menu "Gentoo Linux"
config GENTOO_LINUX
bool "Gentoo Linux support"
default y
select CPU_FREQ_DEFAULT_GOV_SCHEDUTIL
help
In order to boot Gentoo Linux a minimal set of config settings needs to
be enabled in the kernel; to avoid the users from having to enable them
manually as part of a Gentoo Linux installation or a new clean config,
we enable these config settings by default for convenience.
See the settings that become available for more details and fine-tuning.
config GENTOO_LINUX_UDEV
bool "Linux dynamic and persistent device naming (userspace devfs) support"
depends on GENTOO_LINUX
default y if GENTOO_LINUX
select DEVTMPFS
select TMPFS
select UNIX
select MMU
select SHMEM
help
In order to boot Gentoo Linux a minimal set of config settings needs to
be enabled in the kernel; to avoid the users from having to enable them
manually as part of a Gentoo Linux installation or a new clean config,
we enable these config settings by default for convenience.
Currently this only selects TMPFS, DEVTMPFS and their dependencies.
TMPFS is enabled to maintain a tmpfs file system at /dev/shm, /run and
/sys/fs/cgroup; DEVTMPFS to maintain a devtmpfs file system at /dev.
Some of these are critical files that need to be available early in the
boot process; if not available, it causes sysfs and udev to malfunction.
To ensure Gentoo Linux boots, it is best to leave this setting enabled;
if you run a custom setup, you could consider whether to disable this.
config GENTOO_LINUX_PORTAGE
bool "Select options required by Portage features"
depends on GENTOO_LINUX
default y if GENTOO_LINUX
select CGROUPS
select NAMESPACES
select IPC_NS
select NET_NS
select PID_NS
select SYSVIPC
select USER_NS
select UTS_NS
help
This enables options required by various Portage FEATURES.
Currently this selects:
CGROUPS (required for FEATURES=cgroup)
IPC_NS (required for FEATURES=ipc-sandbox)
NET_NS (required for FEATURES=network-sandbox)
PID_NS (required for FEATURES=pid-sandbox)
SYSVIPC (required by IPC_NS)
It is highly recommended that you leave this enabled as these FEATURES
are, or will soon be, enabled by default.
menu "Support for init systems, system and service managers"
visible if GENTOO_LINUX
config GENTOO_LINUX_INIT_SCRIPT
bool "OpenRC, runit and other script based systems and managers"
default y if GENTOO_LINUX
depends on GENTOO_LINUX
select BINFMT_SCRIPT
select CGROUPS
select EPOLL
select FILE_LOCKING
select INOTIFY_USER
select SIGNALFD
select TIMERFD
help
The init system is the first thing that loads after the kernel booted.
These config settings allow you to select which init systems to support;
instead of having to select all the individual settings all over the
place, these settings allows you to select all the settings at once.
This particular setting enables all the known requirements for OpenRC,
runit and similar script based systems and managers.
If you are unsure about this, it is best to leave this setting enabled.
config GENTOO_LINUX_INIT_SYSTEMD
bool "systemd"
default n
depends on GENTOO_LINUX && GENTOO_LINUX_UDEV
select AUTOFS_FS
select BLK_DEV_BSG
select BPF_SYSCALL
select CGROUP_BPF
select CGROUPS
select CRYPTO_HMAC
select CRYPTO_SHA256
select CRYPTO_USER_API_HASH
select DEVPTS_MULTIPLE_INSTANCES
select DMIID if X86_32 || X86_64 || X86
select EPOLL
select FANOTIFY
select FHANDLE
select FILE_LOCKING
select INOTIFY_USER
select IPV6
select KCMP
select NET
select NET_NS
select PROC_FS
select SECCOMP if HAVE_ARCH_SECCOMP
select SECCOMP_FILTER if HAVE_ARCH_SECCOMP_FILTER
select SIGNALFD
select SYSFS
select TIMERFD
select TMPFS_POSIX_ACL
select TMPFS_XATTR
select ANON_INODES
select BLOCK
select EVENTFD
select FSNOTIFY
select INET
select NLATTR
help
The init system is the first thing that loads after the kernel booted.
These config settings allow you to select which init systems to support;
instead of having to select all the individual settings all over the
place, these settings allows you to select all the settings at once.
This particular setting enables all the known requirements for systemd;
it also enables suggested optional settings, as the package suggests to.
endmenu
menuconfig GENTOO_KERNEL_SELF_PROTECTION
bool "Kernel Self Protection Project"
depends on GENTOO_LINUX
help
Recommended Kernel settings based on the suggestions from the Kernel Self Protection Project
See: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
Note, there may be additional settings for which the CONFIG_ setting is invisible in menuconfig due
to unmet dependencies. Search for GENTOO_KERNEL_SELF_PROTECTION_COMMON and search for
GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for dependency information on your
specific architecture.
