## Qubes specific config settings.
##
## Lines starting with ## are comments.
################################################################################
## Enable expert options
CONFIG_EXPERT=y
################################################################################
## Use xz to save space on /boot
# CONFIG_KERNEL_GZIP is not set
# CONFIG_KERNEL_ZSTD is not set
CONFIG_KERNEL_XZ=y
################################################################################
## Enable /proc/config.gz to help debugging etc.
CONFIG_IKCONFIG=y
CONFIG_IKCONFIG_PROC=y
################################################################################
## Enable some more hardening options
CONFIG_GCC_PLUGINS=y
CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
CONFIG_GCC_PLUGIN_STRUCTLEAK=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
## XXX: What about RANDSTRUCT?
## The following depend on CONFIG_EXPERT
CONFIG_ARCH_MMAP_RND_BITS=32
CONFIG_ARCH_MMAP_RND_COMPAT_BITS=16
# CONFIG_KEXEC is not set
# CONFIG_CRASH_DUMP is not set
CONFIG_LEGACY_VSYSCALL_NONE=y
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_INTEL_IOMMU_DEFAULT_ON=y
# CONFIG_PROC_KCORE is not set
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_INIT_ON_FREE_DEFAULT_ON=y
CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_ON_OOPS_VALUE=1
CONFIG_PANIC_TIMEOUT=-1
CONFIG_SCHED_STACK_END_CHECK=y
CONFIG_DEBUG_TIMEKEEPING=y
CONFIG_IO_STRICT_DEVMEM=y
CONFIG_SECURITY_YAMA=y
# CONFIG_HIBERNATION is not set
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
################################################################################
## Disable PCI hotplug to prevent DMA attacks via ExpressCard or Thunderbolt
## ports. QubesOS/qubes-issues#1673
# CONFIG_HOTPLUG_PCI is not set
################################################################################
## Deactivate selinux by default
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_LSM="yama,loadpin,safesetid,integrity"
################################################################################
## Enable paravirt spinlocks. This should be more performant.
CONFIG_PARAVIRT_SPINLOCKS=y
################################################################################
## Disable DEBUG_WX. Xen PV guests currently have some WX pages, so suppress
## the resulting (useless) warning.
# CONFIG_DEBUG_WX is not set
################################################################################
## Build the USB host-controller drivers as modules so that PCI devices can be
## attached to pciback before those drivers get loaded.
CONFIG_USB_UHCI_HCD=m
CONFIG_USB_OHCI_HCD=m
CONFIG_USB_EHCI_HCD=m
CONFIG_USB_XHCI_HCD=m
################################################################################
## USB gadget driver support for testing qvm-usb
CONFIG_USB_GADGET=m
CONFIG_USB_CONFIGFS=m
CONFIG_USB_CONFIGFS_MASS_STORAGE=y
CONFIG_USB_DUMMY_HCD=m
################################################################################
## Enable AppArmor (built in, but note that it is not listed in CONFIG_LSM above,
## so it only becomes active when selected at boot time).
## It's optionally used by Whonix (https://www.whonix.org/wiki/AppArmor).
CONFIG_SECURITY_APPARMOR=y
################################################################################
## Enable memory hotplug for the Xen balloon driver. This makes it possible to
## map a lot of grant tables without consuming otherwise usable physical address space.
CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y
CONFIG_XEN_UNPOPULATED_ALLOC=y
################################################################################
## Allow grant tables to be turned into dma-bufs and back. Needed by GUI daemon.
CONFIG_XEN_GRANT_DMA_ALLOC=y
CONFIG_XEN_GNTDEV_DMABUF=y
################################################################################
## Help crash debugging by saving crash messages to EFI variables
CONFIG_EFI_VARS_PSTORE=y
################################################################################
## Support Linux installs where /sbin/ and /usr/sbin/ have not been merged
CONFIG_MODPROBE_PATH="/sbin/modprobe"
################################################################################
## Workaround for running (unsupported) PV VMs on Qubes 4.1.
## The module also needs to be blacklisted in the VM/template!
CONFIG_INTEL_PMC_CORE=m
## Technically, CONFIG_XEN_VIRTIO_FORCE_GRANT=y is a good idea, but we don't
## use virtio devices under Xen yet. On the other hand, it interferes with
## running Xen nested within KVM. CONFIG_XEN_VIRTIO under PV (dom0) behaves as
## CONFIG_XEN_VIRTIO_FORCE_GRANT, so disable CONFIG_XEN_VIRTIO entirely.
# CONFIG_XEN_VIRTIO is not set
## Without kernel preemption, long-running operations in the dom0 kernel (such
## as dm-thin metadata lookups or dm-crypt encryption and decryption) can make
## the entire system less responsive. It is easy to trigger this with e.g.
## a parallel kernel build.
CONFIG_PREEMPT=y
################################################################################
## TODO: from diff to old config
## CONFIG_X86_AMD_PLATFORM_DEVICE=y
##
## # CONFIG_X86_MCELOG_LEGACY is not set
## # CONFIG_X86_MCE_INJECT is not set
##
## CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y
##
## sensors from 0f976d972a1671a303fad30a5e690304b0b82ee0
##
## Intel ME driver e0f8e9ca81b80d897b190f48a4af80eff3198cb1
## Avoid a kernel conflict with the EfiACPIMemoryNVS region on some
## AMD Threadripper platforms.
CONFIG_PHYSICAL_START=0x200000
CONFIG_PHYSICAL_ALIGN=0x200000