Which kernel config options to choose?

This shall be a guide to configuring a Linux kernel for popular and modern x86_64 commodity hardware that is typically found in netbooks, laptops, desktops or off-the-shelf servers. I am not talking about embedded devices, development, big iron, other platforms, exotic hardware or peripherals. Just the standard stuff for running Linux. No discussion about modules vs. built-in. I do built-in. The basis for this article is 5.5.0-rc3. Please always refer also to the help text of the respective kernel option. This article does not describe every possible config option because it omits whole categories that are not relevant on such systems. If you feel that there is a mistake and I should really recommend for or against a certain option or I got something upside down, please email me. I am not a kernel developer, even if I can find my way around in the code quite well.

I am using the following acronyms in the comments:

Main page

make menuconfig will bring up this screen. Make sure to check these.
    General setup  --->
[*] 64-bit kernel
    Processor type and features  --->
    Power management and ACPI options  --->
    Bus options (PCI etc.)  --->
    Binary Emulations --->
    Firmware Drivers  --->
[*] Virtualization  --->
    General architecture-dependent options --->
[ ] Enable loadable module support  --->
-*- Enable the block layer  --->
    IO Schedulers --->
    Executable file formats / Emulations  --->
    Memory Management options --->
[*] Networking support  --->
    Device Drivers  --->
    File systems  --->
    Security options  --->
-*- Cryptographic API  --->
    Library routines  --->
    Kernel hacking  --->

General setup

Processor type and features

Power management and ACPI options

Bus options (PCI etc.)

Firmware Drivers

Virtualization

Y if you intend to run virtual machines on this computer (VHOST).

General architecture-dependent options

Enable loadable module support: N, SEC

Modules are a potential security problem. If you can, disable them and compile-in what you need.
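To check a generated .config against the main-page choices above and the no-modules recommendation, a small audit script can help. This is an added example, not the author's code; the mapping of menu entries to Kconfig symbols and the sample .config are assumptions of the example.

```python
import re

# Main-page entries mapped to Kconfig symbols (the mapping is this example's assumption).
EXPECTED = {
    "CONFIG_64BIT": "y",           # [*] 64-bit kernel
    "CONFIG_VIRTUALIZATION": "y",  # [*] Virtualization
    "CONFIG_MODULES": "n",         # [ ] Enable loadable module support
    "CONFIG_BLOCK": "y",           # -*- Enable the block layer
    "CONFIG_NET": "y",             # [*] Networking support
    "CONFIG_CRYPTO": "y",          # -*- Cryptographic API
}
_LINE = re.compile(r"^(?:(CONFIG_\w+)=(.*)|# (CONFIG_\w+) is not set)$")

def parse_config(text):
    """Return {symbol: value}; '# CONFIG_X is not set' lines map to 'n'."""
    options = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            options[m.group(1) or m.group(3)] = m.group(2) if m.group(1) else "n"
    return options

def audit(text):
    """Return (mismatches, modular): deviations from EXPECTED and all =m symbols."""
    options = parse_config(text)
    mismatches = {}
    for symbol, want in EXPECTED.items():
        got = options.get(symbol, "n")  # a symbol absent from .config is off
        if got != want:
            mismatches[symbol] = (want, got)
    modular = sorted(s for s, v in options.items() if v == "m")
    return mismatches, modular

# Constructed sample, not taken from a real build.
SAMPLE = """CONFIG_64BIT=y
CONFIG_MODULES=y
CONFIG_BLOCK=y
CONFIG_NET=y
CONFIG_E1000E=m
# CONFIG_VIRTUALIZATION is not set
CONFIG_CRYPTO=y
"""

if __name__ == "__main__":
    mismatches, modular = audit(SAMPLE)
    for symbol, (want, got) in sorted(mismatches.items()):
        print(f"{symbol}: want {want}, got {got}")
    print("still modular:", ", ".join(modular))
```

Every symbol reported as still modular has to be switched to built-in (=y) or dropped before loadable module support can be turned off.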

Enable the block layer: Y

IO Schedulers

Executable file formats / Emulations

Memory Management options

Networking support

Networking options

other

Device Drivers

File systems

Security options

Kernel hardening options:
Memory initialization:

Cryptographic API

tbd

Library routines

AUTO: simply let the config system auto-select the necessary options.

Kernel hacking

Even though this is for DEV, there are some SEC gains by enabling certain options.
printk and dmesg options:
Compile-time checks and compiler options:
Generic Kernel Debugging Instruments: