menu "Gentoo Linux"

config GENTOO_LINUX
	bool "Gentoo Linux support"

	default y

	select CPU_FREQ_DEFAULT_GOV_SCHEDUTIL

	help
	  In order to boot Gentoo Linux a minimal set of config settings needs to
	  be enabled in the kernel; to avoid users having to enable them manually
	  as part of a Gentoo Linux installation or a new clean config, we enable
	  these config settings by default for convenience.

	  See the settings that become available for more details and fine-tuning.

config GENTOO_LINUX_UDEV

	bool "Linux dynamic and persistent device naming (userspace devfs) support"

	depends on GENTOO_LINUX
	default y if GENTOO_LINUX

	select DEVTMPFS
	select TMPFS
	select UNIX

	select MMU
	select SHMEM

	help
	  In order to boot Gentoo Linux a minimal set of config settings needs to
	  be enabled in the kernel; to avoid users having to enable them manually
	  as part of a Gentoo Linux installation or a new clean config, we enable
	  these config settings by default for convenience.

	  Currently this only selects TMPFS, DEVTMPFS and their dependencies.
	  TMPFS is enabled to maintain a tmpfs file system at /dev/shm, /run and
	  /sys/fs/cgroup; DEVTMPFS to maintain a devtmpfs file system at /dev.

	  Some of these are critical files that need to be available early in the
	  boot process; if not available, it causes sysfs and udev to malfunction.

	  To ensure Gentoo Linux boots, it is best to leave this setting enabled;
	  if you run a custom setup, you could consider whether to disable this.

config GENTOO_LINUX_PORTAGE

	bool "Select options required by Portage features"

	depends on GENTOO_LINUX
	default y if GENTOO_LINUX

	select CGROUPS
	select NAMESPACES
	select IPC_NS
	select NET_NS
	select PID_NS
	select SYSVIPC
	select USER_NS
	select UTS_NS

	help
	  This enables options required by various Portage FEATURES.
	  Currently this selects:

	  CGROUPS     (required for FEATURES=cgroup)
	  IPC_NS      (required for FEATURES=ipc-sandbox)
	  NET_NS      (required for FEATURES=network-sandbox)
	  PID_NS      (required for FEATURES=pid-sandbox)
	  SYSVIPC     (required by IPC_NS)

	  It is highly recommended that you leave this enabled as these FEATURES
	  are, or will soon be, enabled by default.

menu "Support for init systems, system and service managers"
	visible if GENTOO_LINUX

config GENTOO_LINUX_INIT_SCRIPT

	bool "OpenRC, runit and other script based systems and managers"

	default y if GENTOO_LINUX

	depends on GENTOO_LINUX

	select BINFMT_SCRIPT
	select CGROUPS
	select EPOLL
	select FILE_LOCKING
	select INOTIFY_USER
	select SIGNALFD
	select TIMERFD

	help
	  The init system is the first thing that loads after the kernel has
	  booted.

	  These config settings allow you to select which init systems to
	  support; instead of having to select all the individual settings all
	  over the place, these settings allow you to select all the settings at
	  once.

	  This particular setting enables all the known requirements for OpenRC,
	  runit and similar script based systems and managers.

	  If you are unsure about this, it is best to leave this setting enabled.

config GENTOO_LINUX_INIT_SYSTEMD

	bool "systemd"

	default n

	depends on GENTOO_LINUX && GENTOO_LINUX_UDEV

	select AUTOFS_FS
	select BLK_DEV_BSG
	select BPF_SYSCALL
	select CGROUP_BPF
	select CGROUPS
	select CRYPTO_HMAC
	select CRYPTO_SHA256
	select CRYPTO_USER_API_HASH
	select DEVPTS_MULTIPLE_INSTANCES
	select DMIID if X86_32 || X86_64 || X86
	select EPOLL
	select FANOTIFY
	select FHANDLE
	select FILE_LOCKING
	select INOTIFY_USER
	select IPV6
	select KCMP
	select NET
	select NET_NS
	select PROC_FS
	select SECCOMP if HAVE_ARCH_SECCOMP
	select SECCOMP_FILTER if HAVE_ARCH_SECCOMP_FILTER
	select SIGNALFD
	select SYSFS
	select TIMERFD
	select TMPFS_POSIX_ACL
	select TMPFS_XATTR

	select ANON_INODES
	select BLOCK
	select EVENTFD
	select FSNOTIFY
	select INET
	select NLATTR

	help
	  The init system is the first thing that loads after the kernel has
	  booted.

	  These config settings allow you to select which init systems to
	  support; instead of having to select all the individual settings all
	  over the place, these settings allow you to select all the settings at
	  once.

	  This particular setting enables all the known requirements for systemd;
	  it also enables suggested optional settings, as the package suggests.

endmenu

menuconfig GENTOO_KERNEL_SELF_PROTECTION
	bool "Kernel Self Protection Project"
	depends on GENTOO_LINUX
	help
	  Recommended kernel settings based on the suggestions from the Kernel
	  Self Protection Project. See:
	  https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

	  Note: there may be additional settings for which the CONFIG_ setting is
	  invisible in menuconfig due to unmet dependencies. Search for
	  GENTOO_KERNEL_SELF_PROTECTION_COMMON and for
	  GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for
	  dependency information on your specific architecture.

	  Note 2: please see the URL above for numeric settings, e.g.
	  CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 for X86_64.

if GENTOO_KERNEL_SELF_PROTECTION
config GENTOO_KERNEL_SELF_PROTECTION_COMMON
	bool "Enable Kernel Self Protection Project Recommendations"

	depends on GENTOO_LINUX && !ACPI_CUSTOM_METHOD && !COMPAT_BRK && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !X86_X32_ABI && !MODIFY_LDT_SYSCALL && GCC_PLUGINS && !IOMMU_DEFAULT_DMA_LAZY && !IOMMU_DEFAULT_PASSTHROUGH && IOMMU_DEFAULT_DMA_STRICT && SECURITY && !ARCH_EPHEMERAL_INODES && RANDSTRUCT_PERFORMANCE

	select BUG
	select STRICT_KERNEL_RWX
	select DEBUG_WX
	select STACKPROTECTOR
	select STACKPROTECTOR_STRONG
	select STRICT_DEVMEM if DEVMEM=y
	select IO_STRICT_DEVMEM if DEVMEM=y
	select SYN_COOKIES
	select DEBUG_CREDENTIALS
	select DEBUG_NOTIFIERS
	select DEBUG_LIST
	select DEBUG_SG
	select HARDENED_USERCOPY if HAVE_HARDENED_USERCOPY_ALLOCATOR=y
	select KFENCE if HAVE_ARCH_KFENCE && (!SLAB || SLUB)
	select RANDOMIZE_KSTACK_OFFSET_DEFAULT if HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET && (INIT_STACK_NONE || !CC_IS_CLANG || CLANG_VERSION>=140000)
	select SECURITY_LANDLOCK
	select SCHED_CORE if SCHED_SMT
	select BUG_ON_DATA_CORRUPTION
	select SCHED_STACK_END_CHECK
	select SECCOMP if HAVE_ARCH_SECCOMP
	select SECCOMP_FILTER if HAVE_ARCH_SECCOMP_FILTER
	select SECURITY_YAMA
	select SLAB_FREELIST_RANDOM
	select SLAB_FREELIST_HARDENED
	select SHUFFLE_PAGE_ALLOCATOR
	select SLUB_DEBUG
	select PAGE_POISONING
	select PAGE_POISONING_NO_SANITY
	select PAGE_POISONING_ZERO
	select INIT_ON_ALLOC_DEFAULT_ON
	select INIT_ON_FREE_DEFAULT_ON
	select REFCOUNT_FULL
	select FORTIFY_SOURCE
	select SECURITY_DMESG_RESTRICT
	select PANIC_ON_OOPS
	select GCC_PLUGIN_LATENT_ENTROPY
	select GCC_PLUGIN_STRUCTLEAK
	select GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
	select GCC_PLUGIN_RANDSTRUCT
	select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
	select ZERO_CALL_USED_REGS if CC_HAS_ZERO_CALL_USED_REGS

	help
	  Search for GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM}
	  for dependency information on your specific architecture.

	  Note 2: please see the URL above for numeric settings, e.g.
	  CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 for X86_64.

config GENTOO_KERNEL_SELF_PROTECTION_X86_64
	bool "X86_64 KSPP Settings" if GENTOO_KERNEL_SELF_PROTECTION_COMMON

	depends on !X86_MSR && X86_64 && GENTOO_KERNEL_SELF_PROTECTION
	default n

	select GCC_PLUGIN_STACKLEAK
	select LEGACY_VSYSCALL_NONE
	select PAGE_TABLE_ISOLATION
	select RANDOMIZE_BASE
	select RANDOMIZE_MEMORY
	select RELOCATABLE
	select VMAP_STACK

config GENTOO_KERNEL_SELF_PROTECTION_ARM64
	bool "ARM64 KSPP Settings"

	depends on ARM64
	default n

	select RANDOMIZE_BASE
	select RELOCATABLE
	select ARM64_SW_TTBR0_PAN
	# Kconfig selects name the bare symbol; a "CONFIG_" prefix here would
	# silently select a non-existent symbol.
	select UNMAP_KERNEL_AT_EL0
	select GCC_PLUGIN_STACKLEAK
	select VMAP_STACK

config GENTOO_KERNEL_SELF_PROTECTION_X86_32
	bool "X86_32 KSPP Settings"

	depends on !X86_MSR && !MODIFY_LDT_SYSCALL && !M486 && X86_32
	default n

	select HIGHMEM64G
	select X86_PAE
	select RANDOMIZE_BASE
	select RELOCATABLE
	select PAGE_TABLE_ISOLATION

config GENTOO_KERNEL_SELF_PROTECTION_ARM
	bool "ARM KSPP Settings"

	depends on !OABI_COMPAT && ARM
	default n

	select VMSPLIT_3G
	select STRICT_MEMORY_RWX
	select CPU_SW_DOMAIN_PAN

endif

config GENTOO_PRINT_FIRMWARE_INFO
	bool "Print firmware information that the kernel attempts to load"

	depends on GENTOO_LINUX
	default y

	help
	  Enable this option to print information about firmware that the kernel
	  is attempting to load. This information is accessible via the dmesg
	  command-line utility.

	  See the settings that become available for more details and fine-tuning.

endmenu
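The KSPP help text above warns that some recommended symbols may be invisible in menuconfig because a dependency is unmet, so a `select` in this fragment does not guarantee the option ends up in the built kernel. As an added example (not part of the Gentoo fragment or the KSPP project), this POSIX sh script audits a kernel `.config` against a subset of the symbols the fragment selects or forbids, plus the `CONFIG_DEFAULT_MMAP_MIN_ADDR=65536` value the help text names for X86_64; the `kspp_audit` function and the sample config are constructed here.

```shell
# Added example, not part of the Gentoo Kconfig fragment: audit a kernel
# .config (e.g. `zcat /proc/config.gz | kspp_audit`) against a subset of the
# KSPP symbols the fragment selects or forbids ("n" = must be off), plus the
# DEFAULT_MMAP_MIN_ADDR=65536 value its help text mentions for X86_64.
KSPP_EXPECT='
STRICT_KERNEL_RWX=y
STACKPROTECTOR_STRONG=y
HARDENED_USERCOPY=y
SLAB_FREELIST_HARDENED=y
INIT_ON_ALLOC_DEFAULT_ON=y
PANIC_ON_OOPS=y
PROC_KCORE=n
LEGACY_PTYS=n
DEFAULT_MMAP_MIN_ADDR=65536
'

# Reads a .config on stdin, prints one MISSING/WRONG line per mismatch and
# returns 1 if any was found. "# CONFIG_X is not set" counts as n; a symbol
# absent altogether is MISSING when it should be on (typically it is invisible
# in menuconfig because a dependency is unmet, as the help text warns).
kspp_audit() {
    cfg=$(cat); rc=0
    for pair in $KSPP_EXPECT; do
        sym=${pair%%=*}; want=${pair#*=}
        got=$(printf '%s\n' "$cfg" | sed -n "s/^CONFIG_$sym=//p")
        if [ -z "$got" ] && printf '%s\n' "$cfg" | grep -q "^# CONFIG_$sym is not set"; then
            got=n
        fi
        if [ -z "$got" ]; then
            [ "$want" = n ] && continue   # absent means off, which is fine
            echo "MISSING $sym (want $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "WRONG $sym=$got (want $want)"; rc=1
        fi
    done
    return $rc
}
# Constructed sample .config (not from a real kernel): STACKPROTECTOR_STRONG
# is absent, PROC_KCORE is on and mmap_min_addr is below the KSPP value.
SAMPLE_CONFIG='
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_HARDENED_USERCOPY=y
# CONFIG_SLAB_FREELIST_HARDENED is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_PANIC_ON_OOPS=y
CONFIG_PROC_KCORE=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
'
printf '%s\n' "$SAMPLE_CONFIG" | kspp_audit || echo "KSPP audit: mismatches found"
```

Running it on the sample reports four mismatches (one MISSING, three WRONG); extend `KSPP_EXPECT` with the remaining selects from the fragment to audit a full build.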