292 lines
8.4 KiB
Plaintext
292 lines
8.4 KiB
Plaintext
menu "Gentoo Linux"
|
|
|
|
config GENTOO_LINUX
|
|
bool "Gentoo Linux support"
|
|
|
|
default y
|
|
|
|
select CPU_FREQ_DEFAULT_GOV_SCHEDUTIL
|
|
|
|
help
|
|
In order to boot Gentoo Linux a minimal set of config settings needs to
|
|
be enabled in the kernel; to avoid the users from having to enable them
|
|
manually as part of a Gentoo Linux installation or a new clean config,
|
|
we enable these config settings by default for convenience.
|
|
|
|
See the settings that become available for more details and fine-tuning.
|
|
|
|
config GENTOO_LINUX_UDEV
|
|
bool "Linux dynamic and persistent device naming (userspace devfs) support"
|
|
|
|
depends on GENTOO_LINUX
|
|
default y if GENTOO_LINUX
|
|
|
|
select DEVTMPFS
|
|
select TMPFS
|
|
select UNIX
|
|
|
|
select MMU
|
|
select SHMEM
|
|
|
|
help
|
|
In order to boot Gentoo Linux a minimal set of config settings needs to
|
|
be enabled in the kernel; to avoid the users from having to enable them
|
|
manually as part of a Gentoo Linux installation or a new clean config,
|
|
we enable these config settings by default for convenience.
|
|
|
|
Currently this only selects TMPFS, DEVTMPFS and their dependencies.
|
|
TMPFS is enabled to maintain a tmpfs file system at /dev/shm, /run and
|
|
/sys/fs/cgroup; DEVTMPFS to maintain a devtmpfs file system at /dev.
|
|
|
|
Some of these are critical files that need to be available early in the
|
|
boot process; if not available, it causes sysfs and udev to malfunction.
|
|
|
|
To ensure Gentoo Linux boots, it is best to leave this setting enabled;
|
|
if you run a custom setup, you could consider whether to disable this.
|
|
|
|
config GENTOO_LINUX_PORTAGE
|
|
bool "Select options required by Portage features"
|
|
|
|
depends on GENTOO_LINUX
|
|
default y if GENTOO_LINUX
|
|
|
|
select CGROUPS
|
|
select NAMESPACES
|
|
select IPC_NS
|
|
select NET_NS
|
|
select PID_NS
|
|
select SYSVIPC
|
|
select USER_NS
|
|
select UTS_NS
|
|
|
|
help
|
|
This enables options required by various Portage FEATURES.
|
|
Currently this selects:
|
|
|
|
CGROUPS (required for FEATURES=cgroup)
|
|
IPC_NS (required for FEATURES=ipc-sandbox)
|
|
NET_NS (required for FEATURES=network-sandbox)
|
|
PID_NS (required for FEATURES=pid-sandbox)
|
|
SYSVIPC (required by IPC_NS)
|
|
|
|
|
|
It is highly recommended that you leave this enabled as these FEATURES
|
|
are, or will soon be, enabled by default.
|
|
|
|
menu "Support for init systems, system and service managers"
|
|
visible if GENTOO_LINUX
|
|
|
|
config GENTOO_LINUX_INIT_SCRIPT
|
|
bool "OpenRC, runit and other script based systems and managers"
|
|
|
|
default y if GENTOO_LINUX
|
|
|
|
depends on GENTOO_LINUX
|
|
|
|
select BINFMT_SCRIPT
|
|
select CGROUPS
|
|
select EPOLL
|
|
select FILE_LOCKING
|
|
select INOTIFY_USER
|
|
select SIGNALFD
|
|
select TIMERFD
|
|
|
|
help
|
|
The init system is the first thing that loads after the kernel booted.
|
|
|
|
These config settings allow you to select which init systems to support;
|
|
instead of having to select all the individual settings all over the
|
|
place, these settings allows you to select all the settings at once.
|
|
|
|
This particular setting enables all the known requirements for OpenRC,
|
|
runit and similar script based systems and managers.
|
|
|
|
If you are unsure about this, it is best to leave this setting enabled.
