diff --git a/vmm/scripts/kernel/build-kernel/build-kernel.sh b/vmm/scripts/kernel/build-kernel/build-kernel.sh
new file mode 100755
index 00000000..d8b77123
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/build-kernel.sh
@@ -0,0 +1,115 @@
+#!/bin/bash
+# Copyright 2023 The Kuasar Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kernel_merge_script="scripts/kconfig/merge_config.sh"
+kernel_merge_options=("-r" "-n")
+faild_merge_keyword="not in final .config"
+
+print_usage() {
+ echo "Usage: $0 [options]
+ --help, -h print the usage
+ --arch specify the hardware architecture: aarch64/x86_64
+ --kernel-type specify the target kernel type: micro/mini
+ --kernel-dir specify the kernel source directory
+ --kernel-conf-dir specify the kernel tailor conf directory"
+}
+
+merge_kernel_fragments() {
+ local tailor_conf_file="$1"
+
+ if [ ! -f "$tailor_conf_file" ]; then
+ echo "Tailor conf file does not exist: $tailor_conf_file"
+ return 1
+ fi
+
+ local kernel_fragments=$(sed "s#^#${kernel_conf_dir}/#" "${tailor_conf_file}" | tr '\n' ' ')
+ read -a kernel_fragments_arr <<<"${kernel_fragments}"
+ # need to change the pwd to kernel directory to do merge kernel fragments operation
+ cd ${kernel_dir}
+ local results=$(bash "${kernel_dir}/${kernel_merge_script}" "${kernel_merge_options[@]}" "${kernel_fragments_arr[@]}")
+
+ if [[ "${results}" == *"${faild_merge_keyword}"* ]]; then
+ echo "Error: failed to merge kernel fragments with ${tailor_conf_file} configuration."
+ echo "The kernel configs which are not present in the final .config file: "
+ echo "${results}"
+ return 1
+ fi
+
+ echo "Merge kernel fragments with ${tailor_conf_file} successfully."
+ return 0
+}
+
+build_kernel() {
+ cd ${kernel_dir}
+ make -j $(nproc)
+ if [ $? -ne 0 ]; then
+ echo "Error: Failed to build kernel."
+ return 1
+ fi
+ echo "Build kernel successfully."
+ return 0
+}
+
+while [[ "$#" -gt 0 ]]; do
+ case $1 in
+ -h | --help)
+ print_usage
+ exit 0
+ ;;
+ --arch)
+ arch="$2"
+ shift
+ ;;
+ --kernel-type)
+ kernel_type="$2"
+ shift
+ ;;
+ --kernel-dir)
+ kernel_dir="$2"
+ shift
+ ;;
+ --kernel-conf-dir)
+ kernel_conf_dir="$2"
+ shift
+ ;;
+ *)
+ echo "Unknown parameter passed: $1"
+ print_usage
+ exit 1
+ ;;
+ esac
+ shift
+done
+
+if [ -z "$kernel_type" ] || [ -z "$arch" ] || [ -z "$kernel_dir" ] || [ -z "$kernel_conf_dir" ]; then
+ print_usage
+ exit 1
+fi
+
+echo "Arch: $arch"
+echo "Kernel Type: $kernel_type"
+echo "Kernel Dir: $kernel_dir"
+echo "Kernel Conf Dir: $kernel_conf_dir"
+
+# select the tailor conf file by vm type and cpu architecture
+tailor_conf_file="${kernel_conf_dir}/${kernel_type}-kernel-${arch}.list"
+
+cd ${kernel_conf_dir}
+merge_kernel_fragments $tailor_conf_file
+if [ $? -ne 0 ]; then
+ exit 1
+fi
+
+build_kernel
diff --git a/vmm/scripts/kernel/build-kernel/fragments/9p.conf b/vmm/scripts/kernel/build-kernel/fragments/9p.conf
new file mode 100644
index 00000000..e72fe49d
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/fragments/9p.conf
@@ -0,0 +1,5 @@
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+CONFIG_9P_FS_SECURITY=y
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
diff --git a/vmm/scripts/kernel/build-kernel/fragments/aarch64.conf b/vmm/scripts/kernel/build-kernel/fragments/aarch64.conf
new file mode 100644
index 00000000..bc14dd6c
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/fragments/aarch64.conf
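Review bot: `cd ${kernel_dir}` in merge_kernel_fragments and build_kernel, and `cd ${kernel_conf_dir}` in the top-level flow, are unquoted and unchecked, and the script never sets `set -e`, so a `cd` that fails (missing directory, path containing spaces) leaves `make -j $(nproc)` running in whatever the current directory happens to be. The fragment paths handed to merge_config.sh are built as `${kernel_conf_dir}/<name>` after the working directory has already changed, so a relative `--kernel-dir` or `--kernel-conf-dir` resolves against the wrong place; resolving both to absolute paths once, right after the argument check, and writing `cd "${kernel_dir}" || return 1` inside both functions fixes both problems. Smaller points in the same hunk: `read -a kernel_fragments_arr` should be `read -r -a`, `local kernel_fragments=$(sed …)` and `local results=$(bash …)` mask the command's exit status, and `merge_kernel_fragments $tailor_conf_file` should quote its argument. Since `--arch` and `--kernel-type` only take the four values listed in print_usage, a `case` check on them before the `.list` path is built would turn a typo into a usage error instead of a "does not exist" message.
```bash
# resolve both directories once, before any cd, so the
# ${kernel_conf_dir}/<fragment> paths built later stay valid
kernel_dir=$(cd -- "${kernel_dir}" && pwd) || exit 1
kernel_conf_dir=$(cd -- "${kernel_conf_dir}" && pwd) || exit 1
# … unchanged: echo of the parsed arguments …
tailor_conf_file="${kernel_conf_dir}/${kernel_type}-kernel-${arch}.list"
merge_kernel_fragments "${tailor_conf_file}" || exit 1
build_kernel
```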
@@ -0,0 +1,149 @@
+#
+# IRQ subsystem
+#
+# end of IRQ subsystem
+
+#
+# Timers subsystem
+#
+CONFIG_ARCH_HAS_TICK_BROADCAST=y
+# end of Timers subsystem
+
+#
+# RCU Subsystem
+#
+CONFIG_TASKS_RCU_GENERIC=y
+# end of RCU Subsystem
+
+CONFIG_HAVE_FUTEX_CMPXCHG=y
+# end of General setup
+
+CONFIG_ARM64=y
+CONFIG_ARM64_PAGE_SHIFT=12
+CONFIG_ARM64_CONT_PTE_SHIFT=4
+CONFIG_ARM64_CONT_PMD_SHIFT=4
+
+CONFIG_ARCH_MMAP_RND_BITS_MIN=18
+CONFIG_ARCH_MMAP_RND_BITS_MAX=33
+CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=11
+CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16
+
+
+#
+# ARM errata workarounds via the alternatives framework
+#
+CONFIG_ARM64_WORKAROUND_CLEAN_CACHE=y
+CONFIG_ARM64_ERRATUM_826319=y
+CONFIG_ARM64_ERRATUM_827319=y
+CONFIG_ARM64_ERRATUM_824069=y
+CONFIG_ARM64_ERRATUM_819472=y
+CONFIG_ARM64_ERRATUM_832075=y
+CONFIG_ARM64_ERRATUM_843419=y
+CONFIG_ARM64_ERRATUM_1024718=y
+CONFIG_ARM64_WORKAROUND_SPECULATIVE_AT=y
+CONFIG_ARM64_ERRATUM_1165522=y
+CONFIG_ARM64_ERRATUM_1319367=y
+CONFIG_ARM64_ERRATUM_1530923=y
+CONFIG_ARM64_WORKAROUND_REPEAT_TLBI=y
+CONFIG_ARM64_ERRATUM_1286807=y
+CONFIG_ARM64_ERRATUM_1463225=y
+CONFIG_ARM64_ERRATUM_1542419=y
+CONFIG_ARM64_ERRATUM_1508412=y
+CONFIG_CAVIUM_ERRATUM_22375=y
+CONFIG_CAVIUM_ERRATUM_23154=y
+CONFIG_CAVIUM_ERRATUM_27456=y
+CONFIG_CAVIUM_ERRATUM_30115=y
+CONFIG_CAVIUM_TX2_ERRATUM_219=y
+CONFIG_HISILICON_ERRATUM_161600802=y
+CONFIG_HISILICON_ERRATUM_1980005=y
+CONFIG_HISILICON_ERRATUM_HIP08_RU_PREFETCH=y
+
+CONFIG_ARM64_4K_PAGES=y
+CONFIG_ARM64_VA_BITS_48=y
+CONFIG_ARM64_VA_BITS=48
+CONFIG_ARM64_PA_BITS_48=y
+CONFIG_ARM64_PA_BITS=48
+
+CONFIG_CPU_LITTLE_ENDIAN=y
+CONFIG_RODATA_FULL_DEFAULT_ENABLED=y
+
+
+CONFIG_ARCH_LLC_128_LINE_SIZE=y
+
+CONFIG_FORCE_MAX_ZONEORDER=11
+CONFIG_UNMAP_KERNEL_AT_EL0=y
+
+#
+# ARMv8.1 architectural features
+#
+CONFIG_ARM64_HW_AFDBM=y
+CONFIG_ARM64_PAN=y
+CONFIG_AS_HAS_LSE_ATOMICS=y
+CONFIG_ARM64_VHE=y
+# end of ARMv8.1 architectural features
+
+#
+# ARMv8.2 architectural features
+#
+CONFIG_ARM64_RAS_EXTN=y
+CONFIG_ARM64_CNP=y
+# end of ARMv8.2 architectural features
+
+#
+# ARMv8.3 architectural features
+#
+CONFIG_ARM64_PTR_AUTH=y
+CONFIG_CC_HAS_BRANCH_PROT_PAC_RET=y
+CONFIG_CC_HAS_SIGN_RETURN_ADDRESS=y
+CONFIG_AS_HAS_PAC=y
+CONFIG_AS_HAS_CFI_NEGATE_RA_STATE=y
+# end of ARMv8.3 architectural features
+
+#
+# ARMv8.4 architectural features
+#
+CONFIG_ARM64_AMU_EXTN=y
+CONFIG_AS_HAS_ARMV8_4=y
+CONFIG_ARM64_TLB_RANGE=y
+# end of ARMv8.4 architectural features
+
+#
+# ARMv8.5 architectural features
+#
+CONFIG_ARM64_BTI=y
+CONFIG_CC_HAS_BRANCH_PROT_PAC_RET_BTI=y
+CONFIG_ARM64_E0PD=y
+CONFIG_ARM64_AS_HAS_MTE=y
+CONFIG_ARM64_MTE=y
+# end of ARMv8.5 architectural features
+
+#
+# ARMv8.6 architectural features
+#
+CONFIG_ARM64_TWED=y
+# end of ARMv8.6 architectural features
+
+#
+# ARMv8.7 architectural features
+#
+CONFIG_ARM64_EPAN=y
+# end of ARMv8.7 architectural features
+
+CONFIG_ARM64_SVE=y
+# end of Kernel Features
+
+CONFIG_ARM64_TAGGED_ADDR_ABI=y
+
+# Firmware
+CONFIG_ARM_SDE_INTERFACE=y
+
+#
+# General architecture-dependent options
+#
+CONFIG_ARCH_HAS_RELR=y
+# end of General architecture-dependent options
+
+CONFIG_OF_KOBJ=y
+CONFIG_OF_ADDRESS=y
+CONFIG_OF_NET=y
+CONFIG_DMA_OF=y
diff --git a/vmm/scripts/kernel/build-kernel/fragments/acpi.conf b/vmm/scripts/kernel/build-kernel/fragments/acpi.conf
new file mode 100644
index 00000000..22a23c38
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/fragments/acpi.conf
@@ -0,0 +1,13 @@
+CONFIG_ACPI=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_PROCESSOR_IDLE=y
+CONFIG_ACPI_PROCESSOR=y
+CONFIG_ACPI_HOTPLUG_CPU=y
+CONFIG_ACPI_TABLE_UPGRADE=y
+CONFIG_ACPI_CONTAINER=y
+CONFIG_ACPI_PCI_SLOT=y
+CONFIG_ACPI_HOTPLUG_MEMORY=y
+CONFIG_ACPI_CONFIGFS=y
+CONFIG_ACPI_APEI=y
+CONFIG_ACPI_APEI_GHES=y
+CONFIG_ACPI_APEI_PCIEAER=y
diff --git a/vmm/scripts/kernel/build-kernel/fragments/base.conf b/vmm/scripts/kernel/build-kernel/fragments/base.conf
new file mode 100644
index 00000000..d28f82d7
--- /dev/null
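Review bot: `CONFIG_HISILICON_ERRATUM_HIP08_RU_PREFETCH=y` and `CONFIG_ARCH_LLC_128_LINE_SIZE=y` in this hunk (and `CONFIG_MEMCG_QOS=y` in mem.conf later in the diff) look, as far as I can tell, like vendor-kernel symbols rather than mainline ones, while `CONFIG_NET_SCH_CBQ`, `CONFIG_ND_BLK`, `CONFIG_OPROFILE_NMI_TIMER` and `CONFIG_LEGACY_VSYSCALL_EMULATE` in net.conf, nvdimm.conf and x86_64.conf have, if memory serves, been removed from recent mainline releases. Because build-kernel.sh treats every "not in final .config" line from merge_config.sh as fatal, each such symbol makes the build fail on a tree that lacks it, so the fragments implicitly pin a kernel tree and version range that neither they nor the accompanying document states. A header comment on each fragment, `# derived from <KERNEL TREE AND VERSION — fill in>`, and one sentence in the document would make the supported range explicit, and vendor-only symbols may belong in a per-tree fragment rather than the shared arch one.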
+++ b/vmm/scripts/kernel/build-kernel/fragments/base.conf 
@@ -0,0 +1,159 @@
+#
+# General setup
+#
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_LOCALVERSION=""
+CONFIG_BUILD_SALT=""
+CONFIG_DEFAULT_INIT=""
+CONFIG_DEFAULT_HOSTNAME="kuasar"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ_COMMON=y
+CONFIG_NO_HZ_IDLE=y
+CONFIG_CONTEXT_TRACKING=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+# end of Timers subsystem
+
+CONFIG_PREEMPT_NONE=y
+
+#
+# CPU/Task time and stats accounting
+#
+CONFIG_VIRT_CPU_ACCOUNTING=y
+CONFIG_VIRT_CPU_ACCOUNTING_GEN=y
+# end of CPU/Task time and stats accounting
+
+CONFIG_CPU_ISOLATION=y
+
+#
+# RCU Subsystem
+#
+CONFIG_TREE_RCU=y
+CONFIG_TREE_SRCU=y
+CONFIG_RCU_STALL_COMMON=y
+CONFIG_RCU_NEED_SEGCBLIST=y
+# end of RCU Subsystem
+
+# Kernel Log related config
+CONFIG_LOG_BUF_SHIFT=17
+CONFIG_LOG_CPU_MAX_BUF_SHIFT=12
+CONFIG_PRINTK_SAFE_LOG_BUF_SHIFT=13
+
+CONFIG_CC_HAS_INT128=y
+CONFIG_ARCH_SUPPORTS_INT128=y
+
+CONFIG_SCHED_AUTOGROUP=y
+CONFIG_BLK_DEV_INITRD=y
+CONFIG_INITRAMFS_SOURCE=""
+CONFIG_RD_GZIP=y
+CONFIG_INITRAMFS_FILE_METADATA=""
+CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y
+CONFIG_LD_ORPHAN_WARN=y
+CONFIG_SYSCTL=y
+
+CONFIG_BPF=y
+CONFIG_MULTIUSER=y
+CONFIG_SYSFS_SYSCALL=y
+CONFIG_FHANDLE=y
+CONFIG_POSIX_TIMERS=y
+CONFIG_PRINTK=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_FUTEX_PI=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+CONFIG_IO_URING=y
+CONFIG_ADVISE_SYSCALLS=y
+CONFIG_MEMBARRIER=y
+CONFIG_KALLSYMS=y
+CONFIG_KALLSYMS_BASE_RELATIVE=y
+CONFIG_BPF_SYSCALL=y
+CONFIG_RSEQ=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# end of Kernel Performance Events And Counters
+
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_SLAB=y
+CONFIG_SLAB_MERGE_DEFAULT=y
+# end of General setup
+
+CONFIG_64BIT=y
+CONFIG_STACKTRACE=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_ZONE_DMA=y
+CONFIG_ZONE_DMA32=y
+
+
+CONFIG_PGTABLE_LEVELS=4
+CONFIG_NR_CPUS=255
+CONFIG_SCHED_MC=y
+CONFIG_SCHED_SMT=y
+
+CONFIG_RELOCATABLE=y
+
+#
+# Executable file formats
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ELFCORE=y
+CONFIG_BINFMT_SCRIPT=y
+CONFIG_BINFMT_MISC=y
+CONFIG_COREDUMP=y
+# end of Executable file formats
+
+#
+# General architecture-dependent options
+#
+CONFIG_MMU_GATHER_TABLE_FREE=y
+CONFIG_HAVE_ARCH_SECCOMP=y
+CONFIG_SECCOMP=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_STACKPROTECTOR=y
+CONFIG_STACKPROTECTOR_STRONG=y
+CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
+CONFIG_STRICT_KERNEL_RWX=y
+
+# end of General architecture-dependent options
+
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_MUTEX_SPIN_ON_OWNER=y
+CONFIG_RWSEM_SPIN_ON_OWNER=y
+CONFIG_LOCK_SPIN_ON_OWNER=y
+CONFIG_QUEUED_SPINLOCKS=y
+CONFIG_QUEUED_RWLOCKS=y
+CONFIG_FREEZER=y
+
+#
+# printk and dmesg options
+#
+CONFIG_PRINTK_TIME=y
+CONFIG_CONSOLE_LOGLEVEL_DEFAULT=7
+CONFIG_CONSOLE_LOGLEVEL_QUIET=4
+CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4
diff --git a/vmm/scripts/kernel/build-kernel/fragments/block.conf b/vmm/scripts/kernel/build-kernel/fragments/block.conf
new file mode 100644
index 00000000..5a277e40
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/fragments/block.conf
@@ -0,0 +1,13 @@
+CONFIG_BLOCK=y
+CONFIG_BLK_SCSI_REQUEST=y
+CONFIG_BLK_DEV_BSG=y
+
+CONFIG_BLK_DEV=y
+CONFIG_VIRTIO_BLK=y
+
+#
+# Partition Types
+#
+CONFIG_MSDOS_PARTITION=y
+CONFIG_EFI_PARTITION=y
+# end of Partition Types
diff --git a/vmm/scripts/kernel/build-kernel/fragments/cgroup.conf b/vmm/scripts/kernel/build-kernel/fragments/cgroup.conf
new file mode 100644
index 00000000..adfe6a1e
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/fragments/cgroup.conf
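Review bot: base.conf enables `CONFIG_BPF=y` and `CONFIG_BPF_SYSCALL=y` but says nothing about whether unprivileged processes in the guest may use bpf(), which for a multi-tenant sandbox kernel is the question a reader will ask first. On kernels that provide it, `CONFIG_BPF_UNPRIV_DEFAULT_OFF=y` makes unprivileged bpf disabled by default while leaving the `kernel.unprivileged_bpf_disabled` sysctl available to an administrator; on older kernels the same effect needs the sysctl set at boot, which belongs in the document. Either way, a comment next to `CONFIG_BPF_SYSCALL=y` naming the intended policy (`# bpf() is for privileged guest agents only; unprivileged use is disabled via <option or sysctl>`) would record the decision.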
@@ -0,0 +1,17 @@
+CONFIG_CGROUPS=y
+CONFIG_PAGE_COUNTER=y
+CONFIG_MEMCG=y
+CONFIG_MEMCG_SWAP=y
+CONFIG_MEMCG_KMEM=y
+CONFIG_BLK_CGROUP=y
+CONFIG_CGROUP_WRITEBACK=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_FAIR_GROUP_SCHED=y
+CONFIG_CFS_BANDWIDTH=y
+CONFIG_CGROUP_PIDS=y
+CONFIG_CGROUP_FREEZER=y
+CONFIG_CPUSETS=y
+CONFIG_PROC_PID_CPUSET=y
+CONFIG_CGROUP_DEVICE=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_SOCK_CGROUP_DATA=y
diff --git a/vmm/scripts/kernel/build-kernel/fragments/character.conf b/vmm/scripts/kernel/build-kernel/fragments/character.conf
new file mode 100644
index 00000000..2d4981ec
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/fragments/character.conf
@@ -0,0 +1,39 @@
+#
+# Input device support
+#
+CONFIG_INPUT=y
+
+#
+# Character devices
+#
+CONFIG_TTY=y
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_HW_CONSOLE=y
+CONFIG_VT_HW_CONSOLE_BINDING=y
+CONFIG_UNIX98_PTYS=y
+
+#
+# Serial drivers
+#
+CONFIG_SERIAL_EARLYCON=y
+CONFIG_SERIAL_8250=y
+CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y
+CONFIG_SERIAL_8250_CONSOLE=y
+CONFIG_SERIAL_8250_DMA=y
+CONFIG_SERIAL_8250_NR_UARTS=1
+CONFIG_SERIAL_8250_RUNTIME_UARTS=1
+
+#
+# Non-8250 serial port support
+#
+CONFIG_SERIAL_CORE=y
+CONFIG_SERIAL_CORE_CONSOLE=y
+# end of Serial drivers
+
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+CONFIG_HW_RANDOM=y
+CONFIG_HW_RANDOM_VIRTIO=y
+CONFIG_DEVMEM=y
diff --git a/vmm/scripts/kernel/build-kernel/fragments/cpu.conf b/vmm/scripts/kernel/build-kernel/fragments/cpu.conf
new file mode 100644
index 00000000..e8085de3
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/fragments/cpu.conf
@@ -0,0 +1,8 @@
+CONFIG_HZ_1000=y
+CONFIG_HZ=1000
+CONFIG_SCHED_HRTICK=y
+
+CONFIG_PARAVIRT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+
+CONFIG_SMP=y
diff --git a/vmm/scripts/kernel/build-kernel/fragments/debug.conf b/vmm/scripts/kernel/build-kernel/fragments/debug.conf
new file mode 100644
index 00000000..6fdd9714
--- /dev/null
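Review bot: `CONFIG_DEVMEM=y` at the end of character.conf enables /dev/mem, and no fragment in this commit sets `CONFIG_STRICT_DEVMEM=y`; because build-kernel.sh merges on top of allnoconfig (`-n`), the Kconfig default that normally turns STRICT_DEVMEM on for x86 and arm64 does not apply, so a root process in the guest gets unrestricted access to guest RAM through that device. If nothing in the sandbox needs /dev/mem, replace the line with `# CONFIG_DEVMEM is not set`; if something does, add `CONFIG_STRICT_DEVMEM=y` and `CONFIG_IO_STRICT_DEVMEM=y` beside it and a one-line comment naming the consumer.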
+++ b/vmm/scripts/kernel/build-kernel/fragments/debug.conf
@@ -0,0 +1,22 @@
+# tracing
+CONFIG_TRACEPOINTS=y
+CONFIG_TRACING=y
+CONFIG_EVENT_TRACING=y
+CONFIG_FTRACE=y
+CONFIG_PROC_KCORE=y
+
+CONFIG_KPROBES=y
+CONFIG_PROBE_EVENTS=y
+CONFIG_UPROBES=y
+CONFIG_UPROBE_EVENTS=y
+CONFIG_KRETPROBES=y
+
+CONFIG_LOCKUP_DETECTOR=y
+CONFIG_SOFTLOCKUP_DETECTOR=y
+CONFIG_DETECT_HUNG_TASK=y
+
+#
+# Generic Kernel Debugging Instruments
+#
+CONFIG_DEBUG_FS=y
+CONFIG_DEBUG_FS_ALLOW_ALL=y
diff --git a/vmm/scripts/kernel/build-kernel/fragments/device.conf b/vmm/scripts/kernel/build-kernel/fragments/device.conf
new file mode 100644
index 00000000..b61c5186
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/fragments/device.conf
@@ -0,0 +1,49 @@
+#
+# Generic Driver Options
+#
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+
+#
+# Firmware loader
+#
+CONFIG_FW_LOADER=y
+CONFIG_EXTRA_FIRMWARE=""
+# end of Firmware loader
+
+CONFIG_ALLOW_DEV_COREDUMP=y
+
+#
+# Bus devices
+#
+CONFIG_CONNECTOR=y
+CONFIG_PROC_EVENTS=y
+
+
+CONFIG_SSB_POSSIBLE=y
+CONFIG_BCMA_POSSIBLE=y
+
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_DUMMY_CONSOLE_COLUMNS=80
+CONFIG_DUMMY_CONSOLE_ROWS=25
+
+CONFIG_RTC_CLASS=y
+CONFIG_RTC_HCTOSYS=y
+CONFIG_RTC_HCTOSYS_DEVICE="rtc0"
+CONFIG_RTC_SYSTOHC=y
+CONFIG_RTC_SYSTOHC_DEVICE="rtc0"
+
+
+#
+# RTC interfaces
+#
+CONFIG_RTC_INTF_SYSFS=y
+CONFIG_RTC_INTF_PROC=y
+CONFIG_RTC_INTF_DEV=y
+
+CONFIG_RAS=y
+
+#
+# DMA Devices
+#
+CONFIG_DMADEVICES=y
diff --git a/vmm/scripts/kernel/build-kernel/fragments/filesystem.conf b/vmm/scripts/kernel/build-kernel/fragments/filesystem.conf
new file mode 100644
index 00000000..2055cbf3
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/fragments/filesystem.conf
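Review bot: debug.conf turns on `CONFIG_PROC_KCORE=y` and `CONFIG_DEBUG_FS_ALLOW_ALL=y` alongside kprobes/uprobes; /proc/kcore and an unrestricted debugfs expose kernel memory and internals to a root process in the guest, which is more than the serverless workload the document describes needs, and it is not clear from the fragment whether this is meant for production images or only for development. The `.list` files that select fragments are not in this diff, so I cannot tell which kernel types pull it in; if it is meant for all of them, `CONFIG_DEBUG_FS_ALLOW_NONE=y` or `CONFIG_DEBUG_FS_DISALLOW_MOUNT=y` (on kernels that offer them) and dropping `CONFIG_PROC_KCORE` is the narrower choice, and if it is development-only, a header comment `# development/tracing only: do not list this fragment for production kernels` makes the intent explicit.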
@@ -0,0 +1,41 @@
+#
+# File systems
+#
+CONFIG_FS_IOMAP=y
+CONFIG_EXT4_FS=y
+CONFIG_EXT4_USE_FOR_EXT2=y
+CONFIG_EXT4_FS_POSIX_ACL=y
+CONFIG_EXT4_FS_SECURITY=y
+CONFIG_JBD2=y
+CONFIG_FS_MBCACHE=y
+CONFIG_FS_POSIX_ACL=y
+CONFIG_EXPORTFS=y
+CONFIG_EXPORTFS_BLOCK_OPS=y
+CONFIG_FILE_LOCKING=y
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+CONFIG_AUTOFS_FS=y
+CONFIG_FUSE_FS=y
+CONFIG_VIRTIO_FS=y
+CONFIG_OVERLAY_FS=y
+CONFIG_OVERLAY_FS_REDIRECT_DIR=y
+CONFIG_OVERLAY_FS_INDEX=y
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+CONFIG_PROC_CHILDREN=y
+CONFIG_KERNFS=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+CONFIG_TMPFS_POSIX_ACL=y
+CONFIG_TMPFS_XATTR=y
+CONFIG_HUGETLBFS=y
+CONFIG_HUGETLB_PAGE=y
+CONFIG_MEMFD_CREATE=y
+CONFIG_CONFIGFS_FS=y
+# end of Pseudo filesystems
diff --git a/vmm/scripts/kernel/build-kernel/fragments/firmware.conf b/vmm/scripts/kernel/build-kernel/fragments/firmware.conf
new file mode 100644
index 00000000..05da7dde
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/fragments/firmware.conf
@@ -0,0 +1,12 @@
+#
+# EFI (Extensible Firmware Interface) Support
+#
+CONFIG_EFI_STUB=y
+CONFIG_EFI=y
+
+CONFIG_EFI_ESRT=y
+
+CONFIG_EFI_RUNTIME_WRAPPERS=y
+
+CONFIG_EFI_GENERIC_STUB_INITRD_CMDLINE_LOADER=y
+# end of EFI (Extensible Firmware Interface) Support
diff --git a/vmm/scripts/kernel/build-kernel/fragments/hotplug.conf b/vmm/scripts/kernel/build-kernel/fragments/hotplug.conf
new file mode 100644
index 00000000..56815c32
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/fragments/hotplug.conf
@@ -0,0 +1,7 @@
+CONFIG_HOTPLUG_CPU=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y
+CONFIG_HOTPLUG_PCI=y
+CONFIG_HOTPLUG_PCI_ACPI=y
+CONFIG_HOTPLUG_PCI_SHPC=y
diff --git a/vmm/scripts/kernel/build-kernel/fragments/ipv6.conf b/vmm/scripts/kernel/build-kernel/fragments/ipv6.conf
new file mode 100644
index 00000000..53b41e32
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/fragments/ipv6.conf
@@ -0,0 +1,9 @@
+CONFIG_IPV6=y
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DUP_IPV6=y
+CONFIG_NF_LOG_IPV6=y
+# end of IPv6: Netfilter Configuration
+
+CONFIG_NF_DEFRAG_IPV6=y
diff --git a/vmm/scripts/kernel/build-kernel/fragments/mem.conf b/vmm/scripts/kernel/build-kernel/fragments/mem.conf
new file mode 100644
index 00000000..8d9eec24
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/fragments/mem.conf
@@ -0,0 +1,19 @@
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+
+#
+# Memory Management options
+#
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+CONFIG_MEMORY_BALLOON=y
+CONFIG_PAGE_REPORTING=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
+
+CONFIG_MEMCG_QOS=y
+CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y
diff --git a/vmm/scripts/kernel/build-kernel/fragments/mini-kernel-aarch64.conf b/vmm/scripts/kernel/build-kernel/fragments/mini-kernel-aarch64.conf
new file mode 100644
index 00000000..c97c7889
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/fragments/mini-kernel-aarch64.conf
@@ -0,0 +1,2 @@
+CONFIG_PCI_HOST_GENERIC=y
+CONFIG_OF_PMEM=y
diff --git a/vmm/scripts/kernel/build-kernel/fragments/mini-kernel-x86_64.conf b/vmm/scripts/kernel/build-kernel/fragments/mini-kernel-x86_64.conf
new file mode 100644
index 00000000..e69de29b
diff --git a/vmm/scripts/kernel/build-kernel/fragments/module.conf b/vmm/scripts/kernel/build-kernel/fragments/module.conf
new file mode 100644
index 00000000..4f777a2f
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/fragments/module.conf
@@ -0,0 +1,8 @@
+CONFIG_MODULE_SIG_FORMAT=y
+CONFIG_MODULES=y
+CONFIG_MODULE_FORCE_LOAD=y
+CONFIG_MODULE_UNLOAD=y
+CONFIG_MODULE_FORCE_UNLOAD=y
+CONFIG_MODVERSIONS=y
+CONFIG_MODULE_SRCVERSION_ALL=y
+CONFIG_MODULE_SIG=y
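Review bot: `CONFIG_MODULE_SIG=y` at the end of module.conf only makes the kernel check signatures; without `CONFIG_MODULE_SIG_FORCE=y` an unsigned or badly signed module still loads and merely taints the kernel, and `CONFIG_MODULE_FORCE_LOAD=y` / `CONFIG_MODULE_FORCE_UNLOAD=y` let a forced modprobe bypass the version checks that `CONFIG_MODVERSIONS=y` adds. For a guest kernel that, per the accompanying document, must load device-driver modules for passthrough hardware, either enforce signing — `CONFIG_MODULE_SIG_FORCE=y`, `CONFIG_MODULE_SIG_ALL=y` and a hash choice such as `CONFIG_MODULE_SIG_SHA256=y` — and drop the two `_FORCE_` options, or keep the current set and say in a comment that signing is advisory only (`# MODULE_SIG without SIG_FORCE: unsigned modules load with a taint`). The fragment also does not set a signing key (`CONFIG_MODULE_SIG_KEY`), so as written the build generates a throwaway key and the signatures cannot be verified against anything the host trusts.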
diff --git a/vmm/scripts/kernel/build-kernel/fragments/namespace.conf b/vmm/scripts/kernel/build-kernel/fragments/namespace.conf
new file mode 100644
index 00000000..6254019c
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/fragments/namespace.conf
@@ -0,0 +1,6 @@
+CONFIG_NAMESPACES=y
+CONFIG_UTS_NS=y
+CONFIG_IPC_NS=y
+CONFIG_USER_NS=y
+CONFIG_PID_NS=y
+CONFIG_NET_NS=y
diff --git a/vmm/scripts/kernel/build-kernel/fragments/net.conf b/vmm/scripts/kernel/build-kernel/fragments/net.conf
new file mode 100644
index 00000000..6e38e8b9
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/fragments/net.conf
@@ -0,0 +1,70 @@
+CONFIG_NET=y
+CONFIG_SKB_EXTENSIONS=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+CONFIG_UNIX=y
+CONFIG_UNIX_SCM=y
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_INET=y
+CONFIG_IP_MULTICAST=y
+CONFIG_IP_PNP=y
+CONFIG_IP_PNP_DHCP=y
+CONFIG_SYN_COOKIES=y
+CONFIG_TCP_CONG_ADVANCED=y
+CONFIG_TCP_CONG_BBR=y
+CONFIG_DEFAULT_BBR=y
+CONFIG_DEFAULT_TCP_CONG="bbr"
+CONFIG_TCP_MD5SIG=y
+CONFIG_STP=y
+CONFIG_BRIDGE=y
+CONFIG_BRIDGE_IGMP_SNOOPING=y
+CONFIG_HAVE_NET_DSA=y
+CONFIG_LLC=y
+CONFIG_NET_SCHED=y
+
+#
+# Queueing/Scheduling
+#
+CONFIG_NET_SCH_CBQ=y
+CONFIG_NET_SCH_MULTIQ=y
+CONFIG_NET_SCH_FQ_CODEL=y
+CONFIG_NET_SCH_FQ=y
+
+#
+# Classification
+#
+CONFIG_NET_CLS=y
+CONFIG_NET_CLS_CGROUP=y
+CONFIG_NET_EMATCH=y
+CONFIG_NET_EMATCH_STACK=32
+CONFIG_NET_SCH_FIFO=y
+
+CONFIG_DNS_RESOLVER=y
+CONFIG_VSOCKETS=y
+CONFIG_VSOCKETS_DIAG=y
+CONFIG_VSOCKETS_LOOPBACK=y
+CONFIG_VIRTIO_VSOCKETS=y
+CONFIG_VIRTIO_VSOCKETS_COMMON=y
+CONFIG_NET_SWITCHDEV=y
+CONFIG_RPS=y
+CONFIG_RFS_ACCEL=y
+CONFIG_XPS=y
+CONFIG_CGROUP_NET_PRIO=y
+CONFIG_CGROUP_NET_CLASSID=y
+CONFIG_NET_RX_BUSY_POLL=y
+CONFIG_BQL=y
+CONFIG_N
ET_FLOW_LIMIT=y
+
+CONFIG_GRO_CELLS=y
+CONFIG_FAILOVER=y
+
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+CONFIG_VETH=y
+CONFIG_VIRTIO_NET=y
diff --git a/vmm/scripts/kernel/build-kernel/fragments/netfiler.conf b/vmm/scripts/kernel/build-kernel/fragments/netfiler.conf
new file mode 100644
index 00000000..71c1cdf9
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/fragments/netfiler.conf
@@ -0,0 +1,182 @@
+CONFIG_NETFILTER=y
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_INGRESS=y
+CONFIG_NETFILTER_NETLINK=y
+CONFIG_NETFILTER_FAMILY_ARP=y
+CONFIG_NETFILTER_NETLINK_ACCT=y
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NETFILTER_NETLINK_OSF=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_LOG_COMMON=y
+CONFIG_NETFILTER_CONNCOUNT=y
+CONFIG_NF_CONNTRACK_MARK=y
+CONFIG_NF_CONNTRACK_ZONES=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+CONFIG_NF_CONNTRACK_TIMEOUT=y
+CONFIG_NF_CONNTRACK_TIMESTAMP=y
+CONFIG_NF_CONNTRACK_LABELS=y
+CONFIG_NF_CT_PROTO_DCCP=y
+CONFIG_NF_CT_PROTO_GRE=y
+CONFIG_NF_CT_PROTO_SCTP=y
+CONFIG_NF_CT_PROTO_UDPLITE=y
+CONFIG_NF_CONNTRACK_FTP=y
+CONFIG_NF_CONNTRACK_BROADCAST=y
+CONFIG_NF_CONNTRACK_SNMP=y
+CONFIG_NF_CONNTRACK_PPTP=y
+CONFIG_NF_CONNTRACK_SANE=y
+CONFIG_NF_CONNTRACK_SIP=y
+CONFIG_NF_CONNTRACK_TFTP=y
+CONFIG_NF_CT_NETLINK=y
+CONFIG_NF_CT_NETLINK_TIMEOUT=y
+CONFIG_NF_CT_NETLINK_HELPER=y
+CONFIG_NETFILTER_NETLINK_GLUE_CT=y
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_FTP=y
+CONFIG_NF_NAT_SIP=y
+CONFIG_NF_NAT_TFTP=y
+CONFIG_NF_NAT_REDIRECT=y
+CONFIG_NF_NAT_MASQUERADE=y
+CONFIG_NETFILTER_SYNPROXY=y
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+CONFIG_NETFILTER_XT_TARGET_CHECKSUM=y
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+CONFIG_NETFILTER_XT_TARGET_HMARK=y
+CONFIG_NETFILTER_XT_TARGET_IDLETIMER=y
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_NAT=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_RATEEST=y
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+CONFIG_NETFILTER_XT_TARGET_MASQUERADE=y
+CONFIG_NETFILTER_XT_TARGET_TEE=y
+CONFIG_NETFILTER_XT_TARGET_TPROXY=y
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=y
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+CONFIG_NETFILTER_XT_MATCH_BPF=y
+CONFIG_NETFILTER_XT_MATCH_CGROUP=y
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+CONFIG_NETFILTER_XT_MATCH_CONNLABEL=y
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+CONFIG_NETFILTER_XT_MATCH_CPU=y
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+CONFIG_NETFILTER_XT_MATCH_IPVS=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_SOCKET=y
+# end of Core Netfilter Configuration
+
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+
+CONFIG_IP_VS=y
+CONFIG_IP_VS_TAB_BITS=12
+
+#
+# IPVS transport protocol load balancing support
+#
+CONFIG_IP_VS_PROTO_TCP=y
+CONFIG_IP_VS_PROTO_UDP=y
+CONFIG_IP_VS_PROTO_AH_ESP=y
+CONFIG_IP_VS_PROTO_ESP=y
+CONFIG_IP_VS_PROTO_AH=y
+CONFIG_IP_VS_PROTO_SCTP=y
+
+#
+# IPVS scheduler
+#
+CONFIG_IP_VS_RR=y
+CONFIG_IP_VS_WRR=y
+CONFIG_IP_VS_LC=y
+CONFIG_IP_VS_WLC=y
+CONFIG_IP_VS_FO=y
+CONFIG_IP_VS_OVF=y
+CONFIG_IP_VS_LBLC=y
+CONFIG_IP_VS_LBLCR=y
+CONFIG_IP_VS_DH=y
+CONFIG_IP_VS_SH=y
+CONFIG_IP_VS_MH=y
+CONFIG_IP_VS_SED=y
+CONFIG_IP_VS_NQ=y
+#
+# IPVS SH scheduler
+#
+CONFIG_IP_VS_SH_TAB_BITS=8
+
+#
+# IPVS MH scheduler
+#
+CONFIG_IP_VS_MH_TAB_INDEX=12
+
+#
+# IPVS application helper
+#
+CONFIG_IP_VS_NFCT=y
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_SOCKET_IPV4=y
+CONFIG_NF_TPROXY_IPV4=y
+CONFIG_NF_DUP_IPV4=y
+CONFIG_NF_LOG_IPV4=y
+CONFIG_NF_REJECT_IPV4=y
+CONFIG_NF_NAT_SNMP_BASIC=y
+CONFIG_NF_NAT_PPTP=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+CONFIG_IP_NF_MATCH_RPFILTER=y
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_TARGET_SYNPROXY=y
+CONFIG_IP_NF_NAT=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+# end of IP: Netfilter Configuration
diff --git a/vmm/scripts/kernel/build-kernel/fragments/nfs.conf b/vmm/scripts/kernel/build-kernel/fragments/nfs.conf
new file mode 100644
index 00000000..d94749b9
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/fragments/nfs.conf
@@ -0,0 +1,8 @@
+CONFIG_NETWORK_FILESYSTEMS=y
+CONFIG_NFS_FS=y
+CONFIG_NFS_V2=y
+CONFIG_NFS_V3=y
+CONFIG_NFS_V4=y
+CONFIG_NFS_V4_1=y
+CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
+CONFIG_NFS_COMMON=y
diff --git a/vmm/scripts/kernel/build-kernel/fragments/nvdimm.conf b/vmm/scripts/kernel/build-kernel/fragments/nvdimm.conf
new file mode 100644
index 00000000..50d7553a
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/fragments/nvdimm.conf
@@ -0,0 +1,10 @@
+CONFIG_LIBNVDIMM=y
+CONFIG_BLK_DEV_PMEM=y
+CONFIG_ND_BLK=y
+CONFIG_ND_CLAIM=y
+CONFIG_ND_BTT=y
+CONFIG_BTT=y
+CONFIG_DAX_DRIVER=y
+CONFIG_DAX=y
+CONFIG_NVMEM=y
+CONFIG_NVMEM_SYSFS=y
diff --git a/vmm/scripts/kernel/build-kernel/fragments/pci.conf b/vmm/scripts/kernel/build-kernel/fragments/pci.conf
new file mode 100644
index 00000000..681a078e
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/fragments/pci.conf
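Review bot: the file is added as `fragments/netfiler.conf`, which reads as a typo for `netfilter.conf`; the `.list` files that name fragments are not part of this diff, so a rename has to be done in step with them rather than on its own. In the hunk itself, `CONFIG_IP_NF_TARGET_CLUSTERIP=y` enables a target that upstream marked deprecated (and, if memory serves, later removed), and it is hard to see a use for cluster-IP load sharing inside a sandbox guest, so dropping that line keeps the fragment portable without losing anything the document asks for. The fragment also enables every conntrack protocol helper (`FTP`, `SNMP`, `PPTP`, `SANE`, `SIP`, `TFTP`) and the matching NAT helpers; each is extra parsing code on the guest's network path, so a comment stating which ones the supported networking modes actually rely on would let later maintainers trim the rest.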
@@ -0,0 +1,26 @@
+CONFIG_PCI=y
+CONFIG_PCIEPORTBUS=y
+CONFIG_HOTPLUG_PCI_PCIE=y
+CONFIG_PCIEAER=y
+CONFIG_PCIEASPM=y
+CONFIG_PCIEASPM_DEFAULT=y
+CONFIG_PCI_STUB=y
+CONFIG_PCI_MSI=y
+CONFIG_PCI_MSI_IRQ_DOMAIN=y
+CONFIG_PCI_QUIRKS=y
+CONFIG_PCI_IOV=y
+CONFIG_PCI_REALLOC_ENABLE_AUTO=y
+CONFIG_PCI_ATS=y
+CONFIG_PCI_PASID=y
+CONFIG_PCI_LABEL=y
+CONFIG_PCIE_BUS_DEFAULT=y
+
+#
+# PCI Endpoint
+#
+CONFIG_PCI_ENDPOINT=y
+CONFIG_PCI_ENDPOINT_CONFIGFS=y
+# end of PCI Endpoint
+
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_PCI_LEGACY=y
diff --git a/vmm/scripts/kernel/build-kernel/fragments/scsi.conf b/vmm/scripts/kernel/build-kernel/fragments/scsi.conf
new file mode 100644
index 00000000..a2b0eaa1
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/fragments/scsi.conf
@@ -0,0 +1,16 @@
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+CONFIG_SCSI=y
+CONFIG_SCSI_DMA=y
+
+#
+# SCSI support type (disk, tape, CD-ROM)
+#
+CONFIG_BLK_DEV_SD=y
+CONFIG_CHR_DEV_ST=y
+CONFIG_CHR_DEV_SG=y
+CONFIG_CHR_DEV_SCH=y
+CONFIG_SCSI_LOWLEVEL=y
+CONFIG_SCSI_VIRTIO=y
diff --git a/vmm/scripts/kernel/build-kernel/fragments/security.conf b/vmm/scripts/kernel/build-kernel/fragments/security.conf
new file mode 100644
index 00000000..7bc9227c
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/fragments/security.conf
@@ -0,0 +1,43 @@
+#
+# Security options
+#
+CONFIG_KEYS=y
+CONFIG_SECURITY=y
+CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
+CONFIG_HARDENED_USERCOPY=y
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_LSM="no"
+
+CONFIG_INIT_STACK_NONE=y
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG2=y
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+CONFIG_CRYPTO_CRCT10DIF=y
+CONFIG_CRYPTO_MD5=y
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+
+#
+# Random Number Generation
+CONFIG_CRYPTO_HW=y
+CONFIG_CRYPTO_DEV_VIRTIO=y
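Review bot: `CONFIG_LSM="no"` together with `CONFIG_DEFAULT_SECURITY_DAC=y` leaves the guest with no LSM beyond the always-on capability module ("no" is not an LSM name, so the ordered list is effectively empty), and `CONFIG_INIT_STACK_NONE=y` opts out of automatic stack-variable initialization; both read as deliberate minimal-kernel choices, but nothing in security.conf says so. A one-line comment above them, `# no LSM: isolation comes from the VM boundary, not from the guest kernel`, would stop the next reader from "fixing" it; if some in-guest hardening is wanted, `CONFIG_SECURITY_YAMA=y` with `yama` in the LSM list and, on kernels that offer it, `CONFIG_INIT_STACK_ALL_ZERO=y` in place of `CONFIG_INIT_STACK_NONE=y` are cheap. The `# Random Number Generation` header at the end of the hunk is also missing its closing `#` line, unlike every other section header in these fragments.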
diff --git a/vmm/scripts/kernel/build-kernel/fragments/virtio.conf b/vmm/scripts/kernel/build-kernel/fragments/virtio.conf
new file mode 100644
index 00000000..2d9b9201
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/fragments/virtio.conf
@@ -0,0 +1,7 @@
+CONFIG_VIRT_DRIVERS=y
+CONFIG_VIRTIO=y
+CONFIG_VIRTIO_MENU=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_INPUT=y
+CONFIG_VIRTIO_MMIO=y
+CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y
diff --git a/vmm/scripts/kernel/build-kernel/fragments/vlan.conf b/vmm/scripts/kernel/build-kernel/fragments/vlan.conf
new file mode 100644
index 00000000..fc8a8d9e
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/fragments/vlan.conf
@@ -0,0 +1,2 @@
+CONFIG_VLAN_8021Q=y
+CONFIG_DCB=y
diff --git a/vmm/scripts/kernel/build-kernel/fragments/x86_64.conf b/vmm/scripts/kernel/build-kernel/fragments/x86_64.conf
new file mode 100644
index 00000000..92976a1e
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/fragments/x86_64.conf
@@ -0,0 +1,107 @@
+#
+# General setup
+#
+CONFIG_KERNEL_GZIP=y
+
+#
+# Timers subsystem
+#
+CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y
+# end of Timers subsystem
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_IRQ_MATRIX_ALLOCATOR=y
+# end of IRQ subsystem
+
+
+CONFIG_KALLSYMS_ABSOLUTE_PERCPU=y
+# end of General setup
+
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+
+CONFIG_ARCH_MMAP_RND_BITS_MIN=28
+CONFIG_ARCH_MMAP_RND_BITS_MAX=32
+CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8
+CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16
+
+
+#
+# Processor type and features
+#
+CONFIG_X86_64_SMP=y
+CONFIG_X86_X2APIC=y
+CONFIG_X86_MPPARSE=y
+CONFIG_HYPERVISOR_GUEST=y
+CONFIG_PARAVIRT_SPINLOCKS=y
+CONFIG_X86_HV_CALLBACK_VECTOR=y
+CONFIG_KVM_GUEST=y
+CONFIG_ARCH_CPUIDLE_HALTPOLL=y
+CONFIG_PARAVIRT_CLOCK=y
+CONFIG_MCORE2=y
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_IA32_FEAT_CTL=y
+CONFIG_X86_VMX_FEATURE_NAMES=y
+CONFIG_PROCESSOR_SELECT=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_HYGON=y
+CONFIG_CPU_SUP_ZHAOXIN=y
+CONFIG_HPET_TIMER=y
+CONFIG_NR_CPUS_RANGE_BEGIN=2
+CONFIG_NR_CPUS_RANGE_END=512
+CONFIG_NR_CPUS_DEFAULT=64
+CONFIG_SCHED_MC_PRIO=y
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+
+CONFIG_X86_16BIT=y
+CONFIG_X86_ESPFIX64=y
+CONFIG_X86_VSYSCALL_EMULATION=y
+CONFIG_X86_IOPL_IOPERM=y
+CONFIG_X86_MSR=y
+CONFIG_X86_CPUID=y
+CONFIG_X86_DIRECT_GBPAGES=y
+
+CONFIG_X86_PMEM_LEGACY=y
+
+CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
+CONFIG_X86_INTEL_TSX_MODE_OFF=y
+
+CONFIG_PHYSICAL_ALIGN=0x1000000
+CONFIG_LEGACY_VSYSCALL_EMULATE=y
+CONFIG_MODIFY_LDT_SYSCALL=y
+
+# CPU
+CONFIG_SPECULATION_MITIGATIONS=y
+CONFIG_PAGE_TABLE_ISOLATION=y
+CONFIG_RETPOLINE=y
+
+# x86 assembly
+CONFIG_AS_AVX512=y
+CONFIG_AS_SHA1_NI=y
+CONFIG_AS_SHA256_NI=y
+CONFIG_AS_TPAUSE=y
+
+#
+# General architecture-dependent options
+#
+CONFIG_OPROFILE_NMI_TIMER=y
+CONFIG_HAVE_HARDLOCKUP_DETECTOR_PERF=y
+CONFIG_HAVE_ARCH_SOFT_DIRTY=y
+CONFIG_HAVE_RELIABLE_STACKTRACE=y
+CONFIG_HAVE_STATIC_CALL_INLINE=y
+# end of General architecture-dependent options
diff --git a/vmm/scripts/kernel/build-kernel/how-to-tailor-linux-kernel-for-kuasar-security-container.md b/vmm/scripts/kernel/build-kernel/how-to-tailor-linux-kernel-for-kuasar-security-container.md
new file mode 100644
index 00000000..5f5bbb38
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/how-to-tailor-linux-kernel-for-kuasar-security-container.md
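Review bot: `CONFIG_LEGACY_VSYSCALL_EMULATE=y` keeps a readable vsyscall page at a fixed address purely for very old glibc builds; for a guest whose userspace is the container image, `CONFIG_LEGACY_VSYSCALL_XONLY=y` (or `CONFIG_LEGACY_VSYSCALL_NONE=y` if no legacy binaries are expected) is the usual hardening choice, and, if memory serves, recent kernels have dropped the EMULATE mode altogether, which would trip the merge check in build-kernel.sh. In the same block, `CONFIG_X86_IOPL_IOPERM=y` and `CONFIG_MODIFY_LDT_SYSCALL=y` enable legacy interfaces that a sandbox guest rarely needs; if there is no known consumer, `# CONFIG_X86_IOPL_IOPERM is not set` and `# CONFIG_MODIFY_LDT_SYSCALL is not set` shrink the attack surface, otherwise a one-line comment naming the consumer would justify keeping them. `CONFIG_SPECULATION_MITIGATIONS=y`, `CONFIG_PAGE_TABLE_ISOLATION=y` and `CONFIG_RETPOLINE=y` under `# CPU` are the right defaults to keep for a multi-tenant guest.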
@@ -0,0 +1,209 @@
+This document describes the tailoring and building methods of the linux kernel for the kuasar security container in different scenarios. Developers can quickly and automatically build a linux kernel image which adapts to the kuasar security container by using the provided `build-kernel.sh` script.
+
+## Tailoring Method
+
+Linux kernel tailoring is a process of removing or retaining some kernel features or modules based on actual application scenario requirements to achieve the purposes of optimizing system performance, reducing memory usage, and improving security.
+Generally, there are two methods to tailor the linux kernel:
+
+1. **Subtraction Tailoring**: Disable the configuration options of unnecessary features based on the default kernel configuration.
+2. **Addition Tailoring**: Developers know which kernel capabilities are needed, and combine the various kernel feature configuration options from scratch.
+
+The two tailoring methods have their own advantages and disadvantages:
+
+ * **The advantage of the "subtraction" tailoring method is that it is simple and convenient**, and can quickly tailor the kernel to meet functional requirements. However, the disadvantage is that every time the kernel version is updated, **the manual tailoring process needs to be repeated, and the tailoring process cannot be automated and inherited**.
+ * **The advantage of the "addition" tailoring mode is that the kernel can quickly and automatically tailored for different versions of the kernel**, and the memory footprint of the tailored kernel is very small. **The disadvantage is that it is difficult to get started**. Developers need to be familiar with the features of the kernel and know how to divide the kernel configuration options according to the kernel features. **This may require a significant amount of time for the first tailoring.**
+
+After analyzing the advantages and disadvantages of the two tailoring methods mentioned above, and considering the requirements of supporting multiple versions of linux kernel, minimal kernel memory overhead requirement, and easy expansion of kernel tailoring configuration in the usage scenario of kuasar vmm sandbox, **the "addition" tailoring method is the most suitable choice**.
+
+## Analysis of Kernel Capabilities Required by Kuasar Security Container
+
+Currently, security container is currently mainly used in serverless computing and the hybrid deployment of trusted and untrusted containers. The different characteristics of these two scenarios also have different requirements for the kernel capabilities of security container.
+
+ - **Serverless computing scenario**
+ The characteristics of this scenario are that the functions provided by the application are very simple, which are mainly focused on computation, sensitive to delay, have short running time, and require high density of single-machine deployment.
+ **These characteristics require the kernel to meet basic computing and network communication capabilities, and the kernel's memory overhead must be small enough.**
+ - **Trusted and untrusted applications deployed together**
+ The characteristic of this scenario is that the applications are typically standard linux monolithic applications with complex functionality and high performance requirements, such as multi-tenant AI training/inference scenarios. To reduce performance loss, accelerator hardware devices need to be directly passthrough to secure containers. In addition, the device driver module can be loaded and complex networking modes can be supported.
+ **The requirements for the kernel in these scenarios are advanced capabilities, including support for hardware device pass-through, multiple network modes, and loadable kernel modules.**
+
+Based on the directory structure of kernel features output by the `make menuconfig` command and combined with the typical scenarios of security container, the kernel features can be divided into the following categories:
+ * Basic general configuration (without architecture differentiation)
+ * CPU architecture configuration
+ * Firmware configuration
+ * CPU
+ * Memory management
+ * ACPI driver
+ * PCI bus
+ * Hotplug/Unhotplug
+ * Kernel module
+ * Scheduling
+ * Storage management
+ * Block storage
+ * NVDIMM non-volatile memory
+ * SCSI protocol
+ * File system
+ * Ext4/Xfs basic file system
+ * 9p/Virtio-fs shared file system
+ * NFS file system
+ * Fuse file system
+ * Network management
+ * IPv4/IPv6 support
+ * VLAN network
+ * Netfilter packet filtering
+ * Cgroup resource control management
+ * NameSpace isolation
+ * Security features
+ * Device drivers
+ * Character device driver
+ * Virtio device driver
+ * Debug capability
+
+## Security Container Guest Kernel Classification
+
+We abstract the kernel capabilities corresponding to the preceding two typical scenarios of security container. The kernel used by security container are classified into the following types:
+
+ * **micro-kernel**: The lightweight kernel adopts the MMIO bus structure with minimal memory overhead, and is used in conjunction with lightweight virtual machine mode (such as StratoVirt hypervisor's microVM virtual machine mode, Cloud-Hypervisor/Firecracker light-weight virtualization engine), making it suitable for serverless computing scenarios.
+ * **mini-kernel**: The kernel is miniaturized and adopts a PCI bus structure, providing advanced kernel functions such as ACPI/SCSI/NFS/kernel module loading, with rich features. The mini-kernel has rich functions and is combined with the standard VM mode. (e.g. standard VM mode for StratoVirt and Qemu) It is applicable to complex scenarios, such as trusted applications and untrusted applications deployed in the same machine.**
+
+## Kernel Tailoring and Building Guide
+
+### Description of Tailoring Command Parameters
+
+```
+$ ./build-kernel.sh --help
+Usage: ./build-kernel.sh [options]
+ --help, -h print the usage
+ --arch specify the hardware architecture: aarch64/x86_64
+ --kernel-type specify the target kernel type: micro/mini
+ --kernel-dir specify the kernel source directory
+ --kernel-conf-dir specify the kernel tailor conf directory
+```
+
+> **Note**
+>
+> * `--arch`: specifies the target platform architecture of the kernel. The valid value can be aarch64 or x86_64.
+> * `--kernel-type`: specifies the guest kernel type of the security container to be built. The valid value can be micro (for serverless computing) or mini (for trusted and untrusted applications).
+> * `--kernel-dir`: specifies the absolute path of the kernel source code directory.
+> * `--kernel-conf-dir`: specifies the absolute path of the directory where the kernel tailoring configuration files are stored.
+
+### Tailoring and Building Kernels
+
+The following is an example for tailoring and building the mini type guest kernel in the aarch64 architecture:
+
+```
+$ ./build-kernel.sh --arch aarch64 --kernel-type mini --kernel-dir /home/test/kernel/linux-5.10/ --kernel-conf-dir /home/test/kuasar/vmm/scripts/kernel/build-kernel
+
+Kernel Type: mini
+Kernel Dir: /home/jpf/kernel/linux-5.10/
+Kernel Conf Dir: /home/jpf/kuasar/vmm/scripts/kernel/build-kernel
+Merge kernel fragments with /home/jpf/kuasar/vmm/scripts/kernel/build-kernel/small-kernel-aarch64.list successfully.
+ SYNC include/config/auto.conf.cmd
+ CC scripts/mod/devicetable-offsets.s
+ HOSTCC scripts/mod/modpost.o
+ ......
+ AR init/built-in.a
+ LD vmlinux.o
+ MODPOST vmlinux.symvers
+ MODINFO modules.builtin.modinfo
+ GEN modules.builtin
+ LD .tmp_vmlinux.kallsyms1
+ KSYMS .tmp_vmlinux.kallsyms1.S
+ AS .tmp_vmlinux.kallsyms1.S
+ LD .tmp_vmlinux.kallsyms2
+ KSYMS .tmp_vmlinux.kallsyms2.S
+ AS .tmp_vmlinux.kallsyms2.S
+ LD vmlinux
+ SORTTAB vmlinux
+ SYSMAP System.map
+ MODPOST modules-only.symvers
+ GEN Module.symvers
+ OBJCOPY arch/arm64/boot/Image
+ GZIP arch/arm64/boot/Image.gz
+Build kernel successfully.
+```
+
+> Note:
+> When the version of the kernel was changed by user or some customized patches applied for the kernel, the dependency relationships of some CONFIG configuration options in the kernel may change. When automatically generating the config configuration for the tailored kernel, an error message similar to **"CONFIG_XXX not in final .config"** may appear., it means that the kernel configuration item that needs to be enabled in the kernel fragment file is not present in the final kernel configuration file `.config`.
+
+> The reason for this error message is that the dependency relationships of the kernel configuration options in the tailored kernel fragment file list have changed. This may occur when the kernel version undergoes significant changes and the configuration dependency of the original `CONFIG_XXX` changes, or it may be due to existing problems with the dependency relationships of the kernel configuration options in the original kernel fragment file.
+>
+> **Solution:**
+>
+> 1. In the directory of the built kernel source code, use the configuration GUI of `make menuconfig` to locate the problematic `CONFIG_XXX` configuration option, and check its dependency relationship with other kernel configuration options.
+> 2. Based on the kernel configuration dependency relationship found in Step 1, adjust the kernel configuration options in the kernel fragment file (which may involve adding new kernel configuration options or deleting some existing ones).
+
+### Customizing Tailored Kernel Configuration Options ###
+
+The core workflow of the `build-kernel.sh` script is as follows:
+1. Based on the input target architecture and kernel type information, the script locates the corresponding tailored configuration file in the kernel tailored configuration directory. The rule for matching the tailored configuration files is `-kernel-.list`.
+2. The script merges all kernel configuration option fragments stored in the tailored configuration file using the `scripts/kconfig/merge_config.sh` script which stored in the kernel source directory, and generates the final `.config` file for kernel building.
+3. Executing the kernel building process, generating the kernel binary image.
+
+There are two ways for developers to customize some of the kernel tailoring configuration options:
+ * After the `build-kernel.sh` script automatically generates the merged kernel tailored configuration file `.config`, manually adjust it through the `make menuconfig` configuration GUI.
+ * Directly modify the kernel tailored configuration file `-kernel-.list` which stored in the `kuasar/vmm/scripts/kernel/build-kernel/` directory and add or remove kernel fragments as needed.
+
+The format of the contents in the kernel tailoring configuration file `-kernel-.list` is:
+
+```
+fragments/aarch64.conf
+fragments/base.conf
+fragments/block.conf
+fragments/cgroup.conf
+fragments/character.conf
+fragments/cpu.conf
+fragments/device.conf
+fragments/filesystem.conf
+fragments/mem.conf
+fragments/namespace.conf
+fragments/net.conf
+fragments/security.conf
+fragments/virtio.conf
+```
+
+Each line in the file represents a kernel fragment file that needs to be included, and all kernel configuration options in that fragment file will be added to the final generated kernel configuration file `.config`. For example, the contents of the kernel fragment file `fragments/cgroup.conf` are as follows:
+
+```
+CONFIG_CGROUPS=y
+CONFIG_PAGE_COUNTER=y
+CONFIG_MEMCG=y
+CONFIG_MEMCG_SWAP=y
+CONFIG_MEMCG_KMEM=y
+CONFIG_BLK_CGROUP=y
+CONFIG_CGROUP_WRITEBACK=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_FAIR_GROUP_SCHED=y
+CONFIG_CFS_BANDWIDTH=y
+CONFIG_CGROUP_PIDS=y
+CONFIG_CGROUP_FREEZER=y
+CONFIG_CPUSETS=y
+CONFIG_PROC_PID_CPUSET=y
+CONFIG_CGROUP_DEVICE=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_SOCK_CGROUP_DATA=y
+```
+
+## Tailored Kernel Memory Footprint Test ##
+
+### Testing Method
+
+Start a new StratoVirt microVM type lightweight virtual machine sandbox instance through `crictl runp` command and observe various indicator data.
+
+Measurement method for various test indicators:
+ * **Kernel image file size**: Obtain directly by `ls -ahl ` command.
+ * **Kernel memory overhead**: The total physical memory used by the Guest OS (which can be acquired by `pmem -p ` command ) **subtracts** the RSS memory overhead of the init process in the Guest OS.
+ * **Kernel cold start time**: Check the time consumed by the guest kernel to start the user-mode init process by `dmesg` command executed in the Guest OS.
+
+### Test Results
+
+| Test Type | Kernel image file size (MB) | Kernel memory overhead (MB) | Kernel Cold Start Time (ms) |
+| --------------------------- | --------------------------- | ----------------------------------- | ------------------------- |
+| kuasar-aarch64-micro-kernel | *7.7* | 46.2 | *48.3* |
+| kuasar-aarch64-mimi-kernel | 11 | *43.2* | 67.4 |
+| kata-aarch64-kernel | 12 | 45.4 | 73.1 |
+| kuasar-x86_64-micro-kernel | *3.5* | *60.2* | *63.2* |
+| kuasar-x86_64-mini-kernel | 5 | 107.4 | 106.9 |
+| kata-x86_64-kernel | 5.8 | 85 | 120.4 |
+
+- In the **aarch64 architecture**, Kuasar has a **34% decrease** in kernel cold-start time compared to the guest kernel tailored by Kata-Containers, and the kernel memory overhead remains basically the same.
+- In the **x86_64 architecture**, Kuasar has a **47.5% decrease** in kernel cold-start time compared to the guest kernel tailored by Kata, and **29% decrease** in memory baseline overhead.
\ No newline at end of file
diff --git a/vmm/scripts/kernel/build-kernel/micro-kernel-aarch64.list b/vmm/scripts/kernel/build-kernel/micro-kernel-aarch64.list
new file mode 100644
index 00000000..4c25620d
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/micro-kernel-aarch64.list
@@ -0,0 +1,13 @@
+fragments/aarch64.conf
+fragments/base.conf
+fragments/block.conf
+fragments/cgroup.conf
+fragments/character.conf
+fragments/cpu.conf
+fragments/device.conf
+fragments/filesystem.conf
+fragments/mem.conf
+fragments/namespace.conf
+fragments/net.conf
+fragments/security.conf
+fragments/virtio.conf
diff --git a/vmm/scripts/kernel/build-kernel/micro-kernel-x86_64.list b/vmm/scripts/kernel/build-kernel/micro-kernel-x86_64.list
new file mode 100644
index 00000000..9fbd2a26
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/micro-kernel-x86_64.list
@@ -0,0 +1,13 @@
+fragments/x86_64.conf
+fragments/base.conf
+fragments/block.conf
+fragments/cgroup.conf
+fragments/character.conf
+fragments/cpu.conf
+fragments/device.conf
+fragments/filesystem.conf
+fragments/mem.conf
+fragments/namespace.conf
+fragments/net.conf
+fragments/security.conf
+fragments/virtio.conf
diff --git a/vmm/scripts/kernel/build-kernel/mini-kernel-aarch64.list b/vmm/scripts/kernel/build-kernel/mini-kernel-aarch64.list
new file mode 100644
index 00000000..a8877d01
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/mini-kernel-aarch64.list
@@ -0,0 +1,25 @@
+fragments/9p.conf
+fragments/aarch64.conf
+fragments/acpi.conf
+fragments/base.conf
+fragments/block.conf
+fragments/cgroup.conf
+fragments/character.conf
+fragments/cpu.conf
+fragments/device.conf
+fragments/filesystem.conf
+fragments/firmware.conf
+fragments/hotplug.conf
+fragments/ipv6.conf
+fragments/mem.conf
+fragments/namespace.conf
+fragments/net.conf
+fragments/netfiler.conf
+fragments/nfs.conf
+fragments/nvdimm.conf
+fragments/pci.conf
+fragments/scsi.conf
+fragments/security.conf
+fragments/mini-kernel-aarch64.conf
+fragments/virtio.conf
+fragments/vlan.conf
diff --git a/vmm/scripts/kernel/build-kernel/mini-kernel-x86_64.list b/vmm/scripts/kernel/build-kernel/mini-kernel-x86_64.list
new file mode 100644
index 00000000..c478c771
--- /dev/null
+++ b/vmm/scripts/kernel/build-kernel/mini-kernel-x86_64.list
@@ -0,0 +1,25 @@
+fragments/9p.conf
+fragments/acpi.conf
+fragments/base.conf
+fragments/block.conf
+fragments/cgroup.conf
+fragments/character.conf
+fragments/cpu.conf
+fragments/device.conf
+fragments/filesystem.conf
+fragments/firmware.conf
+fragments/hotplug.conf
+fragments/ipv6.conf
+fragments/mem.conf
+fragments/namespace.conf
+fragments/net.conf
+fragments/netfiler.conf
+fragments/nfs.conf
+fragments/nvdimm.conf
+fragments/pci.conf
+fragments/scsi.conf
+fragments/security.conf
+fragments/mini-kernel-x86_64.conf
+fragments/virtio.conf
+fragments/vlan.conf
+fragments/x86_64.conf
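Review bot: The two mini-kernel lists place the architecture fragment at different positions — `fragments/aarch64.conf` is second in mini-kernel-aarch64.list while `fragments/x86_64.conf` is last in mini-kernel-x86_64.list — and `merge_config.sh` applies fragments in list order with a later fragment's value overriding an earlier one, so any option that both the arch fragment and a later fragment such as `fragments/security.conf` set will resolve differently on the two architectures. Putting the arch fragment at the same position in both lists (the micro-kernel lists in this commit both put it first) makes the override order predictable, and reviewing the `-r` redundancy output from the merge for the remaining conflicts is worthwhile. Both mini lists also reference `fragments/netfiler.conf`, while the accompanying document calls the feature "Netfilter packet filtering"; the fragment files are not in this chunk, so if the file is actually named `netfilter.conf` the merge should stop on the missing file, and the name is worth double-checking.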