Note 2: Please see the URL above for numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
for X86_64
if GENTOO_KERNEL_SELF_PROTECTION
config GENTOO_KERNEL_SELF_PROTECTION_COMMON
bool "Enable Kernel Self Protection Project Recommendations"
depends on GENTOO_LINUX && !ACPI_CUSTOM_METHOD && !COMPAT_BRK && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !X86_X32 && !MODIFY_LDT_SYSCALL && GCC_PLUGINS && !IOMMU_DEFAULT_DMA_LAZY && !IOMMU_DEFAULT_PASSTHROUGH && IOMMU_DEFAULT_DMA_STRICT && SECURITY && !ARCH_EPHEMERAL_INODES && RANDSTRUCT_PERFORMANCE
select BUG
select STRICT_KERNEL_RWX
select DEBUG_WX
select STACKPROTECTOR
select STACKPROTECTOR_STRONG
select STRICT_DEVMEM if DEVMEM=y
select IO_STRICT_DEVMEM if DEVMEM=y
select SYN_COOKIES
select DEBUG_CREDENTIALS
select DEBUG_NOTIFIERS
select DEBUG_LIST
select DEBUG_SG
select HARDENED_USERCOPY if HAVE_HARDENED_USERCOPY_ALLOCATOR=y
select KFENCE if HAVE_ARCH_KFENCE && (!SLAB || SLUB)
select RANDOMIZE_KSTACK_OFFSET_DEFAULT if HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET && (INIT_STACK_NONE || !CC_IS_CLANG || CLANG_VERSION>=140000)
select SECURITY_LANDLOCK
select SCHED_CORE if SCHED_SMT
select BUG_ON_DATA_CORRUPTION
select SCHED_STACK_END_CHECK
select SECCOMP if HAVE_ARCH_SECCOMP
select SECCOMP_FILTER if HAVE_ARCH_SECCOMP_FILTER
select SECURITY_YAMA
select SLAB_FREELIST_RANDOM
select SLAB_FREELIST_HARDENED
select SHUFFLE_PAGE_ALLOCATOR
select SLUB_DEBUG
select PAGE_POISONING
select PAGE_POISONING_NO_SANITY
select PAGE_POISONING_ZERO
select INIT_ON_ALLOC_DEFAULT_ON
select INIT_ON_FREE_DEFAULT_ON
select REFCOUNT_FULL
select FORTIFY_SOURCE
select SECURITY_DMESG_RESTRICT
select PANIC_ON_OOPS
select GCC_PLUGIN_LATENT_ENTROPY
select GCC_PLUGIN_STRUCTLEAK
select GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
select GCC_PLUGIN_RANDSTRUCT
select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
select ZERO_CALL_USED_REGS if CC_HAS_ZERO_CALL_USED_REGS
help
Search for GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for dependency
information on your specific architecture. Note 2: Please see the URL above for
numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 for X86_64
config GENTOO_KERNEL_SELF_PROTECTION_X86_64
bool "X86_64 KSPP Settings" if GENTOO_KERNEL_SELF_PROTECTION_COMMON
depends on !X86_MSR && X86_64 && GENTOO_KERNEL_SELF_PROTECTION
default n
select GCC_PLUGIN_STACKLEAK
select LEGACY_VSYSCALL_NONE
select PAGE_TABLE_ISOLATION
select RANDOMIZE_BASE
select RANDOMIZE_MEMORY
select RELOCATABLE
select VMAP_STACK
config GENTOO_KERNEL_SELF_PROTECTION_ARM64
bool "ARM64 KSPP Settings"
depends on ARM64
default n
select RANDOMIZE_BASE
select RELOCATABLE
select ARM64_SW_TTBR0_PAN
select CONFIG_UNMAP_KERNEL_AT_EL0
select GCC_PLUGIN_STACKLEAK
select VMAP_STACK
config GENTOO_KERNEL_SELF_PROTECTION_X86_32
bool "X86_32 KSPP Settings"
depends on !X86_MSR && !MODIFY_LDT_SYSCALL && !M486 && X86_32
default n
select HIGHMEM64G
select X86_PAE
select RANDOMIZE_BASE
select RELOCATABLE
select PAGE_TABLE_ISOLATION
config GENTOO_KERNEL_SELF_PROTECTION_ARM
bool "ARM KSPP Settings"
depends on !OABI_COMPAT && ARM
default n
select VMSPLIT_3G
select STRICT_MEMORY_RWX
select CPU_SW_DOMAIN_PAN
endif
config GENTOO_PRINT_FIRMWARE_INFO
bool "Print firmware information that the kernel attempts to load"
depends on GENTOO_LINUX
default y
help
Enable this option to print information about firmware that the kernel
is attempting to load. This information can be accessible via the
dmesg command-line utility
See the settings that become available for more details and fine-tuning.
endmenu