User:Pietinger/Tutorials/Manual Configuring Kernel Version 6.1
Manual Configuring Kernel Version 6.1
Please read User:Pietinger/Tutorials/Manual_kernel_configuration before you start here. Only our Gentoo default sources will be used.
I am not happy with the default configuration we get right after emerging gentoo-sources (or after a "make defconfig"). Why? Today everything must be "user-friendly", and therefore many options are enabled by default which are not necessary. The best example: all options for an Intel CPU and an AMD CPU are enabled ... but you can have only one of them in your machine ;-)
On the other hand, some options are not enabled by default which you MUST HAVE to be able to boot your machine. In this article I will describe a complete TOUR through your kernel configuration in three parts.
First we change some options to be able to reach all options we need. Then we disable everything we really don't need. In part 3 we enable everything we MUST HAVE. There I will also give you a list of links you will need for the specific components in your computer.
Part 1 - Main Menu
If you have never done a make menuconfig it can be confusing what to do and where to start. Let me say some general words about the main menu. But first we start with one important setting. Enable this:
General setup --->
    [*] Configure standard kernel features (expert users) --->
Sometimes our kernel configuration is funny. In the next step we must disable something, depending on whether we have an AMD or an Intel CPU. If you have an Intel CPU you might be surprised that you cannot disable AMD ... Go into:
Processor type and features --->
    [*] Supported processor vendors --->
You will get this menu:
--- Supported processor vendors
    [*] Support Intel processors
    -*- Support AMD processors
    [*] Support Hygon processors
    [*] Support Centaur processors
    [*] Support Zhaoxin processors
The funny thing is, you must first disable "Hygon processors" to be able to disable "AMD processors". Of course you will not disable it if you have an AMD CPU. When you are finished here, only one vendor should be enabled. This step is important to be able to disable some options later which you don't need (e.g. Intel P-State).
The last line Gentoo Linux ---> exists only in our gentoo-sources. If you have other sources (e.g. vanilla) this menu will be missing. If you are using OpenRC as init system you have nothing to do here. If you are using systemd you must enable one option - which is usually already enabled by your systemd stage3. So we only check here that it is correct:
Gentoo Linux --->
    Support for init systems, system and service managers --->
        [*] OpenRC, runit and other script based systems and managers
        [ ] systemd
In the second-to-last entry, Kernel hacking --->, you really should only change something with specific instructions! You will also never need Library routines ---> because all necessary modules here will be selected (=enabled) automatically by other options - with one exception: here you can change the selected font. At the moment you are not able to do this because one other option is not enabled. If you press z in this menu you can see that it is disabled at the moment:
Library routines --->
    - - Select compiled-in fonts
Now look into the help of this option and you will see why it is not possible:
Depends on: FONT_SUPPORT [=y] && (FRAMEBUFFER_CONSOLE [=n] || STI_CONSOLE [=n])
Now press z again and exit this menu. Yes, we really need FRAMEBUFFER_CONSOLE - it is a MUST HAVE - and we do this in part 3.
The same is true for Cryptographic API --->. Usually all necessary modules here will be selected automatically (with one exception: dm-crypt; but you will find instructions in every description for dm-crypt). At the moment many options are enabled because some other options are still enabled (e.g. WLAN, IPsec). If we disable WLAN or IPv6 (or both) in the next part we can also disable some of these cryptographic modules later. In part 3 I will explain what you really need here.
One option in the main menu you should think about at the very end, when everything else is done: [*] Enable loadable module support ---> Why? I highly recommend configuring all necessary modules statically into the kernel - because you will always need your ethernet and graphics module ... If we do this, we don't need loadable module support anymore and we can disable it ... and now we have a monolithic kernel. Why do we want this? Because it is more secure. KSPP also recommends disabling module support or working with signed modules. But for the moment we don't change it; you can think about it later.
Part 2 - Slim kernel
First of all we disable everything we don't need. Some of these settings are also recommended by KSPP. Others we disable because we have either an Intel or an AMD CPU. Finally we disable some options only if we don't use them. If you already know you will use WLAN then - of course - you will not disable it.
General setup --->
    [ ] Automatically append version information to the version string
    -*- Control Group support --->
        [ ] Debug controller
    # We don't need an initramfs when we configure our kernel ourselves
    [ ] Initial RAM filesystem and RAM disk (initramfs/initrd) support
    [ ] Preserve cpio archive mtimes in initramfs
    # If you need this, you would know it ;-)
    [ ] Profiling support
Processor type and features --->
    [ ] Support for extended (non-PC) x86 platforms
    # If you need this, you would know it ;-)
    [ ] Linux guest support
    # Enable only one of them:
    [?] Intel MCE features
    [?] AMD MCE features
    # Go into this menu and enable Intel or AMD
    Performance monitoring --->
    [ ] Enable support for 16-bit segments
    [ ] Enable vsyscall emulation
    # Enable only one of them:
    [?] Intel microcode loading support
    [?] AMD microcode loading support
    # Dangerous - this is the first KSPP recommendation:
    < > /dev/cpu/*/msr - Model-specific register support
    # You don't have so much RAM ;-) (and it costs only performance for nothing)
    [ ] Enable 5-level page tables support
    # If you have an Intel CPU:
    [ ] Old style AMD Opteron NUMA detection
    # Only a very old machine needs this:
    [ ] EFI mixed-mode support
    # KSPP recommendation: "Dangerous; enabling this allows replacement of running kernel."
    [ ] kexec system call
    [ ] kernel crash dumps
    # The next one should already be disabled. We check it only because it is a security problem (also a KSPP recommendation):
    [ ] Disable the 32-bit vDSO (needed for glibc 2.3.3)
    # Dangerous - KSPP recommendation:
    [ ] Enable the LDT (local descriptor table)
Power management and ACPI options --->
    # I don't use it. It is your decision.
    [ ] Suspend to RAM and standby
    # KSPP recommendation: "Dangerous; enabling this allows replacement of running kernel."
    [ ] Hibernation (aka 'suspend to disk')
    [ ] Power Management Debug Support
    [*] ACPI (Advanced Configuration and Power Interface) Support --->
        # I don't need it. It is your decision.
        [ ] Boottime Graphics Resource Table support
[*] Enable the block layer --->
    IO Schedulers --->
        # I don't need them. It is your decision
        < > MQ deadline I/O scheduler
        < > Kyber I/O scheduler
Executable file formats --->
    # KSPP recommendation: "Easily confused by misconfigured userspace, keep off."
    < > Kernel support for MISC binaries
File systems --->
    # I don't need it. It is your decision.
    [ ] Quota support
    < > Old Kconfig name for Kernel automounter support
    < > Kernel automounter support (supports v3, v4 and v5)
    Pseudo filesystems --->
        # KSPP recommendation: "Dangerous; exposes kernel text image layout."
        [ ] /proc/kcore support
    [ ] Miscellaneous filesystems
    # If you have no network server (like me):
    [ ] Network File Systems
Kernel hacking --->
    [*] Tracers --->
        [ ] Support for tracing block IO actions
    Generic Kernel Debugging Instruments --->
        [ ] Debug Filesystem
Before we do the driver section, we clean out SELinux and integrity. Leave "Enable different security models" enabled ... you will need it later for KSPP.
Security options --->
    [*] Enable different security models
    [ ] NSA SELinux Support
    [ ] Integrity subsystem
    [ ] Socket and Networking Security Hooks
Now we have a big task in our driver section:
Device Drivers --->
    # This is a must-have for all modern machines! (and it must be enabled to have Intel IOMMU support later)
    [*] PCI support --->
        [*] Message Signaled Interrupts (MSI and MSI-X)
    # If you don't have a notebook with an old PCMCIA slot
    < > PCCard (PCMCIA/CardBus) support
    [*] Block devices --->
        # I don't run in a VM
        < > Virtio block driver
    SCSI device support --->
        # I don't have a CD-ROM
        < > SCSI CDROM support
        [*] SCSI low-level drivers --->
            # I don't run in a VM
            < > virtio-scsi support
    <*> Serial ATA and Parallel ATA drivers (libata) --->
        # If you have a modern machine and you had the module "ahci" in your "lspci -k" then you need (MUST HAVE) this
        <*> AHCI SATA support
        # ... and you can disable the whole section (if not in your "lspci -k"):
        [ ] ATA SFF support (for legacy IDE and PATA)
    # If you need one of them, disable all others in this submenu; if you don't use dm-crypt or a RAID, disable it completely:
    [ ] Multiple devices driver support (RAID and LVM)
    # I don't have a Mac
    [ ] Macintosh device drivers
    [*] Network device support --->
        # I don't need / use it
        < > Network console logging support
        # I don't run in a VM
        < > Virtio network driver
        # In this submenu enable only your ethernet module (see your "lspci -k") and disable all others
        [*] Ethernet driver support --->
        # I don't have such an adapter
        < > USB Network Adapters
        # I don't have WLAN; if you have it, use our Wiki articles
        [ ] Wireless LAN
    Input device support --->
        # If your keyboard and your mouse are connected via USB and you are using the evdev module you can disable all of this:
        [ ] Keyboards --->
        [ ] Mice --->
        [ ] Joysticks/Gamepads --->
        [ ] Tablets --->
        [ ] Touchscreens --->
        [ ] Miscellaneous devices --->
        Hardware I/O ports --->
            < > Serial I/O support
    Character devices --->
        # KSPP recommendation: "Make sure line disciplines can't be autoloaded"
        [ ] Automatically load TTY Line Disciplines
        # If your machine has no serial port (like mine) you don't need this
        Serial drivers --->
            < > 8250/16550 and compatible serial support
        # I don't have it
        [ ] Non-standard serial port support
        # I don't run in a VM
        < > Virtio console
        # I don't have it
        < > Hardware Random Number Generator Core support
        # KSPP recommendation: "Do not allow direct physical memory access"
        [ ] /dev/mem virtual device support
    # Here you will need your list from "lsmod"; disable and enable what you need:
    I2C support --->
    # I don't need / use it. It is your decision:
    [ ] Watchdog Timer Support
    # I don't run in a VM; we have to make more - important - changes here which I will explain in part 3
    Graphics support --->
        < > Virtio GPU driver
    [*] USB support --->
        # Disable this only if you really don't have a modern machine using USB 3.0
        [*] xHCI HCD (USB 3.0) support
        # If you have old USB 2.0 or 1.1; look into your output from "lspci -k"
        # If you don't find any module named ehci, ohci or uhci in your "lspci -k" you don't have it!
        [?] EHCI HCD (USB 2.0) support
        [?] OHCI HCD (USB 1.1) support
        [?] UHCI HCD (most Intel and VIA) support
        [*] USB Mass Storage support
            [*] USB Attached SCSI
    # I don't run in a VM
    [ ] Virtio drivers
    -*- X86 Platform Specific Device Drivers --->
        # I don't need / use it. It is your decision:
        < > WMI embedded Binary MOF driver
        # I don't have an Eee PC
        < > Eee PC Hotkey Driver
    # Here we also enable one important option; and disable Intel or AMD
    [*] IOMMU Hardware Support --->
        # KSPP recommendation: "Force IOMMU TLB invalidation so devices will never be able to access stale data contents"
        IOMMU default domain type (Translated - Strict) --->
        # For Intel enable this (for AMD do the opposite):
        [ ] AMD IOMMU support
        [*] Support for Intel IOMMU using DMA Remapping Devices
        [*] Support for Shared Virtual Memory with Intel IOMMU
        [*] Enable Intel DMA Remapping Devices by default
        [*] Enable Intel IOMMU scalable mode by default
        [*] Support for Interrupt Remapping
    # I don't need / use it. It is your decision:
    -*- NVMEM Support --->
        [ ] /sys/bus/nvmem/devices/*/nvmem (sysfs interface)
Finally we can disable some options in our network stack before we switch to part 3. If your machine is in a modern network environment with high-end switches and enterprise routers you surely know what you will need for fancy things like QoS (Quality of Service) and you will not disable it. If you don't know what it is and your machine is only connected to your DSL modem you can disable all of this without fear ... if necessary you can enable it again later ;-)
[*] Networking support --->
    Networking options --->
        < > Transformation user configuration interface
        # If you do some p2p file transfers you need multicasting; try disabling it and check if you really need it
        [ ] IP: multicasting
        [ ] IP: advanced router
        [ ] IP: kernel level autoconfiguration
        [ ] TCP: advanced congestion control
        [ ] TCP: MD5 Signature Option support (RFC2385)
        # I am not a fan of IPv6 (because of privacy problems); if you need it you will not disable it
        < > The IPv6 protocol
        [ ] NetLabel subsystem support
        [ ] Security Marking
        # Here you can set up a firewall. Please read my recommendation below.
        [*] Network packet filtering framework (Netfilter) --->
        [ ] QoS and/or fair queueing
        < > DNS Resolver support
    [ ] Wireless
    < > RF switch subsystem support
    < > Plan 9 Resource Sharing Support (9P2000)
If you want to configure a firewall with iptables or nftables I recommend: enable ALL options in this submenu as <M>odule. Later you will build your firewall; after this is finished, check with "lsmod" which modules you really need for your firewall configuration. Afterwards you can enable all needed modules statically (if you want) and disable all others you don't need. If you don't want a firewall (I don't recommend that) then you can disable the complete submenu.
After all this is done you may now go into every submenu of Cryptographic API ---> and disable every module which is not hard-enabled with -*- (we will enable something in part 4).
Before we switch to part 3 we take care of two more main menu entries:
KSPP recommends disabling 32-bit support. But you can do this only if you have a no-multilib system.
Binary Emulations ---> [ ] IA32 Emulation
If you don't use it, disable also:
[ ] Virtualization ----
Part 3 - Must Haves
... no discussion ... just do it ;-) Enable all of these statically (<*>) into your kernel! One part of these settings is also described in Framebuffer. I think nobody needs VGA anymore; to be on the safe side you can also enable the "simple framebuffer"; actually you will need only one of "VESA" or "EFI-based"; with both enabled you are on the safe side and should not run into the problem of a black screen (or being stuck at "Loading ..." when using grub as boot manager).
# If you have an AMD or Intel NOTEBOOK, or if you have seen the module "intel_lpss" in your output from "lspci -k"
Processor type and features --->
    [?] Intel Low Power Subsystem Support
    [?] AMD ACPI2Platform devices support
Device Drivers --->
    Firmware Drivers --->
        EFI (Extensible Firmware Interface) Support --->
            # We need EFI runtime services for "efibootmgr", so we disable the "Disable" and thereby enable it ;-)
            [ ] Disable EFI runtime services support by default
    Graphics support --->
        Frame buffer Devices --->
            <*> Support for frame buffer devices --->
                [*] VESA VGA graphics support
                [*] EFI-based Framebuffer Support
        Console display driver support --->
            [*] Framebuffer Console support
File systems --->
    Pseudo filesystems --->
        <*> EFI Variable filesystem
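As an added example (my own script, not part of this tutorial or of gentoo-sources), here is a small POSIX sh audit of a saved .config against the settings part 2 switches off and parts 2 and 3 require. It assumes the CONFIG_* symbol names behind the menuconfig labels (taken from the kernel's Kconfig, the mapping is mine, not the page's), treats a symbol that never appears in .config as "absent" (what you saw above with "Select compiled-in fonts" when a "Depends on:" is not met), and runs against a constructed sample when given no file.

```shell
#!/bin/sh
# Added example: audit a kernel .config against the tutorial's settings.
# CONFIG_* names are the Kconfig symbols behind the menuconfig labels; the
# sample written by write_sample_config() is constructed, not a real config.
# want|symbol|menuconfig label   (want n = "[ ]"/"< >", want y = built in)
CHECKS='
n|CONFIG_X86_MSR|/dev/cpu/*/msr - Model-specific register support
n|CONFIG_KEXEC|kexec system call
n|CONFIG_CRASH_DUMP|kernel crash dumps
n|CONFIG_HIBERNATION|Hibernation (suspend to disk)
n|CONFIG_MODIFY_LDT_SYSCALL|Enable the LDT (local descriptor table)
n|CONFIG_PROC_KCORE|/proc/kcore support
n|CONFIG_DEVMEM|/dev/mem virtual device support
n|CONFIG_LDISC_AUTOLOAD|Automatically load TTY Line Disciplines
y|CONFIG_IOMMU_DEFAULT_DMA_STRICT|IOMMU default domain type (Translated - Strict)
y|CONFIG_FRAMEBUFFER_CONSOLE|Framebuffer Console support
y|CONFIG_EFIVAR_FS|EFI Variable filesystem'
# config_state FILE SYMBOL -> y, m, n or absent ("absent" = the symbol never
# reached its menu, usually because a "Depends on:" is not met; counts as n)
config_state() {
    line=$(grep -E "^(# )?$2[= ]" "$1" | head -n 1 || true)
    case "$line" in
        "$2=y")            echo y ;;
        "$2=m")            echo m ;;
        "# $2 is not set") echo n ;;
        *)                 echo absent ;;
    esac
}
# audit_config FILE -> one line per deviation from the tutorial's settings
audit_config() {
    while IFS='|' read -r want sym label; do
        [ -n "$sym" ] || continue
        state=$(config_state "$1" "$sym")
        case "$want$state" in
            ny|nm) echo "should be off: $sym=$state ($label)" ;;
            n*|yy) ;;
            *)     echo "should be built in: $sym=$state ($label)" ;;
        esac
    done <<EOF
$CHECKS
EOF
}
# Constructed sample (not from a real machine): MSR as module, LDT and crash
# dumps on, framebuffer console off, EFI variable filesystem missing entirely.
write_sample_config() {
    cat >"$1" <<'EOF'
CONFIG_X86_MSR=m
# CONFIG_KEXEC is not set
CONFIG_KEXEC_FILE=y
CONFIG_CRASH_DUMP=y
CONFIG_MODIFY_LDT_SYSCALL=y
# CONFIG_DEVMEM is not set
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
# CONFIG_FRAMEBUFFER_CONSOLE is not set
EOF
}
# Usage: sh audit.sh /usr/src/linux/.config   (no argument = run on the sample)
cfg=${1:-}
[ -n "$cfg" ] || { cfg=$(mktemp); write_sample_config "$cfg"; }
audit_config "$cfg"
```

Running it on the sample reports five deviations; CONFIG_KEXEC_FILE=y in the sample shows that the match is on the exact symbol, not a prefix.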
The next change is not necessary for a successful system start, but you really should change it, because it has a big performance impact. If you have a server you can choose "performance"; for a notebook "powersave" is also possible:
Power management and ACPI options --->
    CPU Frequency scaling --->
        [*] CPU frequency transition statistics
        # Change this to:
        Default CPUFreq governor (schedutil) --->
        # And now we are able to disable:
        < > 'userspace' governor for userspace frequency scaling
        # If you have an Intel CPU then this is enabled automatically (see part 1):
        -*- Intel P state control
        # If you have a newer Intel CPU (generation 4 or better) you don't need:
        < > ACPI Processor P-States driver
        # If you have an AMD CPU, disable the Intel P state above and ... read some documentation about AMD P-State or ask in our Gentoo forum
        # (sorry; it is under heavy construction right now; with ACPI you should have no problems).
Are we now ready to boot this kernel? Maybe ... maybe not. It depends:
1. Which filesystem does your root partition use? If it is EXT4 you are fine; this is enabled by default. If you use another one, you must go back into File systems ---> and enable it (static).
2. If you have an NVMe or a special hard disk controller you must enable it as well. Look again into your output of lspci -k and check whether there is a module you have not enabled yet. Search for it with /. If a module the kernel needs to find its root partition is missing, you will get a kernel panic and the kernel cannot boot. For example: if you find a module named "vmd" you must also enable it:
Device Drivers --->
    [*] PCI support --->
        PCI controller drivers --->
            [*] Intel Volume Management Device Driver
(was a problem here: https://forums.gentoo.org/viewtopic-t-1156306-highlight-.html )
To be on the safe side, read these links and double-check that you have enabled everything your kernel needs to be able to access your hard disk:
- SATA HD or SATA SSD: HDD and/or
- NVMe: NVMe or
- Old IDE or PATA: Kernel/Gentoo_Kernel_Configuration_Guide#IDE_chipsets_and_DMA
Part 4 - My recommendations
1. Additional settings:
General setup --->
    [*] Core Scheduling for SMT
    # Checkpoint/restore is not absolutely necessary anymore; but it is not wrong to enable it for the future
    [*] Checkpoint/restore support
Processor type and features --->
    [ ] Enable Maximum number of SMP Processors and NUMA Nodes
    # Adjust this to the number of LOGICAL cores of your CPU (I have 32)
    (32) Maximum number of CPUs
    (1) MTRR cleanup enable value (0-1)
    Timer frequency (300 HZ) --->
General architecture-dependent options --->
    [*] Optimize very unlikely/likely branches
Memory Management options --->
    (65536) Low address space to protect from user allocation
    [*] Transparent Hugepage Support --->
        Transparent Hugepage Support sysfs defaults (madvise) --->
    [*] Multi-Gen LRU
        [*] Enable by default
Device Drivers --->
    [*] Hardware Monitoring support --->
        [*] Hard disk drives with temperature sensors
        # If you have an Intel CPU:
        [*] Intel Core/Core2/Atom temperature sensor
# This is a requirement for enabling Gentoo KSPP (see below, nr. 5)
Security options --->
    Kernel hardening options --->
        Randomize layout of sensitive kernel structures (Limit randomization of structure layout to cache-lines) --->
# If you have a modern CPU ("lscpu" shows "pclmulqdq" and "sse4_2") then enable also:
Cryptographic API --->
    Accelerated Cryptographic Algorithms for CPU (x86) --->
        [*] CRC32c (SSE4.2/PCLMULQDQ)
        [*] CRC32 (PCLMULQDQ)
        # Enable in this submenu also more accelerated algorithms IF you use one of them
2. I highly recommend adding the microcode for your CPU. Read (and do) this:
- INTEL: [] or
- AMD: AMD_microcode
3. If you have a USB-C port and you search with / for the module thunderbolt you will find only "INTEL_WMI_THUNDERBOLT". But this is the wrong driver; you will need instead:
Device Drivers --->
    [*] Unified support for USB4 and Thunderbolt --->
Enable only this option - don't enable write access via debugfs in this submenu! You may want to read this: https://docs.kernel.org/admin-guide/thunderbolt.html
4. If you have a 4K monitor and your font is too small you can - NOW (see part 1) - change it with:
Library routines --->
    [*] Select compiled-in fonts
        [*] Terminus 16x32 font (not supported by all drivers)
5. Harden your kernel: User:Pietinger/Tutorials/Kernel_Hardening_with_KSPP !! (All the disabling it needs we have just done.)
6. After your first boot with this kernel configuration you can check which HID drivers you use with:
dmesg | grep input
Now you can disable all others which you don't need in this submenu:
Device Drivers --->
    HID support --->
        Special HID drivers --->
7. If you have a notebook with a touchpad connected via i2c you must know: i2c needs pinctrl! I wrote a (German) article in our Gentoo forum with all the settings you will need: []
Now go back to User:Pietinger/Tutorials/Manual_kernel_configuration and check all other links for e.g. your graphics card and sound ;-)