#1 2018-05-27 04:44:58

sleekmason
Member
Registered: 2018-05-22
Posts: 142

How To - Kernel Compile With Custom Options

This guide is meant to provide a basis for compiling the Linux kernel, whether the latest stable kernel from the Debian Stretch Repositories, or any kernel listed in the Linux Kernel Archives. https://www.kernel.org/

Guide updated as of: 12 October 2018

There are currently 12 sections:

1.  Dependencies.
2.  Compiling the Debian stable kernel source from the repository.
3.  Compiling the Linux Kernel Source from the Linux Kernel Archives.
4.  Initial Configuration and Install.
5.  After boot.
6.  Dual booting.
7.  Configuration.
8.  Scaling Drivers and Governors.
9.  IO Schedulers/enabling BFQ.
10. Patches
11. Ideas to get you started.
12. Links.

Why compile your own kernel?

Both the Linux Kernel Archives and the Debian repositories (though a version or two behind) offer the latest Linux kernels, fully patched with the newest security measures. This includes support for the dreaded Spectre and Meltdown problems of late, as well as new and exciting features, and fixes for older drivers. So, if you:

1. Want the latest in Linux kernel security features, both new and revised.
2. Have hardware that is currently unsupported and would like to activate/install certain drivers.
3. Need to deactivate an item that is causing conflicts.
4. Want to remove as much cruft as possible for speed and size.
5. Want to learn about what controls both your computer and software at the kernel level.
6. Like to tinker and explore.  You will not get bored.
7. Like having absolute control over your system.

Compiling and installing a kernel will not, in itself, cause any issues or damage. If your new kernel is corrupted, it either will not boot, or will quickly show if there is a problem after boot.

If you do have a problem, simply boot into your previous kernel and remove the offending version using apt-get remove --purge linux-image-<version> linux-headers-<version>.

[Image: Older model of the Linux Kernel.]

--------------------

***Dependencies

In order to compile your new kernel, some development programs need to be downloaded and installed:

First update the repositories:

sudo apt update

Download and install the programs with:

sudo apt install build-essential libncurses5-dev libssl1.0-dev libelf-dev bison flex bc fakeroot

--------------------

***Compiling the Debian stable kernel from the repositories

Is there any reason to use the Debian kernel source vs. the Linux kernel source?

Maybe.  This will depend on your needs.  Debian kernel security patches come from the upstream Linux Kernel, and are applied on a regular basis in order to be fully up to date with the very latest security from the upstream source.

However, Debian may apply other patches that allow certain Debian packages to work better within the existing Debian framework.

Mostly this applies to "out of tree" modules/drivers that Debian is implementing for different architectures.  What effect this has on the end user depends on several factors, including architecture, programs used, transition of Debian versions from testing to stable, etc.  For MOST daily use, the upstream source from the Linux Kernel Archives can certainly be used.

To get the Debian kernel source at the current maximum patch level, you will need to install the Debian kernel source package using apt.

First find out what the latest kernel source package is by using apt-cache:

apt-cache search linux-source

Here is the example output from the code above:

apt-cache search linux-source
linux-source-4.9 - Linux kernel source for version 4.9 with Debian patches
linux-source - Linux kernel source (meta-package)
linux-source-4.17 - Linux kernel source for version 4.17 with Debian patches
linux-source-4.18 - Linux kernel source for version 4.18 with Debian patches
linux-source-4.16 - Linux kernel source for version 4.16 with Debian patches

kernel version 4.18 is the latest source in the example:

sudo apt install linux-source-4.18

The Debian kernel source will install to /usr/src.  We do not want or need to work on it from /usr/src. Working on the kernel from your home directory makes for a safer environment.

Make a folder in your home directory where you will be working:

mkdir ~/kernels

Now move the newly downloaded source to your new kernel directory:

sudo mv /usr/src/linux-source-4.18.tar.xz ~/kernels

Change your working directory to ~/kernels:

cd ~/kernels

Extract the source file from the tarball:

tar xaf linux-source-4.18.tar.xz

You shouldn't need to change permissions on the resultant file as it is being extracted in $HOME, but if so:

sudo chmod -R 755 ~/kernels/linux-source-4.18

You should then remove the source paths/tree in /usr/src after moving the file to ~/kernels.  This will keep /usr/src from getting cluttered up with different sources.

Remove the cruft left behind when you moved the source to ~/kernels:

sudo apt purge linux-source-4.18

For more information on the Debian kernel source:
https://kernel-team.pages.debian.net/ke … tasks.html

-- From this point, please scroll down to Initial Configuration and Install --

--------------------

***Compiling the Linux kernel from the Linux Kernel Archives

Simply download any available image you would like to compile from the Linux Kernel Archives: https://www.kernel.org/

Make a directory in your home directory to work from:

mkdir ~/kernels

Change your working directory to ~/kernels:

cd ~/kernels

Place your source tarball into ~/kernels and extract using:

tar xaf linux-source-4.18.tar.xz

--------------------

***Initial Configuration and Install

Once extracted, change directories and/or open a terminal in the resultant folder. (linux-source-4.18)

We need to clean up any files that may have been altered prior to release and make sure the kernel source tree is completely clean:

make clean && make mrproper

Next we open the configuration file (.config) that will instruct the compiler on what to add or leave out depending on your choices.  The first command we run will sync all the items between kernel releases, removing and adding items as necessary.

make oldconfig

make oldconfig uses the existing kernel configuration on your system to determine the default settings applied during distribution install. It only needs to be done (and should be) at the change of the major kernel release number, i.e. from 4.15 to 4.16.

Accept all of the defaults by hitting enter repeatedly (just hold it down), or look through them if you want.  It's quite a list. The defaults are meant to protect the user.  Nothing should be automatically turned on unless it has been deemed necessary and safe.  The number of changed items between releases is generally under 20 or so, but the initial list could be a few hundred items if there are large separations between versions.

When you get to the end, save the file.

Now open menuconfig, which will be the go-to from now on:

make menuconfig

This will present you with a full menu to change the huge number of options the kernel contains. I have made up a list of some of the most common changes later in this guide, but for now:

Under General setup —> find, Local version – append to kernel release
click on Local version – append to kernel release, and type in 1.

For each new compilation, change the number sequentially to keep things a bit more orderly.

Compiling at this point is advised, so you will know the first kernel will work without issue. Other changes should be made on a subsequent compile.

Next, compile the kernel image and headers. There are other files created as well that can be ignored if you want, but may be useful.

Make the kernel with:

make deb-pkg

Or, if you have a dual-core processor:

make -j3 deb-pkg 

Compilation can take anywhere from ten minutes to two hours depending on hardware and kernel configuration. You don't need a fancy computer to compile, it's just a longer wait. The configuration file is stored in the Linux kernel folder as .config. Show hidden files in your file manager to see it.

When the compile is finished, cd to ~/kernels and install the kernel image, and kernel headers using:

sudo dpkg -i linux-image.xyz linux-headers.xyz

where xyz = version number.

In order to make things easier, you should use tab-completion in the terminal.

Dpkg will automatically update your initramfs and grub menu after installation.

Reboot into your new kernel!

--------------------

***After Boot

To see what happens with the Linux kernel on boot, and possibly address errors, in a terminal:

To see your currently running kernel:

uname -r

To get a readout of the kernel boot process:

dmesg

If you want to know what drivers you are currently using:

lspci -k

If you believe you may have a failed driver:

dmesg | grep failed

To find the size of your currently running kernel, uname -r to get the version, then use the version number to find out running kernel size.  I'm using kernel version 4.17.01:

ls -lha /boot | grep 4.17.01

And here is the output:

-rw-r--r--  1 root root 103K Jun  7 13:02 config-4.17.01
-rw-r--r--  1 root root 6.4M Jun  7 16:51 initrd.img-4.17.01
-rw-r--r--  1 root root 1.8M Jun  7 13:02 System.map-4.17.01
-rw-r--r--  1 root root 3.6M Jun  7 13:02 vmlinuz-4.17.01

The main changes in the kernel size from recompiling will be the initrd.img, shown here at 6.4 MB.

To get a complete list of your computer's hardware, from the menu, open accessories --> System Information. The program Hardinfo comes installed with BunsenLabs and is an excellent tool to retrieve information.

There are links at the bottom of the post that can provide good information on the items found in the kernel.

--------------------

***Dual-booting

If you choose to dual-boot, and BunsenLabs is not your core distribution, you will need to boot into the distribution that installed grub to the MBR.
Then:

sudo update-grub

to have BunsenLabs show in the grub boot menu.

This also goes for those that are not currently dual booting, but would like to give it a go.  Grub automatically adds and updates the boot menu for all partitions. This means you can avoid installing grub altogether in the second distribution.  After install, boot into the distribution that installed grub to the MBR, and run update-grub.

Another way to add a distribution to the Grub boot menu is by placing the below into /etc/grub.d/40_custom. In this example, I am dual booting with antiX as my second distribution on sda5.

menuentry 'Antix' {
    set root=(hd0,5)
    linux /vmlinuz root=/dev/sda5 ro quiet
    initrd /initrd.img
}

*NOTE - You can add any other kernel parameters after quiet if required. (example - scsi_mod.use_blk_mq=1 if using bfq in the other distro.)

Then:

sudo update-grub

If you want, you can replace root=/dev/sda5 with root=UUID=$12345uuid... where $12345uuid... IS the actual UUID of /dev/sda5. This method may be more reliable, as fewer errors can develop from improper partition naming.

In a terminal:

ls -lha /dev/disk/by-uuid

This will show you the partitions by name, as well as the uuid of each partition on your computer.

This thread discusses best practices:   https://forums.bunsenlabs.org/viewtopic … 521#p72521
The Archwiki on Dual-booting:   https://wiki.archlinux.org/index.php/GRUB#Dual-booting

--------------------

***Configuration

One of the first things to do is set up a way to see the differences in the configuration (.config) files between builds. This is important for keeping track of changes through the different builds you will be making.  Sometimes you may only want to change one or two items in the configuration file, and having a way to keep track of these changes is important.

The diff program is fine to use on its own, but for a bit more simplicity and understanding, I advise copying the "diffconfig" script from the kernel headers you installed.  It is made specifically for comparing kernel configuration files.

The script can be found at /usr/src/linux-<version>/scripts. The output is much cleaner.

Once you have opened menuconfig to start your custom configuration, the directions on navigating the menus appear at the top. 

In particular, one should note / and SHIFT+/.

Pressing / will give you a search box useful for finding drivers and other configuration options, while pressing SHIFT+/ with an item highlighted will give the description of the item, its current state, and the dependencies and reverse dependencies necessary for it to function.

For example, here is the description obtained by pressing SHIFT + / while in:

General setup  --->  uselib syscall.

Here is the description:

CONFIG_USELIB:

This option enables the uselib syscall, a system call used in the
dynamic linker from libc5 and earlier.  glibc does not use this
system call.  If you intend to run programs built on libc5 or
earlier, you may need to enable this syscall.  Current systems
running glibc can safely disable this.

Symbol: USELIB [=n]
Type  : bool
Prompt: uselib syscall
  Location:
    -> General setup
  Defined at init/Kconfig:284

As you can see, I have it disabled as it is no longer necessary in the kernel.
Pressing the space bar will change the selected item's status and the arrow keys move you through the lists, and through the items listed at the bottom of the display.


Know that menuconfig and oldconfig are not the only ways to get started on your journey.  Using make localmodconfig is one of my favorites for shrinking the size of the kernel.

Please note that localmodconfig only reads active hardware and drivers. Plugging in a USB device beforehand ensures the option for USB storage remains activated. Plugging in an item for each type, (not every slot) of the external hardware ports you have is advised.

This also applies to internal devices.  An example would be if you occasionally used zram instead of swap.  In this case, you have made a block device from existing space.  If however, it is not activated when doing a make localmodconfig, the options will be turned off in the configuration file.


A surprising number of different options are available to "pre-configure" your kernel. Here they are:


config
Updates the current kernel configuration by using a line-oriented program.

menuconfig - Used for this guide, and my default go-to.
Updates the current kernel configuration by using a text based menu program.

xconfig - Many prefer this over menuconfig.
Updates the current kernel configuration by using a QT-based graphical program.

gconfig
Updates the current kernel configuration by using a GTK+-based graphical program.

oldconfig
Updates the current kernel configuration by using the current .config file and prompting for any new options that have been added to the kernel.

silentoldconfig
Just like oldconfig, but prints nothing to the screen except when a question needs to be answered.

randconfig
Generates a new kernel configuration with random answers to all of the different options.

defconfig
Generates a new kernel configuration with the default answer being used for all options. The default values are taken from a file located in the arch/$ARCH/defconfig file, where $ARCH refers to the specific architecture for which the kernel is being built.

allmodconfig
Generates a new kernel configuration in which modules are enabled whenever possible.

allyesconfig
Generates a new kernel configuration with all options set to yes.

allnoconfig
Generates a new kernel configuration with all options set to no.

Note that the allyesconfig, allmodconfig, allnoconfig, and randconfig targets also take advantage of the environment variable KCONFIG_ALLCONFIG. If that variable points to a file, that file will be used as a list of configuration values that you require to be set to a specific value. In other words, the file overrides the normal behavior of the make targets.

For more information: http://archive.oreilly.com/pub/a/linux/ … rence.html

--------------------

***Scaling Drivers and Governors



To find out whether you are currently using the pstates driver or the acpi-cpufreq driver:

cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_driver

To find out which governor is in use on your system:

cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor

For all of the above info, plus current running frequencies:

cpufreq-info

The results of which will look something like:

 cpufreq-info
cpufrequtils 008: cpufreq-info (C) Dominik Brodowski 2004-2009
Report errors and bugs to cpufreq@vger.kernel.org, please.
analyzing CPU 0:
  driver: acpi-cpufreq
  CPUs which run at the same hardware frequency: 0
  CPUs which need to have their frequency coordinated by software: 0
  maximum transition latency: 10.0 us.
  hardware limits: 1.20 GHz - 2.10 GHz
  available frequency steps: 2.10 GHz, 1.60 GHz, 1.20 GHz
  available cpufreq governors: ondemand, performance, schedutil
  current policy: frequency should be within 1.20 GHz and 2.10 GHz.
                  The governor "ondemand" may decide which speed to use
                  within this range.
  current CPU frequency is 1.75 GHz.
analyzing CPU 1:
  driver: acpi-cpufreq
  CPUs which run at the same hardware frequency: 1
  CPUs which need to have their frequency coordinated by software: 1
  maximum transition latency: 10.0 us.
  hardware limits: 1.20 GHz - 2.10 GHz
  available frequency steps: 2.10 GHz, 1.60 GHz, 1.20 GHz
  available cpufreq governors: ondemand, performance, schedutil
  current policy: frequency should be within 1.20 GHz and 2.10 GHz.
                  The governor "ondemand" may decide which speed to use
                  within this range.
  current CPU frequency is 1.28 GHz.

The pstates information below was taken from The Linux kernel user’s and administrator’s guide on pstates (link below).

The Linux kernel supports a scaling subsystem that consists of three layers: the core, scaling governors, and scaling drivers.

The majority of modern processors are capable of operating in a number of different clock frequency and voltage configurations, often referred to as Operating Performance Points or pstates.

Scaling drivers talk to the hardware. They provide scaling governors with information on the available pstates (or pstate ranges in some cases), and access hardware interfaces to change pstates as requested by the scaling governor used.

Governors are basically scaling algorithms for one of two scaling drivers: the Intel pstates driver, and the acpi-cpufreq driver.
With the pstate driver, there are only two available governors, Performance and Powersave.

The default pstate governor depends on the .config option CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE, with the Performance governor being the default.

If you are using acpi-cpufreq as your scaling driver, all of the governors are used as they traditionally have been, before the pstates driver was introduced to the Linux kernel.

There are currently 6 governors that come with the Linux kernel without patching.

performance
powersave
conservative
ondemand
schedutil
userspace

Note: people have reported mixed results with pstates.  If you are having issues, you may want to disable the pstates driver and use acpi-cpufreq instead.  Also, try different scaling governors for your specific needs.

If you want to disable pstates and use acpi-cpufreq as your scaling driver, then add this to the kernel command line at boot time:

intel_pstate=disable

When using the acpi-cpufreq scaling driver, the only two governors I personally would consider for desktop/laptop use are Ondemand and Schedutil. That being said, I am also not worried about my battery, and this could/should be considered when making a selection.

The Schedutil governor will probably become the default go-to in the future.

If you would like more local information from our forum about the Ondemand settings and how to use them:
    Adjusting some of the settings in the ondemand governor, babble style!

Main source for pstates information:
https://www.kernel.org/doc/html/v4.12/a … ssive-mode

--------------------

***IO Schedulers

Be aware: if you have a solid state drive, IO schedulers may not be necessary.

Please see this link for more information: https://forums.bunsenlabs.org/viewtopic.php?id=3402


The CFQ IO Scheduler comes default on most Linux distributions, and is a fine choice for those who do common tasks like email, web surfing, documents, etc. If, however, you also do video editing, kernel compiling, and other load intensive operations, you may want to consider the BFQ IO Scheduler, which no longer needs to be patched to the kernel since version 4.12.

Here is the method for activating and using the BFQ IO scheduler:


After enabling the BFQ scheduler under: Enable the block layer  --->  in menuconfig, you can enable and try out the BFQ IO Scheduler with a simple command line change to the grub boot menu.

From Here: http://algo.ing.unimo.it/people/paolo/disk_sched/
"BFQ is a proportional-share storage-I/O scheduler that also supports hierarchical scheduling with a cgroups interface."

From the IO scheduler wiki here: https://en.wikipedia.org/wiki/I/O_scheduling
Input/output (I/O) scheduling is the method that computer operating systems use to decide in which order the block I/O operations will be submitted to storage volumes. I/O scheduling is sometimes called disk scheduling.

What this means in general is that IO schedulers choose what and when files are accessed/copied to disk.

I/O schedulers can have many purposes depending on the goals; common purposes include:

- To minimize time wasted by hard disk seeks.
- To prioritize certain processes' I/O requests.
- To give a share of the disk bandwidth to each running process.
- To guarantee that certain requests will be issued before a particular deadline.

Your current IO scheduler is probably "cfq". Check with:

sudo cat /sys/block/sda/queue/scheduler

You should see:

noop deadline [cfq]

*Note (Your drive may be different than "sda" and should be adjusted accordingly.)

BFQ is based on CFQ code, but it implements a more accurate scheduling policy. BFQ distributes the throughput to I/O-bound processes as desired, even if it fluctuates, independently of the device parameters and with any workload.

Soft real-time applications enjoy up to 3-time lower latencies than under CFQ and do not suffer from almost any glitch even in presence of heavy background workloads.

BFQ achieves a high throughput on SSDs without losing low-latency guarantees.   (for solid state).

BFQ achieves up to 30% higher aggregate disk throughput than CFQ with most of the workloads considered, or the same throughput with the others.

Basically, if you do a lot of file transfer from video editing, copying files, backup, etc . . . BFQ is a good scheduler to use.

Also BFQ is the default I/O scheduler in Manjaro, Mageia, OpenMandriva, Sabayon, Arch Linux ARM.  Interesting tidbit that.


To Use the BFQ Scheduler after enabling it in the kernel configuration file:

Reboot your computer, and at the grub screen, use the DOWN arrow and type "e" to edit the grub command line.
Add this to the end of that line, making sure to leave a space between.

scsi_mod.use_blk_mq=1

Once you have booted into your system, to see a list of available schedulers, open a terminal and:

sudo cat /sys/block/sda/queue/scheduler

Your output should be:

[mq-deadline] kyber bfq none

This shows that BFQ is now available for use, though not enabled yet. If you don't see it, you either didn't type in the command correctly at the grub boot menu, or didn't enable it during kernel compile.

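Next change the scheduler to BFQ. The write has to happen as root, so pipe through sudo tee rather than redirecting the output of sudo echo:

echo bfq | sudo tee /sys/block/sda/queue/scheduler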

This will change the current scheduler you are using to BFQ.

Run the cat command again and you should see:

mq-deadline kyber [bfq] none

If so, then you are now using BFQ for the current session.  Try all of the schedulers listed if you like.

Once you have used BFQ for a bit and want to make it permanent on boot, you will need to edit /etc/default/grub.

sudo nano /etc/default/grub

Then add scsi_mod.use_blk_mq=1 after "quiet" like so and save.

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT=" vga=791 quiet scsi_mod.use_blk_mq=1 "
GRUB_CMDLINE_LINUX=""

Your grub file may be different than above.
Once you have the line the way you want, hit "F2" to open the "save file" prompt,  type "y" and ENTER.

Update grub. If you don't, nothing changes.

sudo update-grub

Be careful here: if you get your grub file wrong, the system may not boot.

If you do mess up, simply reboot, drop down one in the menu and type "e" again to bring up the prompt, and change it back to the original.

In order to have BFQ as the default scheduler upon boot, you will need to create a file in /etc/udev/rules.d indicating such.

To make the file 60-scheduler.rules in /etc/udev/rules.d:

sudo nano /etc/udev/rules.d/60-scheduler.rules

Add this line:

ACTION=="add|change", KERNEL=="sd*[!0-9]|sr*", ATTR{queue/scheduler}="bfq"

Hit F2 and save.
Upon reboot, check with:

sudo cat /sys/block/sda/queue/scheduler

--------------------

***Patches

Patches are an easy way to get some of the cool features that others have developed for the Linux Kernel.  They are easy to implement, and easy to use.

As an example, let's say I want to patch the kernel to allow for GCC's march=native option.  This option tells the GCC compiler to find all of the information about your computer, rather than depend on an "arch" setting that could be wrong.

Here is the link to a patch that not only adds march=native, but also provides a better list under Processor type and features --> Processor family, changing the number of possible types to well over 20. "Generic-x86-64" is the default.

https://github.com/graysky2/kernel_gcc_patch

In order to use a patch, download or copy the code to a text file. Download is in the link.

For this purpose, I am using the 4.17.4 stable kernel with the "enable_additional_cpu_optimizations_for_gcc_v4.9+_kernel_v4.13+.patch"

Yeah, that's the name :)  You can, however, change it to whatever you want.  Since I'm using TAB completion, it doesn't bother me at all, and definitely describes the patch.

Place the patch into your kernel tree directory, open a terminal, and:

patch -p1 < enable_additional_cpu_optimizations_for_gcc_v4.9+_kernel_v4.13+.patch

If it doesn't work, you will be informed why. Some will, some won't.  This one does on 4.17.4, and I now have march=native checked by default.

"man patch" in a terminal will show all of the options.

Run "make oldconfig" to see a list of the changes, their default setting, and location.

Afterwards, run "make menuconfig" as you normally would.

There are different patches all over if you do a decent search.  If you find a super duper cool patch, let us all know by posting in the thread.

--------------------

***Ideas to get you started

I've made up a list of many of the changes I have made that serve well for laptops and desktops that don't require special debugging or hardware options.  Running through some of these will give you a feel for how to use menuconfig, and what you can expect from compiling your own kernel.

Many items here are simply not necessary for a laptop computer that is being used for common tasks: web surfing, email, usb, bluetooth, etc.

Changing schedulers, governors, timers, debugging, and other kernel parameters can greatly enhance the kernel's speed, most noticeable on boot, opening programs, and file transfer.

The smaller the kernel size, the faster the reads.

Networking and drivers are machine dependent, while security, crypto, and the like are personal.
There are over 4,300 options in the config file.

Upon opening make menuconfig:

Under General Setup:
1. () Local version – append to kernel release – – – Add a 1 to this to get started;)
2. POSIX Message Queues – – – Disable unless using solaris.
3. uselib syscall – – – Disable – Glibc doesn’t use this.
4. Auditing support - - - Disable
5. Kernel .config support – – – Enable – Gives access to the kernel config file.
6. Enable access to .config through /proc/config.gz – – – Enable – Nice feature to have. You will also need to go into "security options" and uncheck "Restrict unprivileged access to the kernel syslog".
7. Memory placement aware NUMA scheduler – – – Disable – soon deprecated.
8. Configure standard kernel features (expert). – – – Enable, then INSIDE:
     Enable ELF core dumps – – – Disable
     Enable PC-Speaker support – – – Disable – -unless you like beeps-
     Load all symbols for debugging/ksymoops – – – Disable – debugging.
NOTE* You can also disable standard kernel features, then go to Kernel Hacking, and remove all debugging. One depends on the other.
9. Enable SLUB debugging support – – – Disable – debugging.
10. Choose SLAB allocator (SLAB (Unqueued Allocator))  ---> – – – Change to SLUB
11. SLUB per cpu partial cache. – – – EITHER – performance (N) on mine.
12. Profiling support – – – Disable – used by oprofile.


Enable loadable module support —>
1. Forced module loