User:Pietinger/Tutorials/Manual kernel configuration

From Gentoo Wiki

Tutorial: Manual kernel configuration

This tutorial gathers all the links and information needed for a manual kernel configuration. Only our default Gentoo sources will be used.

What you have to know / What you should read


Many options in your kernel configuration depend on other options, and many options select one or more other options. Sometimes an option is not visible as long as others are not enabled. My recommendation for later: look into the <HELP> of every option you want to enable or disable.

You can search for kernel modules by pressing /. Typing a leading "CONFIG_" is not necessary.

Every module the kernel needs to find its root partition must be built statically <*> into your kernel and not as a <M>odule!
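One way to check this rule on a finished configuration, as an added example that is not part of the original tutorial: the script only reads .config and reports root-path drivers that are modules or unset. The function names and the symbol list (an NVMe disk behind Intel VMD with an ext4 root) are assumptions for one constructed machine.

```shell
#!/bin/sh
# Added example (not from the tutorial): verify that every driver on the
# path to the root partition is built in (=y), never a module (=m).

# check_builtin CONFIG_FILE SYMBOL...
# Prints "SYMBOL module" or "SYMBOL unset" for each offender, one per line.
# Returns 0 when all symbols are =y, 1 otherwise.
check_builtin() {
    cfg=$1
    shift
    rc=0
    for sym in "$@"; do
        if grep -q "^CONFIG_${sym}=y\$" "$cfg"; then
            continue
        elif grep -q "^CONFIG_${sym}=m\$" "$cfg"; then
            echo "$sym module"
        else
            echo "$sym unset"
        fi
        rc=1
    done
    return $rc
}

# Constructed sample: a .config fragment for an NVMe disk behind Intel VMD
# with an ext4 root. The symbol list is an assumption for this one machine;
# build yours from your own "lspci -k" notes.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_BLK_DEV_NVME=y
CONFIG_VMD=m
CONFIG_EXT4_FS=y
# CONFIG_BLK_DEV_SD is not set
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
check_builtin "$sample" BLK_DEV_NVME VMD EXT4_FS BLK_DEV_SD ||
    echo "fix these in menuconfig before rebooting"
rm -f "$sample"
```

Run it against /usr/src/linux/.config with your own symbol list before you run make install.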

Never edit .config

I quote from this thread: [1]

"Horrible things happen if you use a text editor on the kernel .config file. If you are lucky, you will get a kernel that won't build. If not, it may be broken in ways that nobody has ever seen before.

Use menuconfig and its search. Press /. If the symbol you want is not found, press the 'z' key to toggle the display of hidden symbols. Search again.

The search will find it but you still can't select it. Read the help on the menu option. Pay attention to the Depends on: That boolean expression must be true before the item can be selected. Select other things so that your symbol can be selected.

Read the Selects: too. Now ask yourself if you would have got that right with your text editor?

The usual advice to someone who has used a text editor on the .config file is to throw it away and start it again."

More information

If you have never done a manual kernel configuration you really should read all these before starting:

Before you start

1. Choose which kernel version you want and install it. This may help you: User:Pietinger/Tutorials/Selecting_a_convenient_kernel_version

2. Gather some information: Boot with Handbook:AMD64/Installation/Media#Minimal_installation_CD or any other live distribution CD and run (as user root):

root #lspci -k
root #lsmod | more

Note every "Kernel driver in use: XXXX" line and all modules. You will need them later. On an INTEL system, also run:

root #dmesg | grep "Intel(R)"

Note the family, model and stepping.

What you should configure at minimum

Basic Settings (Must have)

1. Start with our Handbook:AMD64/Installation/Kernel. I am missing some important options there. Add these for all 5.15.x LTS kernels:

General setup  --->
    [*] Compile the kernel with warnings as errors
    [*] Checkpoint/restore support
    [*] Configure standard kernel features (expert users)
    Choose SLAB allocator (SLUB (Unqueued Allocator))  --->
                 (X) SLUB (Unqueued Allocator)

Processor type and features  --->
    [*] Symmetric multi-processing support
#If you have an AMD or INTEL NOTEBOOK; don't enable for a desktop mainboard (only one of them)
    [?] Intel Low Power Subsystem Support
    [?] AMD ACPI2Platform devices support
#Enable this in every case for an INTEL or AMD system (only one of them)
    [*] Supported processor vendors  --->
        [?]   Support Intel processor
        [?]   Support AMD processors
    [*] Machine Check / overheating reporting
#Enable this in every case for an INTEL or AMD system (only one of them)
    [?]   Intel MCE Features
    [?]   AMD MCE Features
    [ ] Enable 5-level page tables support
    [*] EFI runtime service support
    [*]   EFI stub support
    [ ]     EFI mixed-mode support
    [ ] Enable the LDT (local descriptor table)

Bus options (PCI etc.)  --->
    [*] Support mmconfig PCI config space access

Power management and ACPI options  --->
    [*] ACPI (Advanced Configuration and Power Interface) Support

[*] Enable the block layer --->
    Partition Types --->
        [*] Advanced partition selection
        [*] PC BIOS (MSDOS partition tables) support
        [*] EFI GUID Partition support

Device Drivers --->
    Generic Driver Options --->
        [*] Maintain a devtmpfs filesystem to mount at /dev
        [*]   Automount devtmpfs at /dev, after the kernel mounted the rootfs
    Firmware Drivers  --->
        EFI (Extensible Firmware Interface) Support  --->
            [*] EFI Variable Support via sysfs
    SCSI device support  --->
        [*] legacy /proc/scsi/ support
        [*] SCSI disk support
#If you have an INTEL CPU:
    [*] Hardware Monitoring support  --->
        [*]   Intel Core/Core2/Atom temperature sensor
    [*] USB support  --->
        [*]   Support for Host-side USB
        [*]   PCI based USB host interface
        [*]   USB announce new devices
        [*]   Enable USB persist by default
        [*]   USB Monitor
        [*]   xHCI HCD (USB 3.0) support
#If you have an old USB 2.0 or 1.1; look into your list from: "lspci -k"
#If you don't find any module named ehci, ohci or uhci in your list, you don't have it!
        [?]   EHCI HCD (USB 2.0) support
        [?]   OHCI HCD (USB 1.1) support
        [?]   UHCI HCD (most Intel and VIA) support
        [*]   USB Mass Storage support
        [*]     USB Attached SCSI
    HID support  --->
        -*- HID bus support
        [*]   Battery level reporting for HID devices
        [*]   /dev/hidraw raw HID device support
        [*]   Generic HID driver
        USB HID support  --->
            [*] USB HID transport layer
            [*] /dev/hiddev raw HID device support
#This is for an INTEL CPU; choose AMD IOMMU support for an AMD CPU:
    [*] IOMMU Hardware Support  --->
              IOMMU default domain type (Translated - Strict)  --->
        [?]   AMD IOMMU support
        [*]   Support for Intel IOMMU using DMA Remapping Devices
        [*]     Support for Shared Virtual Memory with Intel IOMMU
        [*]     Enable Intel DMA Remapping Devices by default
        [*]     Enable Intel IOMMU scalable mode by default
        [*]   Support for Interrupt Remapping

#This should be a minimum when using EXT4:
File systems --->
    [ ] Second extended fs support
    [ ] The Extended 3 (ext3) filesystem
    [*] The Extended 4 (ext4) filesystem
    [*]   Use ext4 for ext2 file systems
    [*]   Ext4 POSIX Access Control Lists
    [*]   Ext4 Security Labels
    [ ] JBD2 (ext4) debugging support
    [ ] Reiserfs support
    [ ] JFS filesystem support
    [ ] XFS filesystem support
    [ ] GFS2 file system support
    [ ] Btrfs filesystem support
    DOS/FAT/NT Filesystems  --->
        [*] MSDOS fs support
        [*] VFAT (Windows-95) fs support
    Pseudo Filesystems --->
        [*] /proc file system support
        [*] Tmpfs virtual memory file system support (former shm fs)
    Native Language support --->
        (utf8) Default NLS Option
        [*]   Codepage 437 (United States, Canada)
        [*]   Codepage 850 (Europe)
        [*]   ASCII (United States)
        [*]   NLS ISO 8859-1  (Latin 1; Western European Languages)
        [*]   NLS ISO 8859-15 (Latin 9; Western European Languages with Euro)
        [*]   NLS UTF-8

In all the links that follow, you only need the chapter Kernel Configuration:

2. Links for configuring your hard disk or NVMe:

3. This is also a must; without it you will have a black screen (= stuck at "Loading Linux 5.15.74-gentoo ..."): Framebuffer

4. It is highly recommended to add the microcode for your CPU:

5. Search with / for the Ethernet module you noted from lspci -k. Enable it (and disable all others, because they are unneeded).

6. Search with / for any additional modules needed for your hard disk that you noted from lspci -k. If you miss a module the kernel needs to find its root partition, you will get a kernel panic and the kernel cannot boot. For example: if you find a module named "vmd", you must enable it as well:

Device Drivers  --->
    [*] PCI support  --->
        PCI controller drivers  --->
            [*] Intel Volume Management Device Driver

(from: )

7. If you have a "high-end CPU" with many logical cores, you should check this kernel option and change it to your number of logical cores:

Processor type and features  --->
    (15) Maximum number of CPUs

(from: )

8. If you have USB-C and you search with / for the module thunderbolt, you will find only "INTEL_WMI_THUNDERBOLT". But this is the wrong driver; you need this instead:

Device Drivers  --->
    [*] Unified support for USB4 and Thunderbolt  --->

Enable only this option; don't enable write by debugfs in this submenu! You may want to read this:

9. Finally we need: Libinput

With this configuration your kernel should be able to boot. If you want to use a graphical environment you need:

Graphics adapter

Choose from these links:

Sound and others

This should also be done:

Optional settings

Finally, you can check all the other modules in your lists from lspci -k and lsmod by searching with /

Driver needs Firmware

Some kernel modules need firmware (mostly graphics adapters, WLAN and some Ethernet). If you use one of these kernel modules you should emerge Linux_firmware#Emerge. You then have two options for this module:

a) If you have configured your module as a <M>odule, the kernel is able to load firmware for this module at boot time from /lib/firmware, because all <M>odules are loaded after the kernel has access to its root partition.

b) If you have configured your module statically <*> into your kernel, you must do a little more. These modules are loaded before the kernel has access to its root partition, so the kernel is not able to load firmware from /lib/firmware.

You would get an error message in your "dmesg" saying "Direct firmware load for xxxx/xxx failed with error -2". Therefore you must also compile all needed firmware into your kernel (example):

Device Drivers  --->
   Generic Driver Options  --->
       Firmware Loader  --->
           [*] Firmware loading facility
           (i915/skl_dmc_ver1_27.bin intel-ucode/06-5e-03) Build named firmware blobs into the kernel binary

With these settings the firmware files are copied INTO your kernel (when you compile your kernel with "make"), and the kernel is now able to load this firmware "from itself" without needing access to /lib/firmware at boot time.

(Yes, it is the same place where you can also define the microcode blob; if more than one firmware blob must be loaded, separate them with a space.)

Every Wiki article recommends option (a) because it is very easy. Option (b) is necessary if you want to build a monolithic kernel without module support, or if you have other reasons to build a module (which needs firmware) statically into your kernel.
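A check for option (b), as an added example that is not part of the original tutorial: it compares the "Direct firmware load ... failed with error -2" lines from dmesg with the blobs named in CONFIG_EXTRA_FIRMWARE (the symbol behind "Build named firmware blobs into the kernel binary") and confirms that each listed blob exists on disk. The function names, the r8169 dmesg lines and the temporary firmware tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): cross-check firmware load failures
# in dmesg against the blobs named in the kernel .config.

# Blobs listed in CONFIG_EXTRA_FIRMWARE, one per line.
builtin_blobs() {
    sed -n 's/^CONFIG_EXTRA_FIRMWARE="\(.*\)"$/\1/p' "$1" | tr ' ' '\n' | sed '/^$/d'
}

# dmesg text on stdin -> blobs whose direct load failed with -2 (not found).
failed_blobs() {
    sed -n 's/.*Direct firmware load for \([^ ]*\) failed with error -2.*/\1/p' | sort -u
}

# firmware_report CONFIG_FILE FIRMWARE_DIR < dmesg-text
#   "add NAME"     : load failed at boot and NAME is not built in yet
#   "no-file NAME" : NAME is listed but missing from FIRMWARE_DIR
firmware_report() {
    cfg=$1
    fwdir=$2
    listed=$(builtin_blobs "$cfg")
    for b in $(failed_blobs); do
        echo "$listed" | grep -qxF "$b" || echo "add $b"
    done
    for b in $listed; do
        [ -f "$fwdir/$b" ] || echo "no-file $b"
    done
}

# Constructed sample data: the config value from the tutorial, a firmware
# tree holding only the i915 blob, and two made-up dmesg lines.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/fw/i915"
    : > "$d/fw/i915/skl_dmc_ver1_27.bin"
    echo 'CONFIG_EXTRA_FIRMWARE="i915/skl_dmc_ver1_27.bin intel-ucode/06-5e-03"' > "$d/config"
    printf '%s\n' \
        'r8169 0000:03:00.0: Direct firmware load for rtl_nic/rtl8168h-2.fw failed with error -2' \
        'r8169 0000:03:00.0: Direct firmware load for rtl_nic/rtl8168h-2.fw failed with error -2' |
        firmware_report "$d/config" "$d/fw"
    rm -rf "$d"
}

demo
```

On a real system the call is `dmesg | firmware_report /usr/src/linux/.config /lib/firmware`.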

Starting with a clean environment

If you have already done some configuration and want to start from the beginning, you can clean up everything with

root #cd /usr/src/linux
root #make distclean
root #make defconfig
root #make menuconfig

The distclean command deletes all old data, including your .config file!

Cheat Sheets

These are only valid if you have done a standard installation according to our Handbook:AMD64.

  • Updating to a new kernel version:
root #emerge -1uvDp gentoo-sources
root #mount /boot
root ## go into the directory of the new kernel:
root #cd /usr/src/linux-X.Y.Z-gentoo
root #cp /usr/src/linux/.config .
root #make oldconfig
root ## For X use nr. of your CPU cores:
root #make -j X
root #make install
root #make modules_install
root ## Maybe you want to backup your configuration. I do this into:
root #cp .config /etc/MY/config-X-Y-Z
root #grub-mkconfig -o /boot/grub/grub.cfg
root #eselect kernel list
root #eselect kernel set X
root #umount /boot
root #reboot
  • Changing the configuration of your used kernel:
root #mount /boot
root #cd /usr/src/linux
root #make menuconfig
root #make -j X
root #make install
root #make modules_install
root #cp .config /etc/MY/config-X-Y-Z-revA
root #grub-mkconfig -o /boot/grub/grub.cfg
root #umount /boot
root #reboot

You will find all this information, and more, in German (for a no-multilib installation) in this thread as well: [[4]]. Check it out if you have trouble with a touchpad connected via I2C ... ;-)

Kconfig / KSPP ?

View the content of /usr/src/linux/distro/Kconfig ... and check whether you have really enabled some security options. Take a look at User:Pietinger/Tutorials/Kernel_Hardening_with_KSPP

You will also find more information about this (in German) in this thread: [[5]]


If you do this search you will see many lines:

root #grep DEBUG /usr/src/linux/.config

Most of them are disabled with # CONFIG_* is not set; some are enabled. If experienced users tell you "don't enable debugging", they are usually correct. But not in every case, because some settings are outside your influence, such as all CONFIG_ARCH_* and CONFIG_HAVE_*. An Intel X86_64 system gives you these enabled:

FILE /usr/src/linux/.config

Two more options depend on:

FILE /usr/src/linux/.config
# Enabled by selecting CONFIG_EXPERT

And if you harden your kernel with KSPP, as you hopefully do, you will automatically get these (example X86_64 system):

FILE /usr/src/linux/.config
# KSPP: Allow allocator validation checking to be enabled (see "slub_debug=P" below).

# KSPP: Report any dangerous memory permissions (not available on all archs).

# KSPP: Perform additional validation of various commonly targeted structures.

Now you have 13 DEBUG options enabled, and this is completely fine! If you find any other lines with DEBUG enabled, you should ask yourself why you have enabled them. A really bad example is:

FILE /usr/src/linux/.config

Because I am paranoid, I also have these in my kernel config, which I DON'T recommend:

FILE /usr/src/linux/.config
# My settings
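The DEBUG review described in this section can be scripted, shown here as an added example that is not part of the original tutorial: it lists enabled DEBUG options, drops the CONFIG_ARCH_* and CONFIG_HAVE_* entries you cannot influence, and prints whatever is not on an allowlist you have reviewed. The function names, the .config fragment and the allowlist are constructed and are not the tutorial's own lists.

```shell
#!/bin/sh
# Added example (not from the tutorial): find enabled DEBUG options that are
# neither arch-provided nor on an allowlist you have reviewed.

# Enabled (=y/=m) symbols containing DEBUG, without the CONFIG_ARCH_* and
# CONFIG_HAVE_* entries that you cannot influence.
enabled_debug() {
    sed -n 's/^\(CONFIG_[A-Z0-9_]*DEBUG[A-Z0-9_]*\)=[ym]$/\1/p' "$1" |
        grep -v -e '^CONFIG_ARCH_' -e '^CONFIG_HAVE_' | sort
}

# unexpected_debug CONFIG_FILE ALLOWLIST_FILE
# Prints every enabled DEBUG symbol that is not a line of ALLOWLIST_FILE.
unexpected_debug() {
    enabled_debug "$1" | grep -vxFf "$2" || true
}

# Constructed sample: a small .config fragment and an allowlist. Both are
# illustrations, not the lists from the tutorial.
demo() {
    d=$(mktemp -d)
    cat > "$d/config" <<'EOF'
CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y
CONFIG_HAVE_DEBUG_KMEMLEAK=y
CONFIG_SLUB_DEBUG=y
CONFIG_DEBUG_WX=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_FS=y
# CONFIG_DEBUG_KERNEL is not set
EOF
    printf '%s\n' CONFIG_SLUB_DEBUG CONFIG_DEBUG_WX CONFIG_DEBUG_LIST > "$d/allow"
    unexpected_debug "$d/config" "$d/allow"
    rm -rf "$d"
}

demo
```

Keep the allowlist next to your saved configuration so that the same review can be repeated after every make oldconfig.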

Useful links

This is my second try at creating a wiki article. Maybe some formatting is wrong. Because it is a tutorial and not a reference guide, I ignored the standard of not writing in first or second person. Yes, my English is very poor.