable it only if you really need it:
    [?] AMD Secure Memory Encryption (SME) support
    [*] NUMA Memory Allocation and Scheduler Support
# If you have an Intel CPU disable it.
    [?]   Old style AMD Opteron NUMA detection
    [*]   ACPI NUMA detection
    [ ]   NUMA emulation
    (6)   Maximum NUMA Nodes (as a power of 2)
# Enable it only if you have Intel Sandy Bridge-EP. See more in the <Help>
    < > Support non-standard NVDIMMs and ADR protected memory
    [*] Check for low memory corruption
    [*]   Set the default setting of memory_corruption_check
# MYR - start:
    [*] MTRR (Memory Type Range Register) support
    [*]   MTRR cleanup support
    (1)     MTRR cleanup enable value (0-1)
    (1)     MTRR cleanup spare reg num (0-7)
    [*]   x86 PAT support
# MYR - end.
    [*] User Mode Instruction Prevention
# KSPP: Indirect Branch Tracking (CONFIG_X86_KERNEL_IBT) uses CET IBT, not IBRS/IBPB. If a query with "cpuid" gives you: "CET_IBT: CET indirect branch tracking = true" then leave it enabled (it also needs a compiler with IBT support, and the kernel activates it at runtime only if the CPU has the feature):
    [*] Indirect Branch Tracking
    [*] Memory Protection Keys
# Next is only available if you have an Intel CPU. Leave it off.
    TSX enable mode (off)  --->
# Next is only available if you have an Intel CPU and enabled x2APIC.
# If a query with "cpuid" gives you: "SGX: Software Guard Extensions supported = false" then leave it disabled:
    [ ] Software Guard eXtensions (SGX)
# KSPP: If a query with "cpuid" gives you: "CET_SS: CET shadow stack = true" then enable this:
    [*] X86 userspace shadow stack
    [*] EFI runtime service support
    [*]   EFI stub support
    [*]     EFI handover protocol (DEPRECATED)
# Only a very old machine needs this:
    [ ]     EFI mixed-mode support
    [ ]   Export EFI runtime maps to sysfs
# See my comment below [2]
    Timer frequency (300 HZ)  --->
    (0x1000000) Physical address where the kernel is loaded
    -*- Build a relocatable kernel
    [*]   Randomize the address of the kernel image (KASLR)
    (0x200000) Alignment value to which kernel should be aligned
    [*] Randomize the kernel memory sections
    (0x0) Physical memory mapping padding
# If a query with "cpuid" gives you: "LAM: linear address masking = false" then leave it disabled:
    [ ] Linear Address Masking support
# Only available with 32-bit support (X86_32 or IA32 emulation). The next option should already be disabled; we check it only because enabling it is a security problem (also a KSPP recommendation):
    [ ] Disable the 32-bit vDSO (needed for glibc 2.3.3)
# KSPP:
    vsyscall table for legacy applications (None)  --->
    [ ] Built-in kernel command line
# KSPP. Don't disable it if you are using "wine"
    [ ] Enable the LDT (local descriptor table)
    [ ] Enforce strict size checking for sigaltstack

1) Adjust this to the number of LOGICAL cores of your CPU (I have 32). If you have an AMD CPU, check your dmesg later for a message like this:

smpboot: 32 Processors exceeds NR_CPUS limit of 16

Yes, it was a Ryzen 7 5700X with 8 cores (16 logical cores), but it needed 32 instead of 16. The number the kernel counts here is the number of possible processors the firmware reports in the ACPI MADT, which can be more than the CPUs actually present; the dmesg message is the reliable way to see it.

2) Bear in mind that this value applies to every core of your CPU: with 1000 Hz and 32 cores that would be 32,000 timer interrupts per second. With today's high-resolution timers we really don't need that; 300 is more than enough.
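The following added example (my own script, not part of the article and not a kernel tool) performs the cpuid checks of this chapter in one pass. Instead of the cpuid tool it reads the flags line of /proc/cpuinfo, where x2apic, la57, sgx, user_shstk, lam, fred, ibt and hwp are the kernel's own names for these features, and prints the matching scripts/config commands (scripts/config is the kernel's own helper in /usr/src/linux). It also counts the possible CPUs from /sys/devices/system/cpu/possible for footnote 1. The mapping table and the function names are my own assumptions. Two caveats: /proc/cpuinfo only lists features the running kernel recognised, so on an old kernel a flag such as user_shstk can be missing although the CPU has it; and the possible CPU list is itself capped by the NR_CPUS of the running kernel.

```shell
#!/bin/sh
# Added example for this article (my own helper, not a kernel or Gentoo tool).
# Does the cpuid checks of the "Processor type and features" chapter in one
# pass from /proc/cpuinfo and prints scripts/config commands for them, plus
# the NR_CPUS floor from the kernel's list of possible CPUs (footnote 1).
#
# Caveats: /proc/cpuinfo only shows features the RUNNING kernel recognised
# (e.g. user_shstk needs a kernel >= 6.6), while the cpuid tool reads the
# hardware directly; and /sys/devices/system/cpu/possible is capped by the
# NR_CPUS of the running kernel, so read it under a generously configured
# (e.g. distribution) kernel or trust the dmesg message quoted in footnote 1.

# "flag:SYMBOL"  -> enable SYMBOL when the CPU has the flag, disable otherwise.
# "!flag:SYMBOL" -> the reverse: the option is for CPUs WITHOUT the flag
#                   (acpi-cpufreq is only needed when there is no HWP).
FLAG_MAP='x2apic:X86_X2APIC
la57:X86_5LEVEL
sgx:X86_SGX
user_shstk:X86_USER_SHADOW_STACK
lam:ADDRESS_MASKING
fred:X86_FRED
ibt:X86_KERNEL_IBT
!hwp:X86_ACPI_CPUFREQ'

# Usage: has_flag "<flags line>" <flag>   -> exit status 0 if present
has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Usage: kconfig_advice "<flags line>"
# Prints one "scripts/config --enable|--disable SYMBOL" line per table entry.
kconfig_advice() {
    ka_flags=$1
    printf '%s\n' "$FLAG_MAP" | while IFS=: read -r ka_flag ka_sym; do
        ka_if_present=enable
        ka_if_missing=disable
        case $ka_flag in
            !*) ka_flag=${ka_flag#!}
                ka_if_present=disable
                ka_if_missing=enable ;;
        esac
        if has_flag "$ka_flags" "$ka_flag"; then
            echo "scripts/config --$ka_if_present $ka_sym   # cpu flag '$ka_flag' present"
        else
            echo "scripts/config --$ka_if_missing $ka_sym   # cpu flag '$ka_flag' missing"
        fi
    done
}

# Usage: possible_cpu_count "<cpulist>"   e.g. "0-31" or "0-7,16-23"
# Counts the CPUs in a sysfs cpulist; CONFIG_NR_CPUS must be at least this.
possible_cpu_count() {
    pcc_total=0
    for pcc_item in $(printf '%s' "$1" | tr ',' ' '); do
        case $pcc_item in
            *-*) pcc_lo=${pcc_item%-*}
                 pcc_hi=${pcc_item#*-}
                 pcc_total=$((pcc_total + pcc_hi - pcc_lo + 1)) ;;
            *)   pcc_total=$((pcc_total + 1)) ;;
        esac
    done
    echo "$pcc_total"
}

# Stand-alone use on the target machine: sh cpucheck.sh
# Review the output, run the lines inside /usr/src/linux, then "make oldconfig"
# so that dependencies are resolved (X86_KERNEL_IBT also needs a compiler with
# IBT support, X86_SGX needs X86_X2APIC).
if [ -r /proc/cpuinfo ] && [ -r /sys/devices/system/cpu/possible ]; then
    cpu_flags=$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2)
    kconfig_advice "$cpu_flags"
    echo "# CONFIG_NR_CPUS must be >= $(possible_cpu_count "$(cat /sys/devices/system/cpu/possible)")"
fi
```

The output is itself valid shell, so after reading it you can apply it with sh cpucheck.sh | (cd /usr/src/linux && sh) followed by make oldconfig; the trailing comments tell you which flag each decision was based on.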

Mitigations for CPU vulnerabilities

These options - and many more - are covered in the article User:Pietinger/Tutorials/Kernel_Hardening_with_KSPP. Nothing to do here for the moment.

Power management and ACPI options

I'm not going to go into all the possible options - that would be too much - just the important/necessary ones. The same applies to all the following chapters !

KERNEL Kernel
Power management and ACPI options  --->
# MYR: I don't use it. It is your decision.
    [ ] Suspend to RAM and standby
# KSPP: "Dangerous; enabling this allows replacement of running kernel."
    [ ] Hibernation (aka 'suspend to disk')
# MYR: If you have disabled "Suspend to RAM" (and Hibernation) then enable this again (otherwise it is already activated)
    [*] Device power management core functionality
# MYR: ... but we don't need this
    [ ]   Power Management Debug Support
    [*] ACPI (Advanced Configuration and Power Interface) Support  --->
# MYR: I don't need it. It is your decision.
        [ ]   Boottime Graphics Resource Table support
# MYR: If you have an Intel CPU
    [*] Cpuidle Driver for Intel Processors

Bus options

Nothing to do here - leave the default settings.

Binary Emulations

KSPP recommends disabling 32-bit support. But you can only do this on a no-multilib system. If you have a multilib system you have nothing to do here.

KERNEL Kernel
Binary Emulations  --->
    [ ] IA32 Emulation
    [ ] x32 ABI for 64-bit mode

Virtualization

Nothing to do here.

General architecture-dependent options

KERNEL Kernel
General architecture-dependent options  --->
# New in 6.10. MYR is the same as what the <Help> says: disable it.
    [ ] Kprobes
    [*] Optimize very unlikely/likely branches

Enable the block layer

KERNEL Kernel
[*] Enable the block layer  --->
# New in 6.8. Check that this is already enabled ... it is important.
    [*]   Allow writing to mounted block devices
    IO Schedulers  --->
# MYR: I don't need them. It is your decision.
        < > MQ deadline I/O scheduler
        < > Kyber I/O scheduler

Nothing else to do here, because in "Partition Types" both important options are already enabled (PC BIOS (MSDOS partition tables) and EFI GUID Partition support). You would need more only if you really have unusual partition types like Minix, Solaris, Sun, Amiga or Macintosh partitions.

Executable file formats

KERNEL Kernel
Executable file formats  --->
# KSPP: "Easily confused by misconfigured userspace, keep off."
    < > Kernel support for MISC binaries

Memory Management options

KERNEL Kernel
Memory Management options  --->
# KSPP: You would also get all the options in this submenu as soon as you make the KSPP settings; but we can also do it right away ;-)
    SLAB allocator options  --->
        [ ] Configure for minimal memory footprint
        [ ] Allow slab caches to be merged
        [*] Randomize slab freelist
        [*] Harden slab freelist metadata
# New in 6.11. If you update an existing 6.10 configuration, enable this new option; MYR too.
        [*] Support allocation from separate kmalloc buckets
        [ ] Enable performance statistics
        [*] Enable per cpu partial caches
        [*] Randomize slab caches for normal kmalloc
# KSPP:
        (65536) Low address space to protect from user allocation
# MYR:
    [*] Transparent Hugepage Support  --->
        Transparent Hugepage Support sysfs defaults (madvise)  --->
# MYR:
    [*] Multi-Gen LRU
    [*]   Enable by default

Networking support

Here I will only deactivate options that are not needed in a private setting. If your machine sits in a modern network environment with high-end switches and enterprise routers you surely know what you need for fancy things like QoS (Quality of Service), and you will not disable it. If you don't know what it is and your machine is only connected to your DSL modem, you can disable all of this without fear ... if necessary you can enable it again later ;-)

(Since everything here is just a recommendation from me, I will save myself the labelling with "MYR".)

KERNEL Kernel
[*] Networking support  --->
    Networking options  --->
        < > Transformation user configuration interface
# If you do some p2p file transfers you need multicasting; try disabling it and check whether you really need it
        [ ]   IP: multicasting
        [ ]   IP: advanced router
        [ ]   IP: kernel level autoconfiguration
        [ ]   TCP: advanced congestion control
        [ ]   TCP: MD5 Signature Option support (RFC2385)
# I am not a fan of IPv6 (because of privacy problems); if you need it you will not disable it
        < >   The IPv6 protocol
        [ ]   NetLabel subsystem support
        [ ] Security Marking
# Here you can build a firewall. Please read my recommendation below.
        [*] Network packet filtering framework (Netfilter)  --->
            [*]   Advanced netfilter configuration
            ... everything as <M>odule (if possible)
        [ ] QoS and/or fair queueing
# This can only be deactivated later, and only if you (like me) do not need NETWORK_FILESYSTEMS
        < > DNS Resolver support

# I don't want WLAN. However, it can only be deactivated once "Wireless LAN" has been disabled in Device Drivers -> Network device support -> Wireless LAN.
    [ ]   Wireless
# I also have no Bluetooth. Don't disable it if you want WLAN OR Bluetooth
    < >   RF switch subsystem support
    < >   Plan 9 Resource Sharing Support (9P2000)
# The following option can only be deactivated once we have deactivated every VIRTIO module in "Device Drivers" (which we want when we are not running in a VM).
    < >   Generic failover module
# Disable this if you have a problem with an e1000e module after resume (see: https://forums.gentoo.org/viewtopic-t-1166274.html )
    [ ]   Netlink interface for ethtool

If you want to configure a firewall with iptables or nftables I recommend: enable ALL options in this submenu as <M>odule. Later you will build your firewall; once it is finished, check with "lsmod" which modules your firewall configuration really uses. After that you can build the needed modules statically (if you want) and disable all the others. If you don't want a firewall (I don't recommend that) you can disable the complete submenu.

Device Drivers

Now we have a big task in our driver section ...

KERNEL Kernel
Device Drivers  --->
# Enable all of these if you have USB Type-C and/or Thunderbolt
    [*] PCI support  --->
        [*] PCI Express Port Bus support
        [*]   PCI Express Hotplug driver
        [*] Support for PCI Hotplug  --->
            [*] ACPI PCI Hotplug driver
# If you don't have a notebook with an old PCMCIA slot:
    < > PCCard (PCMCIA/CardBus) support
    [*] Block devices  --->
# MYR: I don't run in a VM
        < >   Virtio block driver
    Misc devices  --->
# MYR: I don't like it (and fortunately I don't need it). You may need it though (e.g. for sound via SoC).
        < > Intel Management Engine Interface
    SCSI device support  --->
# MYR: I don't have a CD-ROM
        < > SCSI CDROM support
        [*] SCSI low-level drivers  --->
# MYR: I don't run in a VM
            < >   virtio-scsi support
    <*> Serial ATA and Parallel ATA drivers (libata)  --->
# If you have a modern machine and the module "ahci" appears in your "lspci -k" output you need this (MUST HAVE)
        <*>   AHCI SATA support
# ... and you can disable the whole section if it does not appear in your "lspci -k":
        [ ]   ATA SFF support (for legacy IDE and PATA)
# If you need one of them, disable all others in this submenu; if you don't use dm-crypt or RAID disable it completely:
    [ ] Multiple devices driver support (RAID and LVM)
# MYR: I don't have a Mac
    [ ] Macintosh device drivers
    [*] Network device support  --->
# MYR: I don't need / use it
        < >     Network console logging support
# MYR: I don't run in a VM
        < >     Virtio network driver
# In this submenu enable only your Ethernet driver (see your "lspci -k") and disable all others
        [*]   Ethernet driver support  --->
# MYR: I don't have such an adapter
        < >   USB Network Adapters
# MYR: I don't have WLAN; if you have it use our wiki articles
        [ ]   Wireless LAN
        < >   Failover driver

# See my comment below [1]
        Input device support  --->
        < >   Support for memoryless force-feedback devices
        < >   Sparse keymap support library
        <*>   Mouse interface
        [*]     Provide legacy /dev/psaux device
        [?] Keyboards  --->
            <?> AT keyboard
        [ ]   Mice  --->
        [ ]   Joysticks/Gamepads  --->
        [ ]   Tablets  --->
        [ ]   Touchscreens  --->
        [ ]   Miscellaneous devices  --->
        Hardware I/O ports  --->
            < > Serial I/O support

    Character devices  --->
# KSPP: "Make sure line disciplines can't be autoloaded"
        [ ]   Automatically load TTY Line Disciplines
# MYR: If your machine has no serial port (like mine) you don't need this
        Serial drivers  --->
            < > 8250/16550 and compatible serial support
# MYR: I don't have it
        [ ]   Non-standard serial port support
# MYR: I don't run in a VM
        < > Virtio console
# MYR: I don't have it
        < > Hardware Random Number Generator Core support
# KSPP: "Do not allow direct physical memory access"
        [ ] /dev/mem virtual device support

    I2C support  --->
# Here you will need your list from "lsmod"; disable and enable what you need:
        I2C Hardware Bus support  --->
# Most Intel Machines use this
            <*> Intel 82801 (ICH/PCH)
# Many AMD machines use this (or one of the AMD drivers; look in your lsmod-list)
            <*> Intel PIIX4 and compatible (ATI/AMD/Serverworks/Broadcom/SMSC)
    [*] SPI support  --->
    -*- Pin controllers  --->
# for AMD enable this:
        [*]   AMD GPIO pin control
# for Intel see my comment below [2]
        Intel pinctrl drivers  --->

    -*- Hardware Monitoring support  --->
# MYR: If you later use a system monitor ...
        <*>   Hard disk drives with temperature sensors
# MYR: ... and you have an Intel CPU:
        <*>   Intel Core/Core2/Atom temperature sensor
# MYR: I don't need / use it. It is your decision:
    [ ] Watchdog Timer Support
# MYR: I don't run in a VM
    Graphics support  --->
        <*> Direct Rendering Manager (XFree86 4.1.0 and higher DRI support)  --->
            < > Virtio GPU driver
    [*] Compute Acceleration Framework  --->
# Enable this if you have an Intel Meteor Lake (Core Ultra) or newer CPU with an NPU, and read the <Help>
        <*>   Intel VPU for Meteor Lake and newer
    [*] USB support  --->
# New in 6.7. If you have an Intel CPU disable it
        [ ]     AMD PCI USB host support
# Disable this only if you really don't have a modern machine with USB 3.0
        <*>   xHCI HCD (USB 3.0) support
# If you have old USB 2.0 or 1.1 controllers: look at the output of "lspci -k".
# If you don't find any module named ehci, ohci or uhci in your "lspci -k" you don't have them!
        <?>   EHCI HCD (USB 2.0) support
        <?>   OHCI HCD (USB 1.1) support
        <?>   UHCI HCD (most Intel and VIA) support
        <*>   USB Mass Storage support
        <*>     USB Attached SCSI
# If you have a USB Type-C (it is almost at the end of the USB menu):
        <*>   USB Type-C Support  --->
            <*>   USB Type-C Port Controller Manager
# and if you want to connect a DisplayPort display to it:
        USB Type-C Alternate Mode drivers  --->
            <*> DisplayPort Alternate Mode driver
# MYR: I don't run in a VM
    [ ] Virtio drivers
    -*- X86 Platform Specific Device Drivers  --->
# MYR: I dont need / use it. It is your decision:
        < >     WMI embedded Binary MOF driver
# MYR: I dont have an Eee PC
        < >   Eee PC Hotkey Driver
# MYR: I dont need / use it. It is your decision:
    -*- NVMEM Support  --->
        [ ]   /sys/bus/nvmem/devices/*/nvmem (sysfs interface)

1) If your keyboard and your mouse are connected via USB and you use the evdev module (<*> Event interface), you can disable all of this. Two of the options can only be deactivated once the unnecessary HID drivers have been disabled. Enable "AT keyboard" only if you want to boot from an encrypted root partition, or if you really have an old PS/2 keyboard (in that case you cannot disable "Serial I/O support").

2) You may not be able to tell from your lsmod list which pinctrl driver you need, so you have to find it out! You can find the code names here: [[2]]. If you are unsure, enable every module in this submenu. Note: if you have a machine with a 12th generation Intel CPU, you may need TigerLake instead of AlderLake (so check both). This was the case with: Dell XPS 9520, System76 Darter Pro 8 and MSI Katana GF66.

File systems

KERNEL Kernel
File systems  --->
# MYR: If you have systemd, then it is already enabled
    [*] Filesystem wide access notification
# MYR: I don't need it. It is your decision.
    [ ] Quota support
# MYR: I don't need it. It is your decision. If you have systemd, then it is hard-enabled
    < > Kernel automounter support (supports v3, v4 and v5)
# MYR: If you don't use a network file server (like me):
    [ ] Network File Systems

Security options

Disable SELinux and the integrity subsystem, because you have neither (believe me, you would need a lot more than this option for IMA). If you don't know IMA and want to know what it is, you could read my article, where I try to explain it (though I am not sure it helps): User:Pietinger/Draft/IMA. Leave "Enable different security models" enabled ... you will need it later for KSPP.

KERNEL Kernel
Security options  --->
    [*] Enable different security models
    [ ] NSA SELinux Support
    [ ] Integrity subsystem
# Only needed by security modules that mediate networking (SELinux selects it). If you later enable such a module, Kconfig turns it back on.
    [ ] Socket and Networking Security Hooks
    Kernel hardening options  --->
# This is a requirement for enabling Gentoo KSPP
        Randomize layout of sensitive kernel structures (Limit randomization of structure layout to cache-lines)  --->

Cryptographic API

After all this is done, go into every submenu here and disable every algorithm that is not hard-enabled with -*-. Make a note of all algorithms that are hard-enabled. If your root partition is encrypted, the ciphers and hashes your disk encryption uses must of course stay enabled too, even if they only show up as modules. If you have a modern CPU ("lscpu" shows "pclmulqdq" and "sse4_2" in its Flags line), then enable in this submenu these two options plus the accelerated implementation of every algorithm on your list:

KERNEL Kernel
Cryptographic API  --->
    Accelerated Cryptographic Algorithms for CPU (x86)  --->
        [*] CRC32c (SSE4.2/PCLMULQDQ)
        [*] CRC32 (PCLMULQDQ)

Library routines

If you have a 4K monitor and the console font is too small, you can switch to a larger font here. Otherwise there's really nothing to do here.

KERNEL Kernel
Library routines  --->
    [*] Select compiled-in fonts
        [*] Terminus 16x32 font (not supported by all drivers)

Kernel hacking

User:Pietinger/Tutorials/Kernel_Hardening_with_KSPP will configure a few things here later. Some things can already be done now, such as deactivating “Debug Filesystem”.

KERNEL Kernel
Kernel hacking  --->
# MYR: I don't need / use it. It is your decision:
    [ ] Remote debugging over FireWire early on boot
# This must be deactivated first, because it selects DEBUG_FS; otherwise you cannot switch DEBUG_FS off.
    [*] Tracers  --->
        [ ]   Support for tracing block IO actions
# Now it can be deactivated (it may already be off)
    Generic Kernel Debugging Instruments  --->
        [ ] Debug Filesystem
    Memory Debugging  --->
# MYR: I don't use sysrq-T and sysrq-P and don't want to slow down process creation. The <Help> says it all.
        [ ] Stack utilization instrumentation
# This option was a default in 6.1. It is no longer a default ... but if you did a "make oldconfig" you still have it. Time to disable it.
    [ ] Debug preemptible kernel
    x86 Debugging  --->
# MYR: The <Help> says it all.
        [ ] Early printk
# New in 6.8. MYR: I don't like it. It is your decision (read the <Help>).
        [?] Debug low-level entry code

Special hardware

Thunderbolt

If you have Thunderbolt and you search with / for the module "thunderbolt", you will find only INTEL_WMI_THUNDERBOLT. But this is the wrong driver; you need instead:

KERNEL Kernel
Device Drivers  --->
    [*] Unified support for USB4 and Thunderbolt  --->

Enable only this option. Don't enable "write by debugfs" in this submenu! Its prompt is marked DANGEROUS for a reason: it allows writing to the controllers' configuration spaces from user space. Maybe you want to read this (it also explains the security levels that protect against DMA attacks from Thunderbolt devices): https://docs.kernel.org/admin-guide/thunderbolt.html

I2C Touchpad

If you have a notebook with a touchpad connected via I2C, you will in most cases need this:

KERNEL Kernel
Device Drivers  --->
    [*] HID bus support  --->
        Special HID drivers  --->
            <*> HID Multitouch panels
        <*>   I2C HID support  --->
            <*>   HID over I2C transport layer ACPI driver

Of course, I2C AND pinctrl must be configured correctly (you must know: I2C needs pinctrl!). If you have a special I2C host controller (e.g. Synopsys DesignWare) you must enable it as well. I wrote a (German) article in our Gentoo forum with all the settings you will need for such a touchpad: [[3]]

Serial Bus Multi Instantiate

If you have a problem with your sound, you might enable this (SPI is necessary before CONFIG_SERIAL_MULTI_INSTANTIATE becomes visible):

KERNEL Kernel
Device Drivers  --->
    [*] SPI support  --->

    -*- X86 Platform Specific Device Drivers  --->
        [*]   Serial bus multi instantiate pseudo device driver

(This was a problem with an Asus Zephyrus G14 using the Cirrus speaker amplifier CS35L56: https://forums.gentoo.org/viewtopic-p-8826751.html#8826751 )

After the First Start of this Kernel

Do not start this kernel yet. Go back to the article User:Pietinger/Tutorials/Manual_kernel_configuration ! Come back when all is done ;-)

Remove unnecessary HID Drivers

After your first boot with this kernel configuration, you can check which HID drivers you actually use with:

root #dmesg | grep input

Now you can disable all the others you don't need in this submenu:

KERNEL Kernel
Device Drivers  --->
    [*] HID bus support  --->
        Special HID drivers  --->
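
To turn the dmesg output into a list of candidates for this submenu, you have to match every driver that bound a device against the CONFIG_HID_* symbols in your .config. The following script is an example added here; it is not part of the original article or of the kernel tree. It works on a constructed "dmesg | grep input" excerpt and a constructed .config fragment, prints the HID drivers that bound a device, and prints every enabled CONFIG_HID_* symbol for which no such driver appeared. Deriving the Kconfig symbol from the driver name (hid-multitouch -> CONFIG_HID_MULTITOUCH, apple -> CONFIG_HID_APPLE) is an assumed heuristic, not a rule of the kernel build system.

```sh
#!/bin/sh
# Added example: compare the HID drivers that actually bound a device
# (from "dmesg | grep input") with the CONFIG_HID_* symbols enabled in a
# .config, to find drivers that are candidates for disabling.

# Constructed sample of "dmesg | grep input" output (not a real capture).
SAMPLE_DMESG='[    1.912345] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
[    2.345678] hid-generic 0003:046D:C52B.0001: input,hidraw0: USB HID v1.11 Keyboard [Logitech USB Receiver] on usb-0000:00:14.0-2/input0
[    2.345900] hid-generic 0003:046D:C52B.0002: input,hidraw1: USB HID v1.11 Mouse [Logitech USB Receiver] on usb-0000:00:14.0-2/input1
[    2.401234] hid-multitouch 0018:04F3:2A1C.0003: input,hidraw2: I2C HID v1.00 Mouse [ELAN2A1C:00 04F3:2A1C] on i2c-ELAN2A1C:00
[    9.123456] apple 0005:05AC:0255.0004: input,hidraw3: BLUETOOTH HID v1.30 Keyboard [Apple Wireless Keyboard] on 00:00:00:00:00:00'

# Constructed .config fragment (not a real one); =y and =m both count as enabled.
SAMPLE_CONFIG='CONFIG_HID=y
CONFIG_HID_GENERIC=y
CONFIG_HID_APPLE=y
# CONFIG_HID_ASUS is not set
CONFIG_HID_LOGITECH=y
CONFIG_HID_MULTITOUCH=y
CONFIG_HID_SENSOR_HUB=m'

# hid_drivers_in_use: read dmesg text on stdin and print, sorted and
# deduplicated, the name of every HID driver that bound a device. Such
# lines look like "<driver> BBBB:VVVV:PPPP.NNNN: input,hidraw0: ...";
# an optional "[ timestamp] " prefix is skipped, other lines are ignored.
hid_drivers_in_use() {
    sed -n 's/^\(\[[^]]*\] *\)\{0,1\}\([a-z][a-z0-9_-]*\) [0-9A-Fa-f]\{4\}:[0-9A-Fa-f]\{4\}:[0-9A-Fa-f]\{4\}\.[0-9A-Fa-f]\{4\}:.*/\2/p' \
        | LC_ALL=C sort -u
}

# driver_to_symbol: derive the Kconfig symbol from the driver name by the
# usual convention (strip a leading "hid-", upper-case, "-" becomes "_").
# This is a heuristic assumed by this example: a few drivers register under
# a name that differs from their Kconfig name and must be matched by hand.
driver_to_symbol() {
    printf 'CONFIG_HID_%s\n' "${1#hid-}" \
        | sed 'y/abcdefghijklmnopqrstuvwxyz-/ABCDEFGHIJKLMNOPQRSTUVWXYZ_/'
}

# unused_hid_symbols: given dmesg text ($1) and .config text ($2), print
# every enabled CONFIG_HID_* symbol for which no driver bound a device.
# These are the candidates to review under "Special HID drivers".
unused_hid_symbols() {
    used=$(printf '%s\n' "$1" | hid_drivers_in_use \
        | while read -r drv; do driver_to_symbol "$drv"; done)
    printf '%s\n' "$2" | sed -n 's/^\(CONFIG_HID_[A-Z0-9_]*\)=[ym]$/\1/p' \
        | while read -r sym; do
            printf '%s\n' "$used" | grep -qx -- "$sym" || printf '%s\n' "$sym"
        done
}

echo 'HID drivers that bound a device:'
printf '%s\n' "$SAMPLE_DMESG" | hid_drivers_in_use
echo 'Enabled CONFIG_HID_* symbols without a bound driver (review these):'
unused_hid_symbols "$SAMPLE_DMESG" "$SAMPLE_CONFIG"
```

On your own machine, source the functions and feed them real data, e.g. `dmesg | hid_drivers_in_use` and `unused_hid_symbols "$(dmesg)" "$(cat /usr/src/linux/.config)"`. Treat the result as a list to review, not to apply blindly: a driver whose registered name differs from its Kconfig name (the Logitech DJ receiver driver, for instance, registers under names beginning with logitech-dj) shows up as "unused" although it is in use, and a device that has not been plugged in since boot leaves no dmesg line at all.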

Monolithic Kernel

I mentioned that you can switch off module support. Only do this when you have done everything else (e.g. the firewall).

There is now a small pitfall if you are using the new Intel Xe graphics driver (DRM_XE). It can only be built as a module, or built in when KUnit is enabled. This means that before you can switch off module support, you must activate KUnit:

KERNEL Kernel
Kernel hacking  --->
    Kernel Testing and Coverage  --->
        [*] KUnit - Enable support for unit tests

Before you switch off the module support you should really have done everything else.