Which kernel config options to choose?
This shall be a guide to configuring a Linux kernel for popular and modern x86_64 commodity hardware that is typically found in netbooks, laptops, desktops or off-the-shelf servers. I am not talking about embedded devices, development, big iron, other platforms, exotic hardware or peripherials. Just the standard stuff for running Linux. No discussion about modules vs. built-in. I do built-in. The basis for this article is 6.12. Please always refer also to the help text of the respective kernel option. This article does not describe every possible config option because it omits whole categories that are not relevant on such systems. If you feel that there is a mistake and I should really recommend for or against a certain option or I got something upside down, please email me. I am not a kernel developer, even if I can find my way around in the code quite well.
I am using the following ackronyms in the comments:- DEV: useful for kernel development/debugging only, not for the general user
- EMB: for embedded systems / development, does not apply to other systems, opposite of BIG. All those Arduino, Pi, Atom, Androids, Exynos, ARM and whatnot.
- BIG: for big machines with hundreds of CPUs and TBs of RAM or HPC , opposite of EMB
- STD: a standard feature that you can't easily live without, most people need or is generally good to have
- REC: recommended feature to enable, a bit weaker than STD
- OLD: modern systems don't need or shouldn't need it, opposite of STD
- RM: removed, no longer present in newer kernels
- SEC: has security implications: enabling the option may make your system either more or less secure. Check the documentation.
- AUTO: no need to enable this manually. It will get enabled automatically if needed.
- COMPAT: recommended for backwards compatibility
- VHOST: for running the kernel as a hypervisor/host for virtual machines
- VGUEST: for running the kernel as a guest on a hypervisor
Main page
make menuconfig
will bring up this screen. Make sure to check these.
General setup ---> [*] 64-bit kernel Processor type and features ---> [*] Mitigations for CPU vulnerabilities ---> Power management and ACPI options ---> Bus options (PCI etc.) ---> Binary Emulations ---> [*] Virtualization ---> General architecture-dependent options ---> [ ] Enable loadable module support ---- -*- Enable the block layer ---> Executable file formats ---> Memory Management options ---> [*] Networking support ---> Device Drivers ---> File systems ---> Security options ---> -*- Cryptographic API ---> Library routines ---> Kernel hacking --->
General setup
- Compile also drivers which will not load: N, DEV
- Local version - append to kernel release: empty, add something if you play or bisect
- Automatically append version information to the version string: N, DEV, not necessary
- Build ID Salt: empty, SEC
- Kernel compression mode: Gzip, most compatible, size doesn't matter
- Default init path: empty, EMB
- Default hostname: empty, EMB, set only if you compile specially for a machine, will be superseded by a command-line option
- Support for paging of anonymous memory: Y, STD, even if you don't use swap
- System V IPC: Y, STD, Apache needs it for example
- POSIX Message Queues: Y, STD
- General notification queue: Y, STD
- Enable process_vm_readv/writev syscalls: Y, STD
- uselib syscall: N, OLD
- Auditing support: Y, REC, see auditd
- Enable system-call auditing support: Y, REC, RM
- IRQ subsystem: no suboptions, DEV
- Timers subsystem:
- Timer tick handling: 'Idle dynticks system', you won't have a use case for 'Full dynticks system', don't choose 'Periodic timer ticks'
- Force context tracking: N, DEV
- Force user context tracking: N, DEV
- Old Idle dynticks config: Y, COMPAT
- High Resolution Timer Support: Y, STD
- Clocksource watchdog maximum allowable skew (in us): 100
- BPF subsystem:
- Enable bpf() system call: Y, SEC, STD
- Enable BPF Just In Time compiler (BPF_JIT): Y
- Permanently enable BPF JIT and remove BPF interpreter (BPF_JIT_ALWAYS_ON): N
- Disable unprivileged BPF by default: N, SEC
- Preload BPF file system with kernel specific program and map iterators: N, DEV
- Preemption Model: 'Preemptible Kernel (Low-Latency Desktop)' gives best results
- Preemption behaviour defined on boot: N
- Core Scheduling for SMT: Y, STD
- CPU/Task time and stats accounting:
- Cputime accounting: 'Simple tick based cputime accounting'
- Fine granularity task level IRQ time accounting: N, DEV
- BSD Process Accounting: Y, for atop
- BSD Process Accounting version 3 file format: Y
- Export task/process statistics through netlink: Y, for KVM and latencytop
- Enable per-task delay accounting: Y, for latencytop
- Enable extended accounting over taskstats: Y, for latencytop
- Enable per-task storage I/O accounting: Y, for iotop
- Pressure stall information tracking: Y, atop can use it
- Require boot parameter to enable pressure stall information tracking: N, enables it by default
- CPU isolation: N, EMB, BIG
- RCU Subsystem:
- Make expert-level adjustments to RCU configuration: N, DEV, BIG
- Tree-based hierarchical RCU fanout value: 64, default, BIG
- Tree-based hierarchical RCU leaf-level fanout value: 16, default, BIG
- Accelerate last non-dyntick-idle CPU's grace periods: N, EMB/BIG
- Offload RCU callback processing from boot-selected CPUs: N, BIG
- Kernel .config support: Y, useful
- Enable access to .config through /proc/config.gz: Y, useful
- Enable kernel headers through /sys/kernel/kheaders.tar.xz: N, not useful yet
- Kernel log buffer size: 17 or 18
- CPU kernel log buffer size contribution: 12
- Temporary per-CPU printk log buffer size: 12 or 13
- Printk indexing debugfs interface: N, DEV
- Scheduler features: no suboptions, DEV
- Memory placement aware NUMA scheduler: Y, STD, if lscpu lists >1 NUMA node
- Automatically enable NUMA aware memory/task placement: Y, STD
- Control Group support: Y, STD
- Memory controller: Y, STD
- Legacy cgroup v1 memory controller: Y for now
- IO controller: Y, STD
- CPU controller: Y, STD, but only enable Group scheduling for SCHED_OTHER
- Cpuset controller: only useful on NUMA machines
- Simple CPU accounting controller: Y, STD
- Support for eBPF programs attached to cgroups: Y, STD
- Misc resource controller: Y
- Favor dynamic modification latency reduction by default: N
- Namespaces support: Y for this and all its sub-options, STD, SEC, systemd, Docker as well as web browsers heavily rely on it
- Checkpoint/restore support: N, VHOST if you do live migration of VM. Upto kernel 5.11: Mesa with amdgpu uses the kcmp() syscall controlled by this config. Since kernel 5.12 kcmp() is available without this config.
- Automatic process group scheduling: N, OLD, today openrc or systemd take care of putting sessions into cgroups anyway. Y only if nobody puts your tasks into cgroups.