|
|
|
|
config GENTOO_LINUX_INIT_SYSTEMD
|
|
bool "systemd"
|
|
|
|
default n
|
|
|
|
depends on GENTOO_LINUX && GENTOO_LINUX_UDEV
|
|
|
|
select AUTOFS_FS
|
|
select BLK_DEV_BSG
|
|
select BPF_SYSCALL
|
|
select CGROUP_BPF
|
|
select CGROUPS
|
|
select CRYPTO_HMAC
|
|
select CRYPTO_SHA256
|
|
select CRYPTO_USER_API_HASH
|
|
select DEVPTS_MULTIPLE_INSTANCES
|
|
select DMIID if X86_32 || X86_64 || X86
|
|
select EPOLL
|
|
select FANOTIFY
|
|
select FHANDLE
|
|
select FILE_LOCKING
|
|
select INOTIFY_USER
|
|
select IPV6
|
|
select KCMP
|
|
select NET
|
|
select NET_NS
|
|
select PROC_FS
|
|
select SECCOMP if HAVE_ARCH_SECCOMP
|
|
select SECCOMP_FILTER if HAVE_ARCH_SECCOMP_FILTER
|
|
select SIGNALFD
|
|
select SYSFS
|
|
select TIMERFD
|
|
select TMPFS_POSIX_ACL
|
|
select TMPFS_XATTR
|
|
|
|
select ANON_INODES
|
|
select BLOCK
|
|
select EVENTFD
|
|
select FSNOTIFY
|
|
select INET
|
|
select NLATTR
|
|
|
|
help
|
|
The init system is the first thing that loads after the kernel booted.
|
|
|
|
These config settings allow you to select which init systems to support;
|
|
instead of having to select all the individual settings all over the
|
|
place, these settings allows you to select all the settings at once.
|
|
|
|
This particular setting enables all the known requirements for systemd;
|
|
it also enables suggested optional settings, as the package suggests to.
|
|
|
|
endmenu
|
|
|
|
menuconfig GENTOO_KERNEL_SELF_PROTECTION
|
|
bool "Kernel Self Protection Project"
|
|
depends on GENTOO_LINUX
|
|
help
|
|
Recommended Kernel settings based on the suggestions from the Kernel Self Protection Project
|
|
See: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
|
|
Note, there may be additional settings for which the CONFIG_ setting is invisible in menuconfig due
|
|
to unmet dependencies. Search for GENTOO_KERNEL_SELF_PROTECTION_COMMON and search for
|
|
GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for dependency information on your
|
|
specific architecture.
|
|
Note 2: Please see the URL above for numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
|
|
for X86_64
|
|
|
|
if GENTOO_KERNEL_SELF_PROTECTION
|
|
config GENTOO_KERNEL_SELF_PROTECTION_COMMON
|
|
bool "Enable Kernel Self Protection Project Recommendations"
|
|
|
|
depends on GENTOO_LINUX && !ACPI_CUSTOM_METHOD && !COMPAT_BRK && !PROC_KCORE && !COMPAT_VDSO && !KEXEC && !HIBERNATION && !LEGACY_PTYS && !X86_X32 && !MODIFY_LDT_SYSCALL && GCC_PLUGINS && !IOMMU_DEFAULT_DMA_LAZY && !IOMMU_DEFAULT_PASSTHROUGH && IOMMU_DEFAULT_DMA_STRICT && SECURITY && !ARCH_EPHEMERAL_INODES && RANDSTRUCT_PERFORMANCE
|
|
|
|
select BUG
|
|
select STRICT_KERNEL_RWX
|
|
select DEBUG_WX
|
|
select STACKPROTECTOR
|
|
select STACKPROTECTOR_STRONG
|
|
select STRICT_DEVMEM if DEVMEM=y
|
|
select IO_STRICT_DEVMEM if DEVMEM=y
|
|
select SYN_COOKIES
|
|
select DEBUG_CREDENTIALS
|
|
select DEBUG_NOTIFIERS
|
|
select DEBUG_LIST
|
|
select DEBUG_SG
|
|
select HARDENED_USERCOPY if HAVE_HARDENED_USERCOPY_ALLOCATOR=y
|
|
select KFENCE if HAVE_ARCH_KFENCE && (!SLAB || SLUB)
|
|
select RANDOMIZE_KSTACK_OFFSET_DEFAULT if HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET && (INIT_STACK_NONE || !CC_IS_CLANG || CLANG_VERSION>=140000)
|
|
select SECURITY_LANDLOCK
|
|
select SCHED_CORE if SCHED_SMT
|
|
select BUG_ON_DATA_CORRUPTION
|
|
select SCHED_STACK_END_CHECK
|
|
select SECCOMP if HAVE_ARCH_SECCOMP
|
|
select SECCOMP_FILTER if HAVE_ARCH_SECCOMP_FILTER
|
|
select SECURITY_YAMA
|
|
select SLAB_FREELIST_RANDOM
|
|
select SLAB_FREELIST_HARDENED
|
|
select SHUFFLE_PAGE_ALLOCATOR
|
|
select SLUB_DEBUG
|
|
select PAGE_POISONING
|
|
select PAGE_POISONING_NO_SANITY
|
|
select PAGE_POISONING_ZERO
|
|
select INIT_ON_ALLOC_DEFAULT_ON
|
|
select INIT_ON_FREE_DEFAULT_ON
|
|
select REFCOUNT_FULL
|
|
select FORTIFY_SOURCE
|
|
select SECURITY_DMESG_RESTRICT
|
|
select PANIC_ON_OOPS
|
|
select GCC_PLUGIN_LATENT_ENTROPY
|
|
select GCC_PLUGIN_STRUCTLEAK
|
|
select GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
|
|
select GCC_PLUGIN_RANDSTRUCT
|
|
select GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
|
|
select ZERO_CALL_USED_REGS if CC_HAS_ZERO_CALL_USED_REGS
|
|
|
|
help
|
|
Search for GENTOO_KERNEL_SELF_PROTECTION_{X86_64, ARM64, X86_32, ARM} for dependency
|
|
information on your specific architecture. Note 2: Please see the URL above for
|
|
numeric settings, e.g. CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 for X86_64
|
|
|
|
config GENTOO_KERNEL_SELF_PROTECTION_X86_64
|
|
bool "X86_64 KSPP Settings" if GENTOO_KERNEL_SELF_PROTECTION_COMMON
|
|
|
|
depends on !X86_MSR && X86_64 && GENTOO_KERNEL_SELF_PROTECTION
|
|
default n
|
|
|
|
select GCC_PLUGIN_STACKLEAK
|
|
select LEGACY_VSYSCALL_NONE
|
|
select PAGE_TABLE_ISOLATION
|
|
select RANDOMIZE_BASE
|
|
select RANDOMIZE_MEMORY
|
|
select RELOCATABLE
|
|
select VMAP_STACK
|
|
|
|
|
|
config GENTOO_KERNEL_SELF_PROTECTION_ARM64
|
|
bool "ARM64 KSPP Settings"
|
|
|
|
depends on ARM64
|
|
default n
|
|
|
|
select RANDOMIZE_BASE
|
|
select RELOCATABLE
|
|
select ARM64_SW_TTBR0_PAN
|
|
select CONFIG_UNMAP_KERNEL_AT_EL0
|
|
select GCC_PLUGIN_STACKLEAK
|
|
select VMAP_STACK
|
|
|
|
config GENTOO_KERNEL_SELF_PROTECTION_X86_32
|
|
bool "X86_32 KSPP Settings"
|
|
|
|
depends on !X86_MSR && !MODIFY_LDT_SYSCALL && !M486 && X86_32
|
|
default n
|
|
|
|
select HIGHMEM64G
|
|
select X86_PAE
|
|
select RANDOMIZE_BASE
|
|
select RELOCATABLE
|
|
select PAGE_TABLE_ISOLATION
|
|
|
|
config GENTOO_KERNEL_SELF_PROTECTION_ARM
|
|
bool "ARM KSPP Settings"
|
|
|
|
depends on !OABI_COMPAT && ARM
|
|
default n
|
|
|
|
select VMSPLIT_3G
|
|
select STRICT_MEMORY_RWX
|
|
select CPU_SW_DOMAIN_PAN
|
|
|
|
endif
|
|
|
|
config GENTOO_PRINT_FIRMWARE_INFO
|
|
bool "Print firmware information that the kernel attempts to load"
|
|
|
|
depends on GENTOO_LINUX
|
|
default y
|
|
|
|
help
|
|
Enable this option to print information about firmware that the kernel
|
|
is attempting to load. This information can be accessible via the
|
|
dmesg command-line utility
|
|
|
|
See the settings that become available for more details and fine-tuning.
|
|
|
|
endmenu
|