Custom Kernel
Latest revision as of 10:08, 25 September 2024
This material is work-in-progress ... Do not follow instructions here until this notice is removed.
This process of building a custom configured kernel assumes you are running on Alpine Linux utilizing abuild & aports.
But why?
You want to build a custom kernel to enable experimental hardware or features or outdated hardware, to reduce bloat further, to tune the kernel to the hardware.
The lts kernel for most Alpine architectures uses defaults that favour throughput and broad device support over responsiveness. You can tweak the kernel for desktop use, low latency and responsiveness.
You should disable unneeded modules to increase security. By default, Alpine installs the modules but does not disable most of them. Disabling modules reduces the exposure to DMA attacks but does not eliminate it completely. If you have a newer processor with VT-d, you can mitigate them as long as you:
Leave CONFIG_INTEL_IOMMU_DEFAULT_ON=y or pass intel_iommu=on as a kernel parameter, and restrict (or disable) access to the kernel log, for example with kernel.dmesg_restrict=1 or CONFIG_SECURITY_DMESG_RESTRICT=y, so an attacker does not learn DMAR address information through dmesg.[1] Also remove references to the kernel version, which can be used to calculate the IOMMU addresses.[2]
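As an added check for the options above (this script is not part of the Alpine wiki or of aports; the option names are real kernel symbols, the sample config it audits is constructed here, and the sysfs probe only reports on the host it runs on):

```shell
#!/bin/sh
# Added example: audit a kernel config (lts.ARCH.config or .config) for the
# DMA-related hardening discussed above. Not part of the wiki or aports.

# kconfig_is FILE OPTION VALUE: succeed if OPTION has VALUE in FILE.
# VALUE n also matches an option that is absent, which Kconfig treats as n.
kconfig_is() {
    if [ "$3" = n ]; then
        grep -qx "# $2 is not set" "$1" || ! grep -q "^$2=" "$1"
    else
        grep -qx "$2=$3" "$1"
    fi
}

# audit_dma_hardening FILE: print one line per check; the exit status is the
# number of failed checks, so 0 means every check passed.
audit_dma_hardening() {
    cfg=$1
    fails=0

    # Loadable modules widen the set of drivers a malicious or hot-plugged
    # DMA-capable device can bind to; a trimmed, monolithic kernel is tighter.
    if kconfig_is "$cfg" CONFIG_MODULES n; then
        echo "ok   CONFIG_MODULES off (monolithic kernel)"
    else
        echo "warn CONFIG_MODULES on; trim the module set"
        fails=$((fails + 1))
    fi

    # IOMMU built in and on by default, so DMA remapping does not depend on
    # the bootloader passing intel_iommu=on.
    if kconfig_is "$cfg" CONFIG_INTEL_IOMMU y &&
       kconfig_is "$cfg" CONFIG_INTEL_IOMMU_DEFAULT_ON y; then
        echo "ok   Intel IOMMU built in and enabled by default"
    else
        echo "fail set CONFIG_INTEL_IOMMU=y and CONFIG_INTEL_IOMMU_DEFAULT_ON=y (or pass intel_iommu=on)"
        fails=$((fails + 1))
    fi

    # Keep the DMAR/IOMMU addresses printed at boot away from unprivileged
    # users; kernel.dmesg_restrict=1 is the runtime equivalent.
    if kconfig_is "$cfg" CONFIG_SECURITY_DMESG_RESTRICT y; then
        echo "ok   dmesg restricted to CAP_SYSLOG"
    else
        echo "fail set CONFIG_SECURITY_DMESG_RESTRICT=y"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# iommu_active [ROOT]: on a running kernel, a populated
# /sys/kernel/iommu_groups means devices were actually placed in IOMMU groups.
iommu_active() {
    groups="${1:-}/sys/kernel/iommu_groups"
    [ -d "$groups" ] && [ -n "$(ls -A "$groups" 2>/dev/null)" ]
}

# Usage: sh dma-audit.sh path/to/lts.x86_64.config
# Without an argument, audit a constructed sample (not an Alpine file).
if [ -n "$1" ]; then
    audit_dma_hardening "$1" || echo "$? check(s) failed"
else
    sample=$(mktemp)
    cat >"$sample" <<'EOF'
CONFIG_MODULES=y
CONFIG_INTEL_IOMMU=y
# CONFIG_INTEL_IOMMU_DEFAULT_ON is not set
EOF
    audit_dma_hardening "$sample" || echo "$? check(s) failed"
    rm -f "$sample"
fi
if iommu_active; then echo "IOMMU groups present on this host"; fi
```

The exit status makes the audit usable from a build hook: a non-zero return from audit_dma_hardening can abort the package build before an unintended config lands in the commit.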
To increase the security of the boot process, if you have a TPM, you could set CONFIG_INTEL_TXT=y (Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)), which is not enabled in the hardened kernel by default. You would then need the SINIT module (provided only by Intel)[3], a possibly self-compiled TrustedGrub2[4], trousers[5] and tboot[6]. These packages are not in aports and it is unknown whether these tools work on musl. It's not recommended for Edge. You would also need trigger packages to regenerate the measured hashes whenever the kernel or mkinitfs is updated.
Setting up the Alpine Build System
First, you need to follow the steps in Setup your system and account for building packages. You also need to configure your /etc/apk/repositories so that they search locally for your apks. See Testing the package locally for details.
After setting up accounts and repos, change your shell's current working directory to aports that you just cloned.
$ cd aports
Working with aports
We will try using an existing lts kernel just tweaking the lts.ARCH.config file.
Switching to the proper release version
You need to switch to the proper branch that matches the release so that the kernel compiles against the dependencies properly.
Alpine version | Remote branch
---|---
Edge | master
3.17.0 | 3.17-stable
The following is required to get access to the APKBUILD released for that version of Alpine and which you will create a commit for.
If you are on 3.17 do:
$ git checkout -b 3.17-stable origin/3.17-stable
If you are on Edge do:
$ git checkout master
Creating your config
You can work directly on linux-lts, but what you should do is create a local branch:
For Alpine Edge:
$ git checkout -b my-custom-kernel
For Alpine 3.17:
$ git checkout -b my-custom-kernel origin/3.17-stable
Doing it this way, you do less work in maintaining. All you need to do is keep master or 3.17-stable in sync[7][8] and merge any conflicts.
First switch to the branch with git checkout my-custom-kernel. Then navigate to the main/linux-lts folder, where you should see an APKBUILD and the lts.ARCH.config files (ARCH being x86, x86_64, ... as appropriate for your system). Edit the APKBUILD directly if needed, and produce your kernel config by copying lts.ARCH.config to .config in the unpacked source folder (src/linux-VER), running make menuconfig there (discussed below in the Configuring kernel section), and copying the resulting .config back over lts.ARCH.config. After generating your config, run abuild checksum. Then git add APKBUILD lts.ARCH.config and git commit -m "Enabled these options ...." so that git keeps your changes separate from Alpine's and they float forward between kernel updates.
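The branch selection and branch creation above, as one added script (not part of the wiki or aports). It assumes, as labelled in the code, that /etc/alpine-release reads "X.Y.Z" on a stable release and "X.Y.Z_alphaYYYYMMDD" on edge, and it uses the branch name my-custom-kernel from the text:

```shell
#!/bin/sh
# Added example: pick the aports branch matching the running Alpine release
# and create (or re-use) the custom-kernel branch on top of it.
# Not part of the Alpine wiki or aports.

# aports_branch RELEASE: map an /etc/alpine-release string to the aports
# branch from the table above (edge -> master, 3.17.x -> 3.17-stable).
# Assumption: edge identifies itself with an _alpha/_beta/_rc suffix.
aports_branch() {
    case "$1" in
        *_alpha*|*_beta*|*_rc*|edge) echo master ;;
        *)
            major_minor=$(printf '%s' "$1" | cut -d. -f1,2)
            echo "${major_minor}-stable" ;;
    esac
}

# custom_branch_exists REPO NAME: succeed if local branch NAME exists.
custom_branch_exists() {
    git -C "$1" show-ref --verify --quiet "refs/heads/$2"
}

# setup_kernel_branch REPO [NAME]: fetch the release branch, then create
# the custom branch on top of it (or just switch to it if it exists), so
# later merges from the release branch carry the config changes forward.
setup_kernel_branch() {
    repo=$1
    name=${2:-my-custom-kernel}
    base=$(aports_branch "$(cat /etc/alpine-release)")
    git -C "$repo" fetch origin "$base"
    if custom_branch_exists "$repo" "$name"; then
        git -C "$repo" checkout "$name"
    else
        git -C "$repo" checkout -b "$name" "origin/$base"
    fi
    echo "on branch $name (based on origin/$base); edit main/linux-lts next"
}

# Only touch a repository when one is given, e.g.: sh setup.sh ~/aports
if [ -n "$1" ]; then
    setup_kernel_branch "$1"
fi
```

Running the script a second time is harmless: it switches to the existing custom branch instead of trying to recreate it.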
Adding custom patches
Custom patches should be added to source= in the APKBUILD.
After you add the URL or file name, produce a checksum with abuild checksum.
Custom patches may not be applied automatically, for example because they are distributed as an archive or use a different patch level, so you need to define what to do with them in prepare().
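An added illustrative APKBUILD fragment for that case, following generic abuild conventions rather than the actual linux-lts APKBUILD (not from aports; fix-my-board.patch, the vendor archive and its URL are placeholders, and the existing upstream entries of source= are elided):

```shell
# Added example, not from aports. Local *.patch entries in source= are applied
# by default_prepare with patch -p1 inside $builddir; archives are only
# unpacked into $srcdir, so their contents must be applied by hand.
source="
	...existing upstream entries stay as they are...
	fix-my-board.patch
	vendor-patches-1.0.tar.gz::https://example.invalid/vendor-patches-1.0.tar.gz
	"

prepare() {
	default_prepare
	# Hypothetical vendor set made with git diff a/ b/ on a nested tree,
	# hence strip level 2 instead of abuild's default of 1.
	for p in "$srcdir"/vendor-patches-1.0/*.patch; do
		patch -p2 -i "$p" -d "$builddir"
	done
}

# sha512sums= is regenerated with abuild checksum; never edit it by hand.
```

Regenerate the checksums after every change to source=: abuild refuses to build when a listed file does not match its recorded hash, which is what protects you from a swapped patch or archive.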
Configuring kernel
Attempt to build the kernel first. To do that, run abuild -rK to install most of the dependencies (-r installs missing dependencies, -K keeps the source and build directories so you can work in them). If it complains about a dependency such as elfutils-dev, use abuild -rKd, which disables the dependency check. When it prompts for values for newly found config options, just hold Enter until it starts compiling the kernel. There will be two sets of prompts, one for -lts and the other for -virt. Ctrl+C out of the compilation after the second set so you can further customize the config. Then go into src/linux-VER and edit the config file there, and copy the resulting .config over lts.ARCH.config next to the APKBUILD (abuild copies it into src/ as well, but the one beside the APKBUILD is what abuild checksum and git track).
The alternative is to use the kernel configuration menu in the build-NAME folder, but before you do that you need to sudo apk add ncurses-dev. After you are done with make menuconfig in the build-NAME folder, you can remove ncurses-dev again. The result is stored in .config, which you again copy over the lts.ARCH.config file. Once lts.ARCH.config is updated, run abuild checksum.
The options in the kernel config are typically the defaults. If your device is old, support for it may be set to n by default.
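Before running abuild checksum and committing, a practitioner wants to see exactly which options differ between Alpine's lts.ARCH.config and the .config produced by make menuconfig or by holding Enter through the prompts. The following added script (not part of the wiki or aports; the two config fragments it compares are constructed) prints that delta; the kernel tree ships scripts/diffconfig, which does the same job in Python:

```shell
#!/bin/sh
# Added example: diff two kernel config files option by option.
# Not part of the Alpine wiki or aports.
export LC_ALL=C        # sort and join must agree on the collation
tab=$(printf '\t')

# kconfig_normalize FILE: emit "NAME<tab>VALUE" per option, sorted by name,
# with "# NAME is not set" rendered as "NAME n" so it compares like a value.
# A tab separator keeps string values containing spaces in one field.
kconfig_normalize() {
    sed -n \
        -e "s/^# \(CONFIG_[A-Za-z0-9_]*\) is not set\$/\1${tab}n/p" \
        -e "s/^\(CONFIG_[A-Za-z0-9_]*\)=\(.*\)\$/\1${tab}\2/p" "$1" |
        sort -t "$tab" -k1,1
}

# kconfig_diff OLD NEW: one line per option whose value differs:
#   NAME: OLD -> NEW   changed
#   NAME: - -> NEW     only in NEW (e.g. a prompt you answered with Enter)
#   NAME: OLD -> -     dropped from NEW
kconfig_diff() {
    old=$(mktemp) new=$(mktemp)
    kconfig_normalize "$1" >"$old"
    kconfig_normalize "$2" >"$new"
    # join on the name; -a 1 -a 2 keeps unmatched lines from either side,
    # -e - fills the missing value, -o fixes the column order.
    join -t "$tab" -a 1 -a 2 -e - -o 0,1.2,2.2 "$old" "$new" |
        awk -F "$tab" '$2 != $3 { printf "%s: %s -> %s\n", $1, $2, $3 }'
    rm -f "$old" "$new"
}

# kconfig_diff_count OLD NEW: number of differing options, for scripting.
kconfig_diff_count() {
    kconfig_diff "$1" "$2" | wc -l | tr -d ' '
}

# Usage: sh kconfig-diff.sh lts.x86_64.config src/build-lts/.config
# Without arguments, compare two constructed fragments (not real Alpine configs).
if [ $# -eq 2 ]; then
    kconfig_diff "$1" "$2"
else
    a=$(mktemp) b=$(mktemp)
    cat >"$a" <<'EOF'
CONFIG_HZ_300=y
CONFIG_PREEMPT_VOLUNTARY=y
# CONFIG_KEXEC is not set
CONFIG_INTEL_IOMMU=y
EOF
    cat >"$b" <<'EOF'
CONFIG_HZ_1000=y
CONFIG_PREEMPT=y
CONFIG_KEXEC=y
CONFIG_INTEL_IOMMU=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
EOF
    kconfig_diff "$a" "$b"
    rm -f "$a" "$b"
fi
```

Options that only appear on the right-hand side are the ones that were defaulted for you while you held Enter; review those first, since a new driver or debug option enabled that way is easy to miss in a full-file diff.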
Vanilla targets and tuning

ARCH | Processor Type / CPU Selection / System Type | Code Generation / Instruction Extensions | Timer Frequency | Preemption Model | Bitness
---|---|---|---|---|---
s390x | IBM zEnterprise 114 and 196 | IBM zBC12 and zEC12 (-march=zEC12 -mtune=zEC12) | 100 Hz | No Forced Preemption (Server) | 64
ppc64le | Server processors | POWER8 (-mcpu=power8), AltiVec (-Wa,-maltivec to assembler or -maltivec -mabi=altivec), VSX | 100 Hz | No Forced Preemption (Server) | 64
ppc | 512x/52xx/6xx/7xx/74xx/82xx/83xx/86xx | AltiVec (-Wa,-maltivec to assembler or -maltivec -mabi=altivec) on >=74xx | 250 Hz | No Forced Preemption (Server) | 32
x86_64 | Generic-x86-64 | -mtune=generic; SIMD assembly modules enabled based on a simple compile test and/or presence of the CPU flag | 300 Hz | Voluntary Kernel Preemption (Desktop) | 64
x86 | 586/K5/5x86/6x86/6x86MX | -mtune=generic; SIMD assembly modules enabled based on a simple compile test and/or presence of the CPU flag | 300 Hz | Voluntary Kernel Preemption (Desktop) | 32
armhf | | Either -march=armv7-a or -march=armv5t -Wa,-march=armv7-a based on a compile test; -mfpu=vfp | 100 Hz | Voluntary Kernel Preemption (Desktop) | 32
aarch64 | | | 300 Hz | Voluntary Kernel Preemption (Desktop) | 64
If you do desktop multitasking, you may want to switch to Voluntary Kernel Preemption (Desktop) or Preemptible Kernel (Low-Latency Desktop) and up the Timer Frequency. If you run a dedicated render farm node or a dedicated bitcoin miner use No Forced Preemption (Server) and decrease the Timer Frequency.
Optimized modules (most are already compiled as modules):
- raid6 -- altivec, avx512, ssse3, avx2, mmx, sse, sse2, neon
- some operations of raid5 -- mmx (32 bit), sse (64 bit), avx
For Kernel API:
- 32-bit memcpy -- 3dnow
- 32-bit memory page clearing and copying -- sse (Athlon/K7 only), mmx
From x86/crypto, arm/crypto, powerpc/crypto:
- CAMELLIA -- avx2, avx, aes-ni
- CHACHA20 -- avx2, neon
- CAST5 -- avx
- CAST6 -- avx
- TWOFISH -- avx
- SERPENT -- avx2, avx, sse2
- SHA1 -- avx2, ssse3, neon, spe
- SHA2 -- avx2
- SHA256 -- ssse3, neon, spe
- SHA512 -- avx2, ssse3, neon
- POLY1305 -- avx2
- GHASH -- pclmulqdq (part of aes-ni), vmx (power8)
- AES -- aes-ni, neon, vmx (power8), spe
- CRC32 -- pclmulqdq, sse, neon, vmx (power8)
- CRCT10DIF -- pclmulqdq, sse, neon, vmx (power8)
Fast reboots with kexec
If you want to reboot into a new kernel quickly, skipping the firmware POST, you need doas apk add kexec-tools and kexec enabled in the kernel:

Processor type and features
    [*] kexec system call

Note that kexec hands control to the new kernel without the firmware verifying it; if you rely on Secure Boot or kernel lockdown, lockdown restricts kexec to signed images loaded through kexec_file_load.
Hibernation to prevent data loss

Power management and ACPI options
    [*] Hibernation (aka 'suspend to disk')
Hibernation should be used if you have a laptop. You don't want the laptop to suddenly shut off and lose your work; you want it to save your work once the battery drops below a percentage threshold (this requires a special script). When the system resumes from hibernation, it should lock and ask for credentials. Depending on your needs, the hibernation image can be encrypted and decrypted, which again requires additional customization of the scripts.
Hibernation to an unencrypted swap file or partition is insecure: the hibernation image, including memory pages holding decrypted data and keys, is written out in plaintext and can be read offline. To increase security, either disable swap or use encrypted swap. The swap file or partition is typically used as the hibernation resume image.
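An added check for the swap caveat above (not part of the wiki): it walks /proc/swaps and, using only sysfs, reports whether each active swap area is a dm-crypt mapping. The ROOT argument exists so it can be run against a constructed directory tree; it assumes, as labelled in the code, that a device-mapper target set up by cryptsetup carries a dm uuid beginning with CRYPT-, which is what cryptsetup writes:

```shell
#!/bin/sh
# Added example: is every active swap area (the usual hibernation resume
# target) backed by dm-crypt? Not part of the Alpine wiki or aports.

# dm_uuid ROOT DEVPATH: print the device-mapper uuid for /dev/dm-N or
# /dev/mapper/NAME, or nothing if DEVPATH is not a device-mapper device.
dm_uuid() {
    root=$1
    base=$(basename "$2")
    case "$base" in
        dm-*)
            cat "$root/sys/block/$base/dm/uuid" 2>/dev/null || true ;;
        *)
            # /dev/mapper/NAME: find the dm-N whose dm/name matches NAME
            for namefile in "$root"/sys/block/dm-*/dm/name; do
                [ -f "$namefile" ] || continue
                if [ "$(cat "$namefile")" = "$base" ]; then
                    cat "$(dirname "$namefile")/uuid"
                    return 0
                fi
            done ;;
    esac
    return 0
}

# swap_is_encrypted ROOT DEVPATH: succeed if DEVPATH is a dm-crypt mapping.
# Assumption: cryptsetup-created targets have a uuid starting with "CRYPT-".
swap_is_encrypted() {
    case "$(dm_uuid "$1" "$2")" in
        CRYPT-*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_swap ROOT: one line per swap area; exit status is the number of
# plaintext swap areas, so 0 means hibernation images would land on dm-crypt.
audit_swap() {
    root=$1
    plain=0
    # skip the header line of /proc/swaps; field 1 is the device or file
    for dev in $(awk 'NR > 1 { print $1 }' "$root/proc/swaps"); do
        if swap_is_encrypted "$root" "$dev"; then
            echo "ok   $dev is a dm-crypt mapping"
        else
            echo "fail $dev is plaintext: a hibernation image written here is readable offline"
            plain=$((plain + 1))
        fi
    done
    return "$plain"
}

# Usage: sh swap-audit.sh            (live system)
#        sh swap-audit.sh /some/root (constructed tree with proc/ and sys/)
audit_swap "${1:-}" || echo "$? unencrypted swap area(s)"
```

A swap file on an unencrypted filesystem shows up here as a plain path and is reported as plaintext, which is the right answer: the file's blocks are as readable offline as a raw partition.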
Building
Before building, you may want to drop as many modules as possible; this greatly reduces compile time. Also consider ccache for faster recompiles, especially while you are searching for the minimal set of options or modules to include.
Then run abuild -r to attempt the build.
Installing
To install it, run doas apk add linux-NAME, where NAME is your custom kernel name.
Testing
Before you test, install the lts kernel too, with apk add linux-lts. Your config may be missing a module and fail to boot, so keep the stock kernel as the fallback boot entry, and don't forget to update your bootloader configuration.
Also prepare a bootable Alpine USB image as a rescue medium. When your rescue USB is ready, reboot the computer.
Testing is basically trial and error: if you aim for a bare minimum configuration, your config is sometimes missing something.
If you are curious about correctness testing, some kernel modules or components perform self-tests early in the boot process, and the tools may have test suites you can run with make.

See Also

- Archwiki Kernels: https://wiki.archlinux.org/title/Kernel
- Gentoo Wiki Kernel: https://wiki.gentoo.org/wiki/Kernel
- Gentoo Wiki Kernel Configuration: https://wiki.gentoo.org/wiki/Kernel/Configuration

References

1. https://blog.frizk.net/2016/11/disable-virtualization-based-security.html
2. https://link.springer.com/content/pdf/10.1186/s13173-017-0066-7.pdf
3. https://software.intel.com/en-us/articles/intel-trusted-execution-technology
4. https://github.com/Rohde-Schwarz-Cybersecurity/TrustedGRUB2
5. https://sourceforge.net/projects/trousers/?source=navbar
6. https://sourceforge.net/projects/tboot/
7. https://help.github.com/articles/syncing-a-fork/
8. https://help.github.com/articles/configuring-a-remote-for-a-fork/