- Enable deprecated sysfs features: N, OLD
- Kernel->user space relay support: Y, STD
- Initial RAM filesystem and RAM disk: Y, STD, often used for booting
- Initramfs source file(s): only if you know what you are doing
- Support initial ramdisk/ramfs compressed using: gzip at least, others don't hurt, STD
- Boot config support: N, EMB, only if you tightly control your initrd
- Compiler optimization level: -O2, STD
- Configure standard kernel features: N, STD, EMB
- Enable userfaultfd() system call: N, SEC, VHOST for VM live migration
- Embedded system: N, EMB
- Kernel Performance Events And Counters: N to sub-options
- Disable heap randomization: N, SEC
- Choose SLAB allocator: SLUB, STD
- Allow slab caches to be merged: Y, if security is utmost important say N, SEC
- Randomize slab freelist : Y, SEC
- Harden slab freelist metadata: Y, SEC
- Support allocation from separate kmalloc buckets: Y, SEC
- Page allocator randomization: Y, SEC
- SLUB per cpu partial cache: Y, we have multicore CPUs
- Randomize slab caches for normal kmalloc: N, SEC
- Profiling support: N, DEV
64-bit Kernel
Y, STDProcessor type and features
- Symmetric multi-processing support: Y, all modern CPUs are SMP
- Support x2apic: Y, STD
- Enable MSI and MSI-x delivery by posted interrupts (X86_POSTED_MSI): N, benefits on machines with high I/O to network or disk
- Enable MPS table: N, OLD
- Avoid speculative indirect branches in kernel: Y, SEC
- x86 CPU resource control support: N, VHOST
- Flexible Return and Event Delivery: N, Y in the future
- Support for extended (non-PC) x86 platforms: N, BIG/EMB
- Intel Low Power Subsystem Support: Y, if you have Haswell or later CPU on laptops
- AMD ACPI2Platform devices support: N
- Single-depth WCHAN output: Y, faster
- Linux guest support: Y if VGUEST
- Enable paravirtualization code: Y
- paravirt-ops debugging: N, DEV
- Paravirtualization layer for spinlocks: Y for KVM, XEN
- Xen guest support: Y for XEN
- KVM Guest support: Y for KVM
- Enable debug information for KVM Guests: N, DEV
- Paravirtual steal time accounting: Y
- Processor family: 'Core 2/newer Xeon', if unsure use 'Generic-x86-64'
- Old AMD GART IOMMU support: N, OLD
- Enable Maximum number of SMP Processors and NUMA Nodes: N, DEV
- Maximum number of CPUs: 16 or the real number of sockets * cores * threads
- Cluster scheduler support: Y, STD
- Multi-core scheduler support (NEW): Y, all modern CPUs are multicore
- CPU core priorities scheduler support: Y
- Reroute for broken boot IRQs: N, OLD
- Machine Check / overheating reporting: Y, REC, install mcelog
- Support for deprecated /dev/mcelog character device: Y, COMPAT
- Intel MCE features (NEW): Y for Intel CPU
- AMD MCE features (NEW): Y for AMD CPU
- Machine check injector support: N, DEV
- Performance monitoring:
- Intel uncore: Y for Intel CPU
- Intel raps: Y for Intel CPU
- AMD: Y for AMD CPU
- IOPERM and IOPL Emulation: Y, SEC
- Dell i8k legacy laptop support: N, OLD, for Dell Inspirion 8000 laptops only
- CPU microcode loading support: Y, REC, install initrd with microcode
- Intel microcode loading support: Y for Intel CPU
- AMD microcode loading support: Y for AMD CPU
- Ancient loading interface (DEPRECATED): N, OLD
- dev/cpu/*/msr: Y, STD
- /dev/cpu/*/cpuid: Y, STD
- Enable 5-level page tables support: N, BIG
- Enable statistic for Change Page Attribute: N, DEV
- AMD Secure Memory Encryption (SME) support: Y for AMD system
- Numa Memory Allocation and Scheduler Support: Y for multi-socket CPU
- Support non-standard NVDIMMs and ADR protected memory: N
- Old style AMD Opteron NUMA detection: N, OLD
- ACPI NUMA detection: Y, STD
- NUMA emulation: N, DEV
- Maximum NUMA Nodes (as a power of 2): 6, check output of lscpu
- Enable sysfs memory/probe interface: N, DEV
- Support non-standard NVDIMMs and ADR protected memory: N
- Enable to assign a node which has only movable memory: N, Y only for VGUEST, BIG
- Check for low memory corruption: N
- Indirect Branch Tracking: N, SEC
- Amount of low memory, in kilobytes, to reserve for the BIOS: 64, STD
- MTRR (Memory Type Range Register) support: Y, STD
- MTRR cleanup support: Y, STD, N for headless servers
- Intel MPX: N, OLD
- Intel Memory Protection Keys: Y, REC
- TSX enable mode: auto, SEC
- Software Guard eXtensions (SGX): N, Y if you have a real use for it, but actual security of that feature is disputed
- X86 userspace shadow stack: Y, SEC
- Enforce strict size checking for sigaltstack: N, DEV
- Intel Trust Domain Extensions (TDX) host support: N
- EFI runtime service support: Y, STD
- EFI stub support: only if you boot the kernel directly as an EFI binary and not with grub
- EFI mixed-mode support: N, only relvant on old Apple hardware
- Timer frequency: 100HZ for servers, 300HZ for desktops, 1000HZ for low-latency requirements
- kexec system call: N, DEV, SEC, only if you compile a crash-kernel too
- kexec file based system call: N, DEV, SEC, only if you compile a crash-kernel too
- Verify kernel signature during kexec_file_load() syscall: Y, SEC, if Y above
- kernel crash dumps: N, DEV, only if you compile a crash-kernel too
- Update the crash elfcorehdr on system configuration changes: Y
- Build a relocatable kernel: Y, SEC, necessary for KASLR
- Randomize the address of the kernel image: Y, SEC, this is the KASLR
- Alignment value to which kernel should be aligned: (0x1000000), don't change!
- Randomize the kernel memory sections: Y, SEC
- Linear Address Masking support: N
- Set default setting of cpu0_hotpluggable: N
- Debug CPU0 hotplug: N, DEV
- Disable the 32-bit vDSO: N, OLD. Breaks Chrome!
- vsyscall table for legacy applications: none, SEC
- Built-in kernel command line: N, Y if using an EFI Stub (see above)
- Enforce strict size checking for sigaltstack: N, DEV
Mitigations for CPU vulnerabilities
Every Y tick here costs performance on vulnerable processors.Power management and ACPI options
- Suspend to RAM and standby: Y, N for servers
- Hibernation (aka 'suspend to disk'): Y if you want, N for servers and more SEC
- Default resume partition: if you are building for a specific machine and don't want or can't specify it on the kernel command line
- Opportunistic sleep: N, EMB for Android
- Userspace opportunistic sleep: N, EMB for Android
- User space wakeup sources interface: N, EMB for Android
- Device power management core functionality: Y, STD
- Power Management Debug Support: N, DEV
- Enable workqueue power-efficient mode by default: N
- Energy Model for CPUs: N
- ACPI: Y, STD
- ACPI Serial Port Console Redirection Support: N, DEV
- ACPI Firmware Performance Data Table (FPDT) support: Y, STD
- Deprecated power /proc/acpi directories: Y, COMPAT
- AC Adapter: Y
- Battery: Y
- Button: Y
- Video: Y
- Fan: Y
- ACPI Time and Alarm (TAD) Device Support: Y
- Dock: Y for laptops
- Processor: Y
- Processor Aggregator: Y
- Thermal Zone: Y
- Allow upgrading ACPI tables via initrd: N, DEV
- PCI slot detection driver: N, DEV
- Container and Module Devices: Y
- Smart Battery System: Y for laptops
- Hardware Error Device: Y
- Allow ACPI methods to be inserted/replaced at run time: N, SEC
- ACPI NVDIMM Firmware Interface Table (NFIT): N
- ACPI Platform Error Interface (APEI): Y
- APEI Generic Hardware Error Source: Y
- APEI PCIe AER logging/recovering support: Y
- Intel DPTF (Dynamic Platform and Thermal Framework) Support: Y
- DPTF Platform Power Participant: Y
- PCH FIVR DPTF Participant: Y
- Extended Error Log support: Y
- PMIC (Power Management Integrated Circuit) operation region support: N, EMB
- ACPI configfs support: N
- ACPI Platform Firmware Runtime Update and Telemetry: N
- ACPI PCC Address Space: Y, STD, for UEFI
- Platform Runtime Mechanism Support: Y
- SFI: N, EMB
- CPU Frequency scaling: Y, REC
- CPU frequency translation statistics: Y for powertop
- CPU frequency translation statistics details: Y for powertop
- Default CPUFreq governor: ondemand
- all other governors: Y
- x86 CPU frequency scaling drivers:
- Intel P state control: Y, STD, for Intel this is the latest technology
- Processor Clocking Control interface driver: N, OLD
- AMD Processor P-State driver: Y, STD, for AMD
- AMD Processor P-State default mode: 3
- ACPI Processor P-States driver: Y, STD
- Legacy cpb sysfs knob support for AMD CPUs: Y, COMPAT
- AMD Opteron/Athlon64 PowerNow!: N, OLD
- AMD frequency sensitivity feedback powersave bias: Y for AMD CPU
- Intel Enhanced SpeedStep (deprecated): N, OLD, really no!
- Intel Pentium 4 clock modulation: N, OLD, really no!
- CPU Idle:
- CPU idle PM support: Y, REC
- Ladder governor: N, AUTO
- Menu governor: Y, AUTO
- Cpuidle Driver for Intel Processors: Y, REC, for Intel CPU
Bus options (PCI etc.)
- Support mmconfig PCI config space access: Y, STD
Binary Emulations
- IA32 Emulation: Y, STD, to run 32bit binaries or Wine
- IA32 emulation disabled by default: N, STD
- x32 ABI for 64-bit mode: N, deprecated, exotic
Virtualization
Y if you intend to run virtual machines on this computer (VHOST).- Kernel-based Virtual Machine (KVM) support: Y if you use KVM to run your VMs (qemu with -enable-kvm)
- KVM for Intel processors support: Y for Intel CPU
- KVM for AMD processors support: Y for AMD CPU
- System Management Mode emulation: Y
- Support for Microsoft Hyper-V emulation: N
- Support for Xen hypercall interface: Y for Xen
- Maximum number of vCPUs per KVM guest: 1024
- Audit KVM MMU: N, DEV
- VM legacy PCI device assignment support: Y
- Host kernel accelerator for virtio net: Y, STD, improves performance of guest OS
General architecture-dependent options
- Kprobes (KPROBES): N, DEV, unless you play with perf
- Optimize very unlikely/likely branches: Y, REC, why not
- Static call selftest: N, DEV
- Enable seccomp to safely execute untrusted bytecode: Y
- Show seccomp filter cache status in /proc/pid/seccomp_cache: N, DEV
- Stack Protector buffer overflow detection: Y, SEC
- Strong Stack Protector: Y, SEC
- Link Time Optimization (LTO): none
- Provide system calls for 32-bit time_t: Y, STD, COMPAT
- Use a virtually-mapped stack: Y, SEC
- Support for randomizing kernel stack offset on syscall entry: Y, SEC
- Default state of kernel stack offset randomization: Y, SEC
- Locking event counts collection: N
- GCOV-based kernel profiling: N, DEV
- GCC plugins: Y, SEC
- Randomize layout of sensitive kernel structures: Y, SEC
- Use cacheline-aware structure randomization: Y for performance
Enable loadable module support: N, SEC
Modules are a potential security problem. If you can, disable them and compile-in what you need.- Forced module loading: N, never used it
- Module unloading: Y, STD
- Forced module unloading: N, DEV
- Module versioning support: N, for people with binary modules
- Source checksum for all modules: N, DEV
- Module signature verification: N, SEC, unless you know exactly how module signing works and are setting userspace up correctly
Enable the block layer: Y, STD, otherwise you get not disks
- Legacy autoloading support: N, OLD
- Block layer SG support v4: Y, STD, Hard drives are accessed via the block layer. You need it.
- Block layer SG support v4 helper lib: N, AUTO
- Block layer data integrity support: Y, why not
- Allow writing to mounted block devices: Y, STD
- Block layer bio throttling support: N, VHOST
- Block device command line partition parser: N, EMB
- Enable support for block device writeback throttling: Y
- Enable support for latency based cgroup IO protection: N, VHOST
- Enable support for cost model based cgroup IO controller: N, VHOST
- Cgroup I/O controller for assigning an I/O priority class: N, VHOST
- Multiqueue writeback throttling: Y
- Block device command line partition parser: N, EMB
- Partition Types: 'PC BIOS', 'Macintosh', 'Windows Logical Disk Manager ' and 'EFI GUID' are the only relevant options today
IO Schedulers
- MQ deadline I/O scheduler: Y if not using cgroups
- Kyber: N
- BFQ: Y
- BFQ hierarchical scheduling support: Y, if using cgroups
Executable file formats / Emulations
- Kernel support for ELF binaries: Y, AUTO, this is an option from stoneage
- Write ELF core dumps with partial segments: Y, REC
- Kernel support for scripts starting with #!: Y, STD, vital for booting
- Kernel support for MISC binaries: N, SEC, Y if you know how to configure and use it
Memory Management options
- Memory model: 'Sparse Memory'
- Sparse Memory virtual memmap: Y, STD
- Allow for memory hot-add: Y for VGUEST
- Allow for memory compaction: Y, STD
- Free page reporting: N, Y for VGUEST
- Page migration: Y, AUTO
- Maximum scale factor of PCP (Per-CPU pageset) batch allocate/free: 5
- Enable bounce buffers: Y, EMB
- Enable KSM for page merging: Y for VHOST and configure via sysfs
- Low address space to protect from user allocation: 65536, SEC
- Enable recovery from hardware memory errors: Y for servers with ECC RAM
- Transparent Hugepage Support: Y, especially with a lot of RAM
- Transparent Hugepage Support sysfs defaults: 'always'
- Enable cleancache driver to cache clean pages if tmem is present: N, OLD, RM
- Enable frontswap to cache swap pages if tmem is present: N, OLD, RM
- Contiguous Memory Allocator: N
- Compressed cache for swap pages: N, Y maybe for VHOST
- Memory allocator for compressed pages: N, Y maybe for VHOST
- Defer initialisation of struct pages to kthreads: N
- Enable idle page tracking: N
- Collect percpu memory statistics: N
- Enable infrastructure for get_user_pages()-related unit tests: N, DEV
- Enable a module to run time tests on dma_pool: N, DEV
- Read-only THP for filesystems: N
- Anonymous VMA name support: N, SEC
Data Access Monitoring
DAMON: Data Access Monitoring Framework (DAMON): NNetworking support
Networking options
- Packet socket: Y, STD, used by tcpdump/Wireshark
- Packet: sockets monitoring interface: Y, STD, used by ss
- Unix domain sockets: Y, STD
- UNIX: socket monitoring interface: Y, STD, used by ss
- Transformation user configuration interface: Y, STD, this is XFRM the IPSec VPN interface
- Compatible ABI support: Y only if you have and use old IPSec software
- Transformation sub policy support: N, DEV
- Transformation migrate database: N, Y if you use Mobile IPv6
- Transformation statistics: N, DEV
- PF_KEY sockets: Y if you use IPSec
- PF_KEY MIGRATE: Y if you use Mobile IPv6
- TCP/IP networking: Y, STD
- IP: multicasting: N
- IP: advanced router: N, Y for routers, read help
- IP: kernel level autoconfiguration: N, Y if booting from the network via PXE
- IP: tunneling: N
- IP: GRE demultiplexer: N
- IP: TCP syncookie support: Y, SEC
- IP: AH transformation: Y for IPSec, even though ESP is normally used
- IP: ESP transformation: Y for IPSec
- IP: IPComp transformation: Y for IPSec
- IP: IPsec transport mode: Y for IPSec, even though tunnel mode is normally used
- IP: IPsec tunnel mode: Y for IPSec
- IP: IPsec BEET mode: N, never seen it
- Large Receive Offload (ipv4/tcp): Y
- INET: socket monitoring interface: Y, STD, used by ss
- UDP: socket monitoring interface: Y, STD, used by ss
- TCP: advanced congestion control: N, STD
- TCP: Authentication Option (RFC5925): N
- TCP: MD5 Signature Option support: N, for BGP routers only
- The IPv6 protocol: Y, becoming mainstream
- IPv6: Router Preference (RFC 4191) support: N
- IPv6: Enable RFC 4429 Optimistic DAD: N
- IPv6: AH transformation: Y for IPSec, even though ESP is normally used
- IPv6: ESP transformation: Y for IPSec
- IPv6: IPComp transformation: Y for IPSec
- IPv6: Mobility: N
- IPv6: IPsec transport mode: Y for IPSec, even though tunnel mode is normally used
- IPv6: IPsec tunnel mode: Y for IPSec
- IPv6: IPsec BEET mode: N, never seen it
- IPv6: MIPv6 route optimization mode: N
- Virtual (secure) IPv6: tunneling: N
- IPv6: IPv6-in-IPv4 tunnel: Y
- IPv6: IPv6 Rapid Deployment: Y
- IPv6: IP-in-IPv6 tunnel: N
- IPv6: GRE tunnel: N
- IPv6: Multiple Routing Tables: N
- IPv6: multicast routing: N
- NetLabel subsystem support: N
- Security Marking: Y, AUTO
- Timestamping in PHY devices: N
- Network packet filtering framework: Y, STD, SEC, used by iptables, this is your firewall!
- Network packet filtering debugging: N, DEV
- Advanced netfilter configuration: Y
- Core Netfilter Configuration: you can say Y to all options
- IP set support: N
- IP virtual server support: N
- IP: Netfilter Configuration: you can say Y to all options
- IPv6: Netfilter Configuration: you can say Y to all options
- The DCCP Protocol: N
- The SCTP Protocol: N sadly, used by Telcos mostly
- The RDS Protocol: N
- The TIPC Protocol: N
- Asynchronous Transfer Mode: N, used by DSL modems
- Layer Two Tunneling Protocol (L2TP): Y if using VPN
- 802.1d Ethernet Bridging: N, Y for VHOST
- 802.1Q/802.1ad VLAN Support: Y
- GVRP: Y
- MVRP: Y
- DECnet Support: N, OLD
- ANSI/IEEE 802.2 LLC type 2 Support: N
- The IPX protocol: N, OLD
- Appletalk protocol support: N, OLD
- CCITT X.25 Packet Layer: N
- LAPB Data Link Driver: N
- Phonet protocols family: N
- IEEE Std 802.15.4: N
- QoS and/or fair queueing: Y
- Class Based Queueing (CBQ): Y
- Controlled Delay AQM: Y
- Fair Queue Controlled Delay AQM: Y and set your default q_disc = fq_codel
- others for routers and if you know a lot about traffic shaping
- Data Center Bridging support: N
- B.A.T.M.A.N.: N, *sigh*
- Open vSwitch: N unless you do "software defined networking"
- Virtual Socket protocol: N, Y maybe for VHOST/VGUEST
- NETLINK: mmaped IO: Y
- NETLINK: socket monitoring interface: Y, STD, used by ss
- MPLS GSO: N
- High-availability Seamless Redundancy: N
- Use percpu variables to maintain network device refcount: Y
- Maximum number of fragments per skb_shared_info: 17
- Network priority cgroup: N, Y maybe for VHOST
- Network classid cgroup: N
- enable BPF Just In Time compiler: Y
other
- Amateur Radio support: N, unless you are a radio freak
- CAN bus subsystem support: N, CAN is used in vehicles
- IrDA (infrared) subsystem support: N, OLD, Bluetooth killed IR
- Bluetooth subsystem support: Y, N for servers
- Bluetooth 6LoWPAN support: Y if you are tethering your phone
- RFCOMM protocol support: Y for BT networking
- RFCOMM TTY support: N, ???
- BNEP protocol support: N, ???
- HIDP protocol support: Y for BT mouse/keyboards
- Bluetooth device drivers:
- HCI USB driver: Y, STD, most BT devices are attached via USB (even internally)
- Y to others if you have that HW
- Intel HCI PCIe driver (BT_INTEL_PCIE): Y
- RxRPC session sockets: N, unless you are using the AFS network filesystem
- Wireless: Y, N for servers
- cfg80211: Y, STD, the iw utility uses it
- nl80211 testmode command: N, DEV
- enable developer warnings: N, DEV
- cfg80211 regulatory debugging: N, DEV
- enable powersave by default: Y, STD
- cfg80211 DebugFS entries: N, DEV
- cfg80211 wireless extensions compatibility: Y, STD, makes iwconfig utility work
- Generic IEEE 802.11 Networking Stack: Y, STD
- Default rate control algorithm: 'Minstrel', STD, others may be buggy
- Enable mac80211 mesh networking (pre-802.11s) support: N, OLD
- Enable LED triggers: Y for laptops
- Export mac80211 internals in DebugFS: N, DEV
- Trace all mac80211 debug messages: N, DEV
- Select mac80211 debugging features: N, DEV
- WiMAX Wireless Broadband support: N, OLD, WiMAX only exists in some regions, superseded by LTE
- RF switch subsystem support: Y for laptops
- Plan 9 Resource Sharing Support: N, maybe for VHOST/VGUEST
- CAIF support: N
- Ceph core library: N
- NFC subsystem support: N
- Generic failover module: N, only for VHOST with NIC VF directly attched to VM
- Netlink interface for ethtool: Y
Device Drivers
- EISA support: N, OLD
- PCI support: Y, STD
- PCI support: Y, STD, it's everywhere
- PCI Express Port Bus support: Y, STD, PCIe everywhere
- PCI Express Advanced Error Reporting support: Y
- PCI Express error injector support: N, DEV
- PCI Express ECRC settings control: N
- PCI Express ASPM control: Y, power management
- Default ASPM policy: 'BIOS default', don't change
- PCI Express Downstream Port Containment support: N
- PCI Express Precision Time Measurement support: N
- PCI Express Bandwidth Change Notification: N
- Message Signaled Interrupts: Y, REC (but beware of broken devices)
- PCI Debugging: N, DEV
- PCI Stub driver: N, VHOST special purpose
- PCI IOV support: N, VHOST with special NICs only
- Native PCIe Enclosure Management (PCI_NPEM): Y
- PCI PRI support: Y, AUTO
- PCI PASID support: Y, AUTO
- Support for PCI Hotplug: Y, especially for laptops with express card slots
- ACPI PCI Hotplug driver: Y, STD
- ACPI PCI Hotplug driver IBM extensions: Y for IBM servers
- CompactPCI Hotplug driver: N, OLD
- SHPC PCI Hotplug driver: Y
- PCI host controller drivers: -
- PCI Endpoint: -
- PCI switch controller drivers: -
- PCCard (PCMCIA/CardBus) support: N, OLD, today laptops use express cards
- RapidIO support: N, only on special server HW
- Generic Driver Options:
- Support for uevent helper: N, OLD, modern udev/systemd systems use netlink
- Maintain a devtmpfs filesystem to mount at /dev: Y, STD, required for booting with udev
- Use nosuid,noexec mount options on devtmpfs: N, SEC
- Automount devtmpfs at /dev, after the kernel mounted the rootfs: Y, STD, required for booting with udev
- Select only drivers that don't need compile-time external firmware: Y, DEV
- Disable drivers features which enable custom firmware building: Y, install linux-firmware package instead
- Driver Core verbose debug messages: N
- Managed device resources verbose debug messages: N
- Test driver remove calls during probe: N
- Enable verbose DMA_FENCE_TRACE messages: N
- sync_state() behavior defaults to timeout instead of strict: N
- Firmware loader:
- Build named firmware blobs into the kernel binary: N, build firmware into initrd
- Enable the firmware sysfs fallback mechanism: N, OLD
- Enable compressed firmware support: Y
- Enable firmware caching during suspend: Y
- Driver Core verbose debug messages: N, DEV
- Managed device resources verbose debug messages: N, DEV
- Bus devices: -
- Connector: Y, AUTO, if you use MD/DM (LVM, software RAID)
- Firmware Drivers:
- BIOS Enhanced Disk Drive calls determine boot disk: N
- Export DMI identification via sysfs to userspace: Y, STD
- DMI table support in sysfs: Y
- QEMU fw_cfg device support in sysfs: N, VGUEST
- Mark VGA/VBE/EFI FB as generic system framebuffer: Y, simplefb is the future, see Graphic drivers below
- Disable EFI runtime services support by default: N
- EFI (Extensible Firmware Interface) Support:
- EFI Variable Support via sysfs: N, OLD
- Export efi runtime maps to sysfs: N, DEV
- Enable EFI fake memory map: N, EMB
- EFI Bootloader Control: Y if you do multiboot
- EFI capsule loader: N
- EFI Runtime Service Tests Support: N, DEV
- Apple Device Properties: Y on Mac
- Reset memory attack mitigation: N, SEC
- EFI Runtime Configuration Interface Table Version 2 Support: Y on Dell EMC PowerEdge
- Clear Busmaster bit on PCI bridges during ExitBootServices(): N, SEC
- GNSS receiver support: N
- Memory Technology Device: N, EMB, NAND/NOR/Flash chips
- Device Tree and Open Firmware support: N, EMB
- Parallel port support: N, OLD, dead. But then, I still have a printer with a parallel port...
- Plug and Play support: Y, STD, every x86 system has such devices
- PNP debugging message: N, DEV
- Block devices: Y, STD, you need disks
- Null test block driver: N, DEV, the name says it all
- Normal floppy disk support: N, OLD, even if you have a driver you won't find a floppy disk anymore
- Block Device Driver for Micron PCIe SSDs: Y only if you have such an SSD
- Compressed RAM block device support (ZRAM): N
- Micro Memory MM5415: N
- Loopback device support: Y, STD, needed for mounting iso images
- Number of loop devices: 8
- Cryptoloop Support: N, OLD, disk encryption is done with DM these days
- DRBD: N
- Network block device support: N, OLD, today we have iSCSI, FCoE
- RAM block device support: N, OLD, use tmpfs instead
- Packet writing on CD/DVD media: Y, if you have a CD/DVD writer
- ATA over Ethernet support: N, OLD, superseded by iSCSI
- Rados block device (RBD): N, for Ceph
- Userspace block driver: N
- check lspci for other devices
- NVME Support: Y, STD
- NVM Express block device: Y
- NVMe multipath support: N
- NVMe verbose error reporting: N
- NVMe hardware monitoring: Y
- NVM Express over Fabrics FC host driver: N
- NVM Express over Fabrics TCP host driver: N
- NVMe over Fabrics In-Band Authentication in host side: N
- NVMe Target support: N
- Misc devices:
- Dummy IRQ handler: N, DEV
- Enclosure Services: Y for server hardware
- VMware Balloon Driver: Y for VGUEST
- Generic on-chip SRAM driver: N, EMB
- EEPROM support: Y to 'I2C EEPROMs / RAMs / ROMs from most vendors' and 'SPD on DDR4', N to others
- Intel Management Engine Interface: Y
- ME Enabled Intel Chipsets: Y
- Intel Trusted Execution Environment with ME Interface: Y
- Intel HDCP2.2 services of ME Interface: Y
- Intel PXP services of ME Interface: Y
- Intel GSC Proxy services of ME Interface: Y
- VMware VMCI Driver: Y for VGUEST
- Intel MIC: N everywhere
- ATA/ATAPI/MFM/RLL support: N, OLD, today we have SATA
- SCSI device support: also for non-SCSI systems!
