
Which kernel config options to choose?

This is a guide to configuring a Linux kernel for popular, modern x86_64 commodity hardware of the kind typically found in netbooks, laptops, desktops or off-the-shelf servers. It does not cover embedded devices, kernel development, big iron, other platforms, exotic hardware or peripherals: just the standard stuff for running Linux. There is no discussion of modules vs. built-in; I do built-in. The basis for this article is kernel 6.12. Always refer also to the help text of the respective kernel option. This article does not describe every possible config option, because it omits whole categories that are not relevant on such systems. If you think there is a mistake, that I should really recommend for or against a certain option, or that I got something upside down, please email me. I am not a kernel developer, even if I can find my way around the code quite well.

I am using the following acronyms in the comments:

Main page

make menuconfig will bring up this screen. Make sure the entries marked [*] are ticked; entries marked -*- are selected automatically by other options and cannot be turned off here.
    General setup  --->
[*] 64-bit kernel
    Processor type and features  --->
[*] Mitigations for CPU vulnerabilities  --->
    Power management and ACPI options  --->
    Bus options (PCI etc.)  --->
    Binary Emulations  --->
[*] Virtualization  --->
    General architecture-dependent options  --->
[ ] Enable loadable module support  ----
-*- Enable the block layer  --->
    Executable file formats  --->
    Memory Management options  --->
[*] Networking support  --->
    Device Drivers  --->
    File systems  --->
    Security options  --->
-*- Cryptographic API  --->
    Library routines  --->
    Kernel hacking  --->

General setup

64-bit Kernel

Y, STD

Processor type and features

Mitigations for CPU vulnerabilities

Every Y tick here costs performance, but largely only on processors that are actually affected: the config only compiles a mitigation in, and the kernel decides at boot, after detecting the CPU's bugs, which ones to apply. The mitigations= kernel parameter (and the per-issue parameters named in the option help) can still switch them off at boot, and /sys/devices/system/cpu/vulnerabilities/ shows what the running kernel actually applied, so check there rather than trusting the .config alone.
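To see which of the compiled-in mitigations the running kernel actually applied, read the per-issue files it exports under sysfs. The script below is an added example, not code from the original article: report_vulnerabilities, count_unmitigated and make_sample_vulnerabilities are names chosen here, the sysfs directory is the real one on x86_64, and the sample directory is constructed data in the same one-line-per-file format so the parsing can be demonstrated offline.

```shell
#!/bin/sh
# Added example for this article (not from the original page).
# The kernel reports, per known CPU issue, whether the running kernel is
# affected and which mitigation it applied. The directory below is the real
# sysfs location on x86_64; make_sample_vulnerabilities builds constructed
# sample files in the same format so the parsing can be shown offline.

SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# report_vulnerabilities [DIR]
# Prints "<flag> <issue>: <status>" per entry, then the number of entries
# whose status starts with "Vulnerable" (affected, nothing applied).
#   !! = vulnerable and unmitigated   ?? = kernel cannot tell   ok = anything else
report_vulnerabilities() {
    dir="${1:-$SYSFS_VULN_DIR}"
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 1
    fi
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case "$status" in
            Vulnerable*) flag='!!'; n=$((n + 1)) ;;
            Unknown*)    flag='??' ;;
            *)           flag='ok' ;;
        esac
        printf '%s %s: %s\n' "$flag" "$(basename "$f")" "$status"
    done
    echo "$n"
}

# count_unmitigated [DIR]: only the final count, for use in scripts.
count_unmitigated() {
    report_vulnerabilities "$@" | tail -n 1
}

# Constructed sample: one file per issue, one status line each, using the
# kind of strings real kernels print (values chosen for illustration).
make_sample_vulnerabilities() {
    d=$(mktemp -d)
    printf '%s\n' 'Mitigation: PTI' > "$d/meltdown"
    printf '%s\n' 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization' > "$d/spectre_v1"
    printf '%s\n' 'Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; RSB filling' > "$d/spectre_v2"
    printf '%s\n' 'Vulnerable: No microcode' > "$d/mds"
    printf '%s\n' 'Not affected' > "$d/l1tf"
    printf '%s\n' 'Vulnerable' > "$d/retbleed"
    printf '%s\n' 'Unknown: Dependent on hypervisor status' > "$d/srbds"
    echo "$d"
}

# On a live system: report_vulnerabilities   (no argument = real sysfs directory)
```

A non-zero final count means the CPU is affected by an issue the kernel could not or was told not to mitigate (missing microcode, a mitigations= override, or an option left at N); "Unknown" entries typically show up inside virtual machines where the hypervisor hides the state.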

Power management and ACPI options

Bus options (PCI etc.)

Binary Emulations

Virtualization

Y if you intend to run virtual machines on this computer (VHOST).

General architecture-dependent options

Enable loadable module support: N, SEC

Modules are a potential security problem: with module loading enabled, anyone who gains root (or can trigger module autoloading) has a path to run code inside the kernel, and keeping that path shut then depends on additional mechanisms such as module signing or the lockdown LSM. With loadable module support off, the loading path simply does not exist. If you can, disable them and compile-in what you need; be aware that out-of-tree modules cannot be used on such a kernel.

Enable the block layer: Y, STD, otherwise you get no disks

IO Schedulers

Executable file formats / Emulations

Memory Management options

Data Access Monitoring

DAMON: Data Access Monitoring Framework: N

Networking support

Networking options

other

Device Drivers

File systems

Security options

Kernel hardening options:
Memory initialization:

Cryptographic API

tbd

Library routines

AUTO: simply let the config system auto-select the necessary options.
Select compiled-in fonts: Y
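A quick way to check a finished .config against the ticks recommended in this article (64-bit kernel, mitigations, no modules, block layer, networking, no DAMON, compiled-in fonts) is to compare it with a short list of expected values. The script below is an added example, not part of the original article. The Kconfig symbols in EXPECTED are my mapping of the menuconfig entries (CONFIG_MODULES for "Enable loadable module support", CONFIG_DAMON for DAMON, CONFIG_FONTS for "Select compiled-in fonts", and so on), so verify them against the help text of your tree; the .config written by make_sample_config is constructed for illustration.

```shell
#!/bin/sh
# Added example for this article (not from the original page): audit a
# finished .config against the ticks recommended here. The symbol names in
# EXPECTED are my mapping of the menuconfig entries; check them against the
# help text of your tree. make_sample_config writes a constructed .config.

# One "SYMBOL=value" per line. A value of n means the symbol must be unset,
# i.e. absent or present only as "# CONFIG_X is not set".
EXPECTED='
CONFIG_64BIT=y
CONFIG_CPU_MITIGATIONS=y
CONFIG_MODULES=n
CONFIG_BLOCK=y
CONFIG_NET=y
CONFIG_DAMON=n
CONFIG_FONTS=y
'

# config_value FILE SYMBOL: prints the value (y, m, a number or a string),
# or n when the symbol is not set.
config_value() {
    v=$(grep -E "^$2=" "$1" | head -n 1 | cut -d= -f2-)
    if [ -n "$v" ]; then
        echo "$v"
    else
        echo n
    fi
}

# audit_config FILE: prints one MISMATCH line per deviation, then the count.
audit_config() {
    bad=0
    for want in $EXPECTED; do
        sym=${want%%=*}
        val=${want#*=}
        have=$(config_value "$1" "$sym")
        if [ "$have" != "$val" ]; then
            echo "MISMATCH $sym: want $val, have $have"
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# mismatch_count FILE: only the final number, for use in a build script.
mismatch_count() {
    audit_config "$1" | tail -n 1
}

# Constructed sample .config: two deviations from the article (modules and
# DAMON enabled), plus an unrelated "is not set" line to show that form.
make_sample_config() {
    f=$(mktemp)
    printf '%s\n' \
        '# Automatically generated file; DO NOT EDIT.' \
        'CONFIG_64BIT=y' \
        'CONFIG_CPU_MITIGATIONS=y' \
        'CONFIG_MODULES=y' \
        'CONFIG_BLOCK=y' \
        'CONFIG_NET=y' \
        'CONFIG_DAMON=y' \
        'CONFIG_FONTS=y' \
        '# CONFIG_DEBUG_INFO is not set' \
        > "$f"
    echo "$f"
}

# Usage after make menuconfig:  audit_config .config
```

Extend EXPECTED as you work through the sections below; anchoring each entry on "^SYMBOL=" keeps CONFIG_NET from matching CONFIG_NETFILTER, and treating a missing symbol as n matches how kconfig writes unset options.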

Kernel hacking

Even though this is for DEV, there are some SEC gains from enabling certain options.

printk and dmesg options:

Compile-time checks and compiler options:

Generic Kernel Debugging Instruments: