Security options
-*- Enable access key retention support
This option provides support for retaining authentication tokens and access keys in the kernel.
<*> TRUSTED KEYS
This option provides support for creating, sealing, and unsealing keys in the kernel.
-*- ENCRYPTED KEYS
This option provides support for creating, encrypting and decrypting keys in the kernel.
[ ] Enable the /proc/keys file by which keys may be viewed
[ ] Restrict unprivileged access to the kernel syslog
This enforces restrictions on unprivileged users reading the kernel syslog via dmesg(8). It sets the default of the kernel.dmesg_restrict sysctl; left off, as here, any local user can read kernel addresses and oops output from dmesg.
[*] Enable different security models
-*- Enable the securityfs filesystem
-*- Socket and Networking Security Hooks
A security module can use these hooks to implement socket and networking access controls.
[ ] XFRM (IPSec) Networking Security Hooks
A security module can use these hooks to implement per-packet access controls based on labels derived from IPSec policy.
-*- Security hooks for pathname based access control
A security module can use these hooks to implement pathname based access controls.
[ ] Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)
(0) Low address space for LSM to protect from user allocation
This is the portion of low virtual memory which should be protected from userspace allocation. Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs. The value is the default of the vm.mmap_min_addr sysctl; 0 disables the protection entirely, while Ubuntu's own x86 kernels use 65536.
[*] NSA SELinux Support
[*] NSA SELinux boot parameter
(0) NSA SELinux boot parameter default value
With 0, SELinux stays disabled at boot unless selinux=1 is passed on the kernel command line, which is consistent with AppArmor being chosen as the default module below.
[*] NSA SELinux runtime disable
Allows SELinux to be switched off at runtime by writing to the disable node in selinuxfs before a policy is loaded; a hardened kernel should leave this off.
[*] NSA SELinux Development Support
[*] NSA SELinux AVC Statistics
(1) NSA SELinux checkreqprot default value
With 1, SELinux checks the memory protection an application requests in mmap/mprotect rather than the protection the kernel actually applies; 0 is the safer choice and can also be set at boot with checkreqprot=0.
[ ] NSA SELinux maximum supported policy format version
[*] Simplified Mandatory Access Control Kernel Support
Smack is useful for sensitivity, integrity, and a variety of other mandatory security schemes.
[*] TOMOYO Linux Support
This selects TOMOYO Linux, pathname-based access control.
(2048) Default maximal count for learning mode
(1024) Default maximal count for audit log
[ ] Activate without calling userspace policy loader.
(/sbin/tomoyo-init) Location of userspace policy loader
(/sbin/init) Trigger for calling userspace policy loader
[*] AppArmor support
This enables the AppArmor security module.
(1) AppArmor boot parameter default value
[*] Yama support
This extends DAC support with additional system-wide security settings beyond regular Linux discretionary access controls. Currently available is ptrace scope restriction (the kernel.yama.ptrace_scope sysctl).
[ ] Yama stacked with other LSMs
[ ] Digital signature verification using multiple keyrings
It defines separate keyrings for each of the different use cases - evm, ima, and modules.
[ ] Integrity Measurement Architecture (IMA)
The Trusted Computing Group (TCG) runtime Integrity Measurement Architecture (IMA) maintains a list of hash values of executables and other sensitive system files, as they are read or executed.
[*] EVM support
EVM protects a file's security extended attributes against integrity attacks.
Default security module (AppArmor) --->
In this kernel generation only one of the major modules (SELinux, Smack, TOMOYO, AppArmor) is active at a time, even though several are compiled in above; this entry picks which one, and security= on the kernel command line overrides it.
Cryptographic API
This option provides the core Cryptographic API. The algorithms here are widely used by drivers, communication protocols and similar mechanisms. The sub-options can all be left unselected; if another part of the kernel depends on one, it is selected automatically.
--- Cryptographic API
*** Crypto core or helper ***
-*- Cryptographic algorithm manager
Create default cryptographic template instantiations such as cbc(aes). This creates the cipher template instances and must be selected.
[*] Disable run-time self tests
Disable run-time self tests that normally take place at algorithm registration. With this on, a broken or mis-accelerated cipher or hash implementation is no longer caught when it registers; leave the tests enabled unless boot time matters more than that check (FIPS mode requires them).
{M} GF(2^128) multiplication functions
This converts an arbitrary crypto algorithm into a parallel algorithm that executes in kernel threads.
{M} Software async crypto daemon
This is a generic software asynchronous crypto daemon that converts an arbitrary synchronous software crypto algorithm into an asynchronous algorithm that executes in a kernel thread.
{M} Authenc support
Quick & dirty crypto test module.
*** Authenticated Encryption with Associated Data ***
Support for Counter with CBC MAC. Required for IPsec.
{M} Sequence Number IV Generator
*** Block modes ***
-*- CBC support
CBC: Cipher Block Chaining mode. This block cipher algorithm is required for IPSec.
{M} CTR support
CTR: Counter mode. This block cipher algorithm is required for IPSec.
CTS: Cipher Text Stealing
This is the Cipher Text Stealing mode as described by Section 8 of rfc2040 and referenced by rfc3962.
-*- ECB support
{M} LRW support
{M} PCBC support
{M} XTS support
*** Hash modes ***
-*- HMAC support
*** Digest ***
-*- CRC32c CRC algorithm
{*} CRC32c INTEL hardware acceleration
{M} GHASH digest algorithm
{M} MD4 digest algorithm
-*- MD5 digest algorithm
{M} Michael MIC keyed digest algorithm
-*- SHA1 digest algorithm
-*- SHA224 and SHA256 digest algorithm
*** Ciphers ***
-*- AES cipher algorithms
{M} AES cipher algorithms (i586)
AES (Rijndael) with 128/192/256-bit keys: the standard symmetric cipher, fast and memory-frugal (this is the i586-optimised version).
{M} ARC4 cipher algorithm
A weak symmetric stream cipher.
A symmetric cipher.
{M} DES and Triple DES EDE cipher algorithms
{M} FCrypt cipher algorithm
< > Serpent cipher algorithm (i586/SSE2)
A weaker symmetric cipher.
A very strong symmetric cipher, widely used.
*** Compression ***
{M} Deflate compression algorithm
Compression algorithm; only needed when IPSec uses the IPCOMP protocol.
{M} LZO compression algorithm
*** Random Number Generation ***
[*] Hardware crypto devices --->
Drivers for hardware crypto engines; the one this post has in mind is the VIA PadLock Advanced Cryptography Engine found on VIA C7-series processors.
< > Asymmetric (public-key cryptographic) key type --->
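Added example, not from the original post and not kernel code: a small POSIX sh audit of a kernel .config for the settings called out in the Security options and Cryptographic API menus above (dmesg restriction, mmap_min_addr, SELinux runtime disable and checkreqprot, Yama, crypto self tests). The CONFIG_* names are the real Kconfig symbols behind those menu entries; the sample .config written by write_sample_config is constructed to mirror the choices shown on this page, and the 65536 threshold is the value Ubuntu's own x86 kernels use for mmap_min_addr.

```shell
#!/bin/sh
# Added example, not from the original post: audit a kernel .config for the
# security-relevant choices discussed in the Security options and
# Cryptographic API menus. The CONFIG_* names are real Kconfig symbols;
# the sample config below is constructed to mirror the menus on this page.

# cfg_get FILE SYMBOL: print the symbol's value (y, m, a number, a string),
# or "n" when it is absent or appears as "# CONFIG_X is not set".
cfg_get() {
    v=$(sed -n "s/^$2=//p" "$1" | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'n\n'; fi
}

# audit_config FILE: print one WARN line per weak setting (nothing if clean).
audit_config() {
    f=$1
    [ "$(cfg_get "$f" CONFIG_SECURITY_DMESG_RESTRICT)" = y ] ||
        echo "WARN: SECURITY_DMESG_RESTRICT off: unprivileged users can read dmesg (kernel.dmesg_restrict=0)"
    m=$(cfg_get "$f" CONFIG_DEFAULT_MMAP_MIN_ADDR)
    case $m in
        *[!0-9]*|'') echo "WARN: DEFAULT_MMAP_MIN_ADDR unset: low pages mappable by user space" ;;
        *) [ "$m" -ge 65536 ] ||
            echo "WARN: DEFAULT_MMAP_MIN_ADDR=$m: below the 65536 Ubuntu uses (vm.mmap_min_addr)" ;;
    esac
    [ "$(cfg_get "$f" CONFIG_SECURITY_SELINUX_DISABLE)" != y ] ||
        echo "WARN: SECURITY_SELINUX_DISABLE on: SELinux can be turned off at runtime via selinuxfs"
    [ "$(cfg_get "$f" CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE)" != 1 ] ||
        echo "WARN: SELINUX_CHECKREQPROT_VALUE=1: mmap/mprotect checked on requested, not applied, protection"
    [ "$(cfg_get "$f" CONFIG_SECURITY_YAMA)" = y ] ||
        echo "WARN: SECURITY_YAMA off: no ptrace scope restriction (kernel.yama.ptrace_scope)"
    [ "$(cfg_get "$f" CONFIG_CRYPTO_MANAGER_DISABLE_TESTS)" != y ] ||
        echo "WARN: CRYPTO_MANAGER_DISABLE_TESTS on: broken cipher/hash implementations register unchecked"
}

# count_warnings FILE: number of WARN lines audit_config prints.
count_warnings() {
    audit_config "$1" | grep -c '^WARN' || true
}

# write_sample_config FILE: constructed .config fragment mirroring this page.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_KEYS=y
# CONFIG_KEYS_DEBUG_PROC_KEYS is not set
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=0
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_SECURITY_YAMA=y
CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
EOF
}

# Demo on the constructed config. For a live system run
#   audit_config /boot/config-$(uname -r)
# or first extract /proc/config.gz with zcat into a file.
tmp=$(mktemp)
write_sample_config "$tmp"
audit_config "$tmp"
echo "$(count_warnings "$tmp") warning(s)"
rm -f "$tmp"
```

Against the page's own choices the script reports five warnings; only Yama passes. Each warning names the sysctl or boot parameter that can flip the setting without a rebuild, which is usually the quicker fix on an installed system.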
Virtualization
Options for using your Linux host to run other operating systems inside virtual machines (guests).
--- Virtualization
Support hosting fully virtualized guest machines using hardware virtualization extensions.
Provides support for KVM on Intel processors equipped with the VT extensions.
[ ] Audit KVM MMU
This option adds a R/W KVM module parameter 'mmu_audit', which allows auditing the KVM MMU at runtime.
This kernel module can be loaded in the host kernel to accelerate guest networking with virtio_net.
< > TCM_VHOST fabric module (EXPERIMENTAL)
Say M here to enable the TCM_VHOST fabric module for use with virtio-scsi guests.
< > Linux hypervisor example code
This is a very simple module which allows you to run multiple instances of the same Linux kernel, using the "lguest" command found in the Documentation/virtual/lguest directory.
Library routines
This interface lets you select features and parameters for the build.
{M} CRC-CCITT functions
This option is provided for the case where no in-kernel-tree modules require CRC-CCITT functions, but a module built outside the kernel tree does. (Used for transmitting 8-bit characters; the European standard.)
-*- CRC16 functions
This option is provided for the case where no in-kernel-tree modules require CRC16 functions, but a module built outside the kernel tree does. (The US standard.)
-*- CRC calculation for the T10 Data Integrity Field
This option is only needed if a module that's not in the kernel tree needs to calculate CRC checks for use with the SCSI data integrity subsystem.
{M} CRC ITU-T V.41 functions
-*- CRC32/CRC32c functions
Used in point-to-point synchronous data transfer; required for transmitting network packets.
[ ] CRC32 perform self test on init
CRC32 implementation (Slice by 8 bytes) --->
{M} CRC32c (Castagnoli, et al) Cyclic Redundancy-Check
Used in point-to-point synchronous data transfer, for example with iSCSI devices.
{M} CRC8 function
-*- XZ decompression support
[*] x86 BCJ filter decoder
[*] PowerPC BCJ filter decoder
[*] IA-64 BCJ filter decoder
[*] ARM BCJ filter decoder
[*] ARM-Thumb BCJ filter decoder
[*] SPARC BCJ filter decoder
- - Force CPU masks off stack
- - Disable obsolete cpumask functions
-*- Averaging functions
{M} CORDIC algorithm
[ ] JEDEC DDR data
Data from JEDEC specs for DDR SDRAM memories, particularly the AC timing parameters and addressing information. This data is useful for drivers handling DDR SDRAM controllers.
The last two rows of the kernel configuration menu are:
Load an Alternate Configuration File
reads in an external configuration file
Save an Alternate Configuration File
saves the configuration to an external file
That is essentially the end of the kernel configuration options. There is a great deal of material; choose according to your actual situation.
Back to the first part, "Linux kernel compilation process and configuration notes (1)"; the remaining steps follow below.
When configuration is complete, exit and save.
This generates the .config file in the current directory.
The first two steps, (1) set up the build environment and download the kernel, and (2) configure the kernel, are now done.
Step 3:
Compile the kernel
Compiling the kernel consists of two parts. The first is compiling the kernel proper, i.e. everything marked Y in the configuration; this ends up as the bzImage image file. The second is compiling the kernel modules, i.e. everything marked M; these become kernel module object files ending in .ko.
These two parts can be done in turn with make bzImage and make modules, or with a single make command. Compiling the whole kernel takes a long time, so pass the -j option to make to speed it up: make then runs n jobs concurrently, which shortens the build. A common choice for n is twice the number of CPUs.
root@loongson-desktop:/home/loongson/lijy-backup/lijy-test/kernel/linux-3.8# make -j2
scripts/kconfig/conf --silentoldconfig Kconfig
make[1]: Nothing to be done for `all'.
CHK include/generated/uapi/linux/version.h
make[1]: Nothing to be done for `relocs'.
CHK include/generated/utsrelease.h
CALL scripts/checksyscalls.sh
CHK include/generated/compile.h
This wait is fairly long...
Step 4:
Install
Installation has two parts. First install the kernel modules; this copies the modules just built into /lib/modules/3.8.0/, where 3.8.0 is the kernel version. The command is:
make modules_install
Next, install the compiled kernel:
make install
Installing the kernel does the following:
1. Copies the kernel image bzImage produced by the build to /boot and names it vmlinuz-3.8.0. On an x86 CPU the image is at arch/x86/boot/ inside the source tree being compiled.
2. Copies System.map from ~/linux-3.8.0/ to /boot/ as System.map-3.8.0. This file holds the kernel's symbol table, i.e. the addresses of kernel functions and data; keep it readable by root only (mode 0600, as the distribution kernels do), since it hands an attacker exactly the addresses that kernel.kptr_restrict otherwise hides.
3. Copies .config from ~/linux-3.8.0/ to /boot/ as config-3.8.0.
Step 5:
Create the initrd.img file
initrd.img is the initial RAM disk image: it packs the most basic drivers and command-line tools into a single image. Before the root partition is mounted, the system still has work to do, such as loading SCSI drivers; the initrd is unpacked into memory, used as a temporary root filesystem, and its scripts run insmod to load the modules that are needed. (What mkinitramfs produces is strictly an initramfs, a compressed cpio archive, rather than a block-device ramdisk image, but the file is still conventionally named initrd.img.)
The concrete command is:
/linux-3.8# mkinitramfs 3.8.0 -o /boot/initrd.img-3.8.0
Step 6:
Update grub
The last step is to update the grub boot menu; the following command does it automatically:
update-grub2
This puts the freshly built kernel first in the boot menu. To change which entry boots by default, edit the set default= value in /boot/grub/grub.cfg. Note that grub.cfg is regenerated on every update-grub, so a change that should persist belongs in GRUB_DEFAULT in /etc/default/grub, followed by another update-grub.
For the last step, in my own practice I did not actually need to change the default value; after rebooting, the system went straight into the kernel I had just compiled.
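Added example, not from the original post: steps 3 to 6 above collected into shell functions, together with a post-install check that every artifact the text says make install, make modules_install and mkinitramfs leave behind is actually present, and a persistent way to pick the default boot entry. The version 3.8.0 and the /boot and /lib/modules paths are taken from the post; build_and_install is only defined, never run, and the temporary directory at the bottom is constructed so the check can run without a real kernel build.

```shell
#!/bin/sh
# Added example, not from the original post: steps 3 to 6 as functions,
# plus a check of the install artifacts the text describes. KVER, /boot and
# /lib/modules are the values used in the post.
set -u

KVER=${KVER:-3.8.0}

# Job count for make -j: the post's rule of thumb is twice the CPU count.
jobs_for() { echo $(( $1 * 2 )); }

# Steps 3 to 6, to be run as root from the top of the kernel source tree.
# Defined only; nothing below calls it.
build_and_install() {
    ncpu=$(getconf _NPROCESSORS_ONLN 2>/dev/null || echo 1)
    make -j"$(jobs_for "$ncpu")" &&
    make modules_install &&
    make install &&
    mkinitramfs -o "/boot/initrd.img-$KVER" "$KVER" &&
    update-grub2
}

# verify_install BOOTDIR MODDIR VER: print MISSING for each expected artifact
# that is absent or empty; returns 0 only if all of them are present.
# modules.dep is written by depmod at the end of make modules_install.
verify_install() {
    boot=$1 mods=$2 ver=$3 missing=0
    for f in "$boot/vmlinuz-$ver" "$boot/System.map-$ver" "$boot/config-$ver" \
             "$boot/initrd.img-$ver" "$mods/$ver/modules.dep"; do
        [ -s "$f" ] || { echo "MISSING: $f"; missing=$((missing + 1)); }
    done
    return $missing
}

# set_grub_default ENTRY [FILE]: the persistent way to choose the default
# boot entry. Editing set default= in grub.cfg is undone by the next
# update-grub; GRUB_DEFAULT in /etc/default/grub survives it. ENTRY is a
# menu index ("2") or an entry title; run update-grub afterwards.
set_grub_default() {
    f=${2:-/etc/default/grub}
    if grep -q '^GRUB_DEFAULT=' "$f"; then
        sed "s|^GRUB_DEFAULT=.*|GRUB_DEFAULT=\"$1\"|" "$f" > "$f.tmp"
    else
        { cat "$f"; echo "GRUB_DEFAULT=\"$1\""; } > "$f.tmp"
    fi
    mv "$f.tmp" "$f"
}

# Demo: a constructed install layout, then the check against it.
demo=$(mktemp -d)
mkdir -p "$demo/boot" "$demo/lib/modules/$KVER"
for a in vmlinuz System.map config initrd.img; do
    echo "placeholder" > "$demo/boot/$a-$KVER"
done
echo "kernel/drivers/net/e1000.ko:" > "$demo/lib/modules/$KVER/modules.dep"
if verify_install "$demo/boot" "$demo/lib/modules" "$KVER"; then
    echo "all artifacts for $KVER present"
else
    echo "incomplete install of $KVER"
fi
rm -rf "$demo"
```

On a real machine call verify_install /boot /lib/modules 3.8.0 after make install; a missing modules.dep means make modules_install was skipped, and a missing initrd.img means the kernel will fail to find its root filesystem if the root disk driver is built as a module.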
# Boot entries added to grub.cfg after the update:
if [ "$linux_gfx_mode" != "text" ]; then load_video; fi
menuentry 'Ubuntu,Linux 3.8.0' --class ubuntu --class gnu-linux --class gnu --class os {
recordfail
gfxmode $linux_gfx_mode
insmod gzio
insmod part_msdos
insmod ext2
set root='(hd0,msdos8)'
search --no-floppy --fs-uuid --set=root 05006591-e65b-4b40-b038-0d5ce347dac2
linux /boot/vmlinuz-3.8.0 root=UUID=05006591-e65b-4b40-b038-0d5ce347dac2 ro quiet splash $vt_handoff
initrd /boot/initrd.img-3.8.0
}
menuentry 'Ubuntu,Linux 3.8.0 (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os {
recordfail
gfxmode $linux_gfx_mode
insmod gzio
insmod part_msdos
search --no-floppy --fs-uuid --set=root 05006591-e65b-4b40-b038-0d5ce347dac2
initrd /boot/initrd.img-3.8.0
}
recordfail
insmod gzio
insmod part_msdos
insmod ext2
echo 'Loading Linux 3.8.0 ...'
echo 'Loading initial ramdisk ...'
initrd /boot/initrd.img-3.8.0
}
submenu "3.2.0-23-generic-pae Previous Linux versions" {
menuentry 'Ubuntu,Linux 3.2.0-23-generic-pae' --class ubuntu --class gnu-linux --class gnu --class os {
recordfail
gfxmode $linux_gfx_mode
insmod gzio
insmod part_msdos
insmod ext2
set root='(hd0,msdos8)'
search --no-floppy --fs-uuid --set=root 05006591-e65b-4b40-b038-0d5ce347dac2
linux /boot/vmlinuz-3.2.0-23-generic-pae root=UUID=05006591-e65b-4b40-b038-0d5ce347dac2 ro quiet splash $vt_handoff
initrd /boot/initrd.img-3.2.0-23-generic-pae
}
menuentry 'Ubuntu,Linux 3.2.0-23-generic-pae (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os {
recordfail
insmod gzio
insmod part_msdos
insmod ext2
set root='(hd0,msdos8)'
search --no-floppy --fs-uuid --set=root 05006591-e65b-4b40-b038-0d5ce347dac2
echo 'Loading Linux 3.2.0-23-generic-pae ...'
linux /boot/vmlinuz-3.2.0-23-generic-pae root=UUID=05006591-e65b-4b40-b038-0d5ce347dac2 ro recovery nomodeset
echo 'Loading initial ramdisk ...'
initrd /boot/initrd.img-3.2.0-23-generic-pae
}
}
# default value, changed so that the original kernel boots by default
### BEGIN /etc/grub.d/00_header ###
if [ -s $prefix/grubenv ]; then
set have_grubenv=true
load_env
fi
set default="2"
With that, the process of generating the kernel is complete.
Reference:
http://edsionte.com/techblog/archives/3289