- RAID Transport Class: N
- SCSI device support: Y
- SCSI target support: N, it's for building storage systems
- legacy /proc/scsi/ support: Y, COMPAT
- SCSI disk support: Y, STD, also SATA disks use this
- SCSI tape support: Y only if you have a tape drive
- SCSI CDROM support: Y only if you have a CD/DVD drive
- Enable vendor-specific extensions: N, OLD
- SCSI generic support: Y
- SCSI media changer support: N probably you don't have such a beast
- Verbose SCSI error reporting: Y
- SCSI logging facility: N, DEV
- Asynchronous SCSI scanning: Y
- SCSI Transports:
- Parallel SCSI (SPI) Transport Attributes: Y for VGUEST, SPI in real hardware is uncommon
- FiberChannel Transport Attributes: Y if you plan to use FCoE or have FC hardware (servers)
- iSCSI Transport Attributes: Y if you plan to use iSCSI
- SAS Transport Attribute: Y for servers
- SAS Domain Transport Attributes: Y for servers
- SRP Transport Attributes: N
- SCSI low-level drivers: Y, check lspci for your hardware
- Adaptec AACRAID support: a common card
- LSI Logic MegaRAID SAS RAID Module: common in IBM servers
- LSI MPT Fusion SAS 2.0 Device Driver: common in IBM servers
- Microchip PQI Driver: common in HPE servers (SmartPQI)
- VMware PVSCSI driver support: Y for VGUEST
- IBM ServeRAID support: common in IBM servers (and horribly picky about disks)
- SCSI Device Handlers: N
- Serial ATA and Parallel ATA: Y
- Verbose ATA error reporting: Y
- ATA ACPI Support: Y
- SATA Zero Power Optical Disc Drive (ZPODD) support: Y
- SATA Port Multiplier support: N
- AHCI SATA support: Y, most adapters use this mode today (check BIOS settings!)
- Platform AHCI SATA support: Y? might be EMB
- ATA SFF support: Y if you don't have AHCI
- ATA BMDMA support: Y
- Intel ESB, ICH, PIIX3, PIIX4 PATA/SATA: Y for Intel chipsets, see help/lspci
- Generic ATA support: N, OLD, may interfere with modern hardware
- use lspci to find the option for your hardware!
- Multiple devices driver support: Y for software RAID or LVM
- Generic Target Core Mod: N
- Fusion MPT device support: Y for server hardware (check lspci | grep MPT)
- Fusion MPT ScsiHost drivers for SAS: Y, probably you have and LSI SAS and not FC/SPI
- IEEE 1394: OLD, Y only if your laptop still has a Firewire port
- FireWire driver stack: Y
- OHCI-1394 controllers: Y
- Storage devices (SBP-2 protocol): Y if you have a Firewire disk/iPOD
- IP networking over 1394: Y if you have a Firewire network card
- Nosy: N
- Macintosh device drivers: N, even if it's a Mac
- Network device support: Y, STD, no Internet without that...
- Network core driver support (NET_CORE): Y, STD
- Bonding driver support (BONDING): N
- Dummy net driver support (DUMMY): N
- WireGuard secure network tunnel (WIREGUARD): Y, if you use VPN
- EQL (serial line load balancing) support (EQUALIZER): N
- Fibre Channel driver support (NET_FC): N
- MAC-VLAN support (MACVLAN): Y for VHOST
- IP-VLAN support (IPVLAN): Y for VHOST
- Virtual eXtensible Local Area Network (VXLAN) (VXLAN): Y for VHOST
- Generic Network Virtualization Encapsulation (GENEVE): N
- Bare UDP Encapsulation (BAREUDP): N
- GPRS Tunneling Protocol datapath (GTP-U) (GTP): N
- Packet Forwarding Control Protocol (PFCP): N
- Automatic Multicast Tunneling (AMT) (AMT): N
- IEEE 802.1AE MAC-level encryption (MACsec) (MACSEC): N
- Network console logging support (NETCONSOLE): N, DEV
- Universal TUN/TAP device driver support: Y for VHOST
- Virtual ethernet pair device: Y if you run Docker
- Virtio network driver: Y for VGUEST (first enable VIRTIO)
- Ethernet driver support: Y and check lspci for your hardware
- FDDI driver: N
- MDIO bus device drivers: Y
- PHY Device support and infrastructure: Y
- PPP: Y only if you directly attach to modems, or for some VPNs
- SLIP: N
- USB Network Adapters: enable according to your hardware (iPhone!)
- Wireless LAN: Y, N only for servers
- Atheros Wireless Cards: common in laptops
- Intel Wireless WiFi Next Gen AGN: common in laptops
- Intel Management Engine communication over WLAN: N
- Wan interfaces support: N
- VMware VMXNET3 ethernet driver: Y for VGUEST
- Simulated networking device: N
- Failover driver: N
- ISDN support: N
- Open-Channel SSD target support: N
- Input device support
- Generic input layer: Y, STD
- Support for memoryless force-feedback devices: Y if you are a gamer, N normally
- Polled input device skeleton: Y, AUTO
- Sparse keymap support library: Y, AUTO
- Matrix keymap support library: N, AUTO
- Mouse interface: Y, STD
- Provide legacy /dev/psaux device: Y, STD, COMPAT
- Joystick interface: N normally
- Event interface: Y, STD, used by Xorg (evdev)
- Event debugging: N, DEV
- Keyboards: Y, STD, and say Y to 'AT Keyboard'
- Mice: Y, STD
- PS/2 mouse: Y, STD
- Elantech: Y if you have a touchpad
- Sentelic: Y if you have such a touchpad
- eGalax: Y if you have such a touchpad
- Serial mouse: N, OLD
- ELAN I2C Touchpad support: Y, STD, also suboptions
- Synaptics USB: Y for most touchpads
- RMI4 SMB Support: Y, STD
- RMI4 Function 03 (PS2 Guest): Y, STD
- RMI4 Function 11 (2D pointing): Y, STD
- RMI4 Function 12 (2D pointing): Y, STD
- RMI4 Function 54 (Analog diagnostics): Y
- RMI4 Function 55 (Sensor tuning): Y
- others depending on your hardware, see lsusb
- Miscellaneous devices: Y, STD
- PC Speaker support: Y if you really want that old speaker to make a beep, OLD
- User level driver support: Y for some bluetooth headsets, STD
- Synaptics RMI4 bus support: Y for touchpads
- others depending on your hardware
- Character devices:
- Virtual terminal: Y, STD
- Support for binding and unbinding console drivers: Y, STD
- Legacy (BSD) PTY support: N, SEC, OLD
- Automatically load TTY Line Disciplines: Y
- Serial drivers: TODO...
- Non-standard serial port support: N
- NULL TTY driver: N
- Serial device bus: N
- Virtio console: N, VGUEST
- IPMI top-level message handler: Y on server hardware
- Virtio console: N, VGUEST, VHOST unless you use hvc console
- Hardware Random Number Generator Core support: Y, STD
- Timer IOMEM HW Random Number Generator support: Y
- Intel HW Random Number Generator support: Y for Intel chipsets
- AMD HW Random Number Generator support: Y for AMD chipsets
- VIA HW Random Number Generator support: Y for VIA chipsets
- /dev/mem virtual device support: N, SEC, EMB
- /dev/kmem virtual device support: N, DEV, SEC
- /dev/nvram support: Y, SEC
- RAW driver: N
- HPET - High Precision Event Timer: Y, STD
- Allow mmap of HPET: Y
- Enable HPET MMAP access by default: Y
- Hangcheck timer: Y
- TPM Hardware Support (TCG_TPM): Y
- Use HMAC and encrypted transactions on the TPM bus (TCG_TPM2_HMAC): Y, STD
- TPM HW Random Number Generator support: Y
- /dev/port character device: N, SEC
- others depending on your Hardware
- Trust the CPU manufacturer to initialize Linux's CRNG: Y
- Trust the bootloader to initialize Linux's CRNG: Y
- I2C support:
- ACPI I2C Operation region support: Y
- Enable compatibility bits for old user-space: N, OLD
- I2C device interface: Y, STD
- I2C bus multiplexing support: Y, AUTO
- Autoselect pertinent helper modules: Y
- I2C Hardware Bus support:
- Intel 82801: Y for Intel chipsets
- SMBus Control Method Interface: Y
- Virtio I2C Adapter: N, VGUEST
- others depending on your Hardware
- I2C slave support: N
- I2C Core debugging message: N, DEV
- I2C Algorithm debugging messages: N, DEV
- I2C Bus debugging messages: N, DEV
- I3C support: N
- SPI support: N, used for flash firmware updates of the PCH, but mostly dangerous
- SPMI support: N
- HSI support: N, EMB
- PPS support: N, AUTO
- PTP clock support: N
- Pin controllers: N
- GPIO Support: N, EMB
- Dallas's 1-wire support: N
- Adaptive Voltage Scaling class support: N, EMB
- Power supply class support: Y, AUTO, N to all sub-options
- Board level reset or power off: N, EMB
- Hardware Monitoring support: Y
- depends on your hardware: check sensors-detect
- Apple SMC: Y on Macs
- Intel Core/Core2/Atom temperature sensor: Y for Intel CPUs
- PMBus support: Y and 'Generic PMBus devices'
- Thermal Drivers: Y
- Thermal netlink management: Y, STD
- Thermal state transition statistics: N
- Thermal subsystem debug support: N
- Expose thermal sensors as hwmon device: Y
- Default Thermal governor: step_wise
- Intel thermal drivers:
- Intel PowerClamp idle injection driver: Y
- X86 package temperature thermal driver: Y
- ACPI INT340X thermal drivers: all
- Intel PCH Thermal Reporting Driver: Y
- Intel TCC offset cooling Driver: Y
- Thermal Management driver for Intel menlow platform: N
- Intel Hardware Feedback Interface: Y
- Watchdog Timer Support
- WatchDog Timer Driver Core: Y, AUTO
- Update boot-enabled watchdog until userspace takes over: Y
- Intel TCO Timer/Watchdog: Y, common
- Intel TCO Timer/Watchdog Specific Vendor Support: Y
- check hardware
- Sound card support: Y if not server
Advanced Linux Sound Architecture: Y- Enable OSS Emulation: N, OLD
- HR-Timer backend support: Y
- Dynamic device file minor numbers: Y
- Max number of sound cards: 32, STD
- Support old ALSA API: Y, OLD
- Sound Proc FS Support: Y
- Verbose procfs contents: Y
- Verbose printk: N, DEV
- Debug: N, DEV
- Validate input data to control API: Y,SEC
- Sequencer support: N unless you connect MIDI devices
- Generic sound devices: N
- PCI sound devices: Y
- HD-Audio:
- HD Audio PCI: Y
- Support initialization patch loading for HD-audio: Y
- select codecs as per hardware
- SPI sound devices: N
- USB sound devices: if you have
- ALSA for SoC audio support: Y on laptops
- Intel ASoC SST drivers: Y depending on Intel CPU
- Intel Machine drivers: Y depending on Intel CPU
- Sound Open Firmware Support: Y depending on Intel CPU
and Y to all sub options
- X86 sound devices: Y
- Multifunction device drivers:
- Intel ICH LPC: Y
- Intel Platform Monitoring Technology (PMT) support: Y
- Graphics Support
- /dev/agpgart (AGP Support): Y, STD
- VGA Arbitration: Y, STD
- Direct Rendering Manager (XFree86 4.1.0 and higher DRI support): Y, STD
- AMD GPU: Y if you have
- Nouveau (nVidia) cards: Y if you have
- Intel 8xx/9xx/G3x/G4x/HD Graphics: Y if you have
- Simple framebuffer driver: Y, STD
- QXL virtual GPU: VGUEST
- Enable legacy drivers: N
- VESA VGA graphics support: N
- EFI-based Framebuffer Support: Y, STD
- Simple framebuffer support: Y, STD
- rest: N
- Lowlevel LCD controls: Y on laptops
- Lowlevel Backlight controls: Y on laptops
- rest as needed
- Framebuffer Console support: Y, STD
- Enable legacy fbcon hardware acceleration code: N
- Compute Acceleration Framework: Y
- Intel VPU for Meteor Lake and newer: Y on Intel
- HID bus support: Y
- HID bus core support: Y
- Battery level reporting for HID devices: Y
- /dev/hidraw raw HID device support: Y
- User-space I/O driver support for HID subsystem: Y
- Generic HID driver: Y
- Special HID drivers: as needed
- USB HID support
- USB HID transport layer: Y
- PID device support: Y for force-feedback
- /dev/hiddev raw HID device support: Y
- I2C HID support: Y
- Intel ISH HID support: Y on Intel
- AMD SFH HID Support: Y on AMD
- Virtualization drivers: Y for VGUEST
- Virtual Machine Generation ID driver: Y for qemu on KVM
- Virtual Box Guest integration support: Y for VirtualBox
- Nitro Enclaves Support: Y for guests on AWS cloud
- EFI secret area securityfs support: Y
- Virtio drivers: Y for VGUEST on KVM
- VHOST drivers: Y for VHOST
- Microsoft Hyper-V guest support: Y for VGUESR on Hyper-V
- X86 Platform Specific Device Drivers: Y
- WMI: Y, STD
- Wireless hotkey button: Y for laptops
- Intel PMC Core driver: Y, STD
- Intel Platform Monitoring Technology (PMT) Telemetry driver: Y
- Intel Platform Monitoring Technology (PMT) Crashlog driver: Y
- Intel HID Event: Y
- Intel Virtual Button: Y
- Intel P-Unit IPC Driver: Y, STD
- Intel Turbo Boost Max Technology 3.0 enumeration driver: Y
- Intel Uncore frequency control driver: Y
- Intel Vendor Specific Extended Capabilities Driver: Y
- Intel Intelligent Power Sharing: Y
- PECI support: N
- IOMMU Hardware Support: Y
- Support for Intel IOMMU using DMA Remapping Devices: Y, STD
- Support for Shared Virtual Memory with Intel IOMMU: Y
- Enable Intel DMA Remapping Devices by default: N, VHOST for PCI passthrough VT-d
- Enable Intel IOMMU scalable mode by default: N
- Intel IOMMU performance events: Y
- Support for Interrupt Remapping: Y
- USB support:
- Support for Host-side USB: Y, STD
- PCI based USB host interface: Y, STD
- USB announce new devices: Y
- USB Monitor: Y
- xHCI HCD (USB 3.0) support: Y, STD
- EHCI HCD (USB 2.0) support: Y, STD
- Root Hub Transaction Translators: Y
- Improved Transaction Translator scheduling: Y
- OHCI HCD (USB 1.1) support: N, OLD
- UHCI HCD (most Intel and VIA) support: Y, STD
- USB Mass Storage support: Y
- TODO...
File systems
- Second extended fs support: N, ext2 is covered by ext4
- Ext3 journalling file system support: N, ext3 is covered by ext4
- The Extended 4 (ext4) filesystem: Y, use ext4 as your root file system. It's fast and very reliable.
- Use ext4 for ext2/ext3 file systems: Y, see above
- Ext4 POSIX Access Control Lists: N unless you are building a Samba file server. I find ACLs really complicated to maintain. Try and figure out what a certain user can do with a file, given its ACLs...
- Ext4 Security Labels: Y, STD, even if you are not using SELinux - some userspace tools rely on it
- EXT4 debugging support: N, DEV
- JBD2 (ext4) debugging support: N, DEV. ext4 is built on top of jbd2
- Reiserfs support: N, it's not a very good file system anyway
- JFS filesystem support: N
- XFS filesystem support: N unless you want to use it for your file server for which it should be very good
- GFS2 file system support: N
- Btrfs filesystem support: N, way to unreliable
- NILFS2 file system support: N, fast on SSD/Flash but unreliable
- Dnotify support: Y, STD
- Inotify support for userspace: Y, STD
- Filesystem wide access notification: Y, STD
- fanotify permissions checking: N unless you use an on-access anti-virus
- Quota support: N unless you want to limit space for users on a server
- Kernel automounter version 4 support: Y, systemd uses it
- FUSE (Filesystem in Userspace) support: Y, STD
- Character device in Userspace support: Y
- Virtio Filesystem: if qemu guests want to access host filesystem, VGUEST
- FUSE passthrough operations support: Y
- Caches: N unless you use NFS extensively
- CD-ROM/DVD Filesystems:
- ISO 9660 CDROM file system support: Y, STD, the most common CD-ROM format, also if you want to mount iso images
- Microsoft Joliet CDROM extensions: Y, STD, used not only by Windows
- Transparent decompression extension: Y, why not
- UDF file system support: Y, STD, used by DVDs
- DOS/FAT/NT Filesystems:
- MSDOS fs support: N, OLD
- VFAT (Windows-95) fs support: Y, STD, used by EFI and commonly by USB storage
- Default codepage for FAT: 437 for most people, other values for Russian, Asian people
- Default iocharset for FAT: iso8859-1 for most people
- NTFS file system support: N unless you want to access Windows system disks
- Pseudo filesystems:
- /proc file system support: Y, STD, I'm surprised this is still an option. Nothing works without proc
- /proc/kcore support: N, DEV, SEC
- Tmpfs virtual memory file system support: Y, STD, used for many things
- Tmpfs POSIX Access Control Lists: N, see comment on ACLs above
- Tmpfs extended attributes: Y, STD, nobody tests systems without this feature
- HugeTLB file system support: N, now irrelevant thanks to transparent huge pages (THP)
- Userspace-driven configuration filesystem: N unless you use a driver that you need to configure like this
- EFI Variable filesystem: Y, STD
- Miscellaneous filesystems: say Y to the Apple file systems if you have a Mac, iPOD or iPhone
- Network File Systems: Y
- NFS client support: Y, STD, sooner or later you will want to mount an NFS export
- NFS client support for NFS version 2: Y, STD, not dead at all
- NFS client support for NFS version 3: Y, STD
- NFS client support for the NFSv3 ACL protocol extension: N
- NFS client support for NFS version 4: Y, STD, already in use
- Provide swap over NFS support: N, OLD, was once used for diskless thin clients with little memory
- NFS client support for NFSv4.1: N
- Use the legacy NFS DNS resolver: N, OLD
- NFS server support: Y not only for servers, install nfs-utils
- NFS server support for NFS version 3: Y, STD
- NFS server support for the NFSv3: N
- NFS server support for NFS version 4: Y, STD
- Provide Security Label support for NFSv4 server: N
- NFS server manual fault injection: N, DEV
- RPC: Enable dprintk debugging: N, DEV
- Ceph distributed file system: N
- CIFS support: N unless you want to mount Windows shares into your file system. But desktop environments provide Window access without mounting today through smbclient.
- NCP file system support: N, OLD
- Coda file system support: N sadly, should be good but never seen in practice
- Andrew File System support: N, once popular at universities
- Native language support: Y
- Default NLS Option: utf8, STD, don't use anything else today!
- say Y to all other options
Security options
- Restrict unprivileged access to the kernel syslog: Y, SEC
- Allow /proc/pid/mem access override: Traditional, SEC
- Enable the securityfs filesystem: Y, SEC
- Remove the kernel mapping in user mode: Y, SEC
- Harden memory copies between kernel and userspace: Y, SEC
- Allow usercopy whitelist violations to fallback to object size: Y, COMPAT
- Harden common str/mem functions against buffer overflows: Y, SEC
- First legacy 'major LSM' to be initialized: Unix Discretionary Access Controls
- Ordered list of enabled LSMs: yama,loadpin,safesetid,integrity
Memory initialization:
- Enable heap memory zeroing on allocation by default: Y, SEC
- others for even more SEC
Cryptographic API
tbd- Provide system-wide ring of trusted keys: N, SEC, for module signing
Library routines
AUTO: simply let the config system auto-select the necessary options.Select compiled-in fonts: Y
- Terminus 16x32: Y if you have a HiDPI display. Also append to your kernel command line: fbcon=font:TER16x32
Kernel hacking
Even thoug this is for DEV there are some SEC gains by enabling certain options.printk and dmesg options:
- Support symbolic error names in printf: Y
- Debug information: (1) Disable debug information
- Reduce debugging information: Y
- Produce split debuginfo in .dwo files: Y
- Make section mismatch errors non-fatal: Y
- Debug Filesystem: Y
- Kernel debugging: Y, SEC
- Miscellaneous debug code: N
- Memory Debugging:
- Default console loglevel: 7
- Support symbolic error names in printf: Y
- Debug Oops, Lockups and Hangs:
- Panic on Oops: Y, SEC
- panic timeout: -1, SEC
- Scheduler Debugging: none
- Lock Debugging (spinlocks, mutexes, etc...): none
- Stack backtrace support: Y
- Debug kernel data structures:
- Debug linked list manipulation: Y, SEC
- Debug priority linked list manipulation: Y, SEC
- Debug notifier call chains: Y, SEC
- Trigger a BUG when data corruption is detected: Y, SEC
- Debug credential management: Y, SEC
- RCU Debugging: none
- x86 Debugging: Enable verbose x86 bootup info messages: Y
- Kernel Testing and Coverage: none
- Filter access to /dev/mem: Y, SEC, if enabled under Character Devices
- Filter I/O access to /dev/mem: Y, SEC, if enabled under Character Devices
- N for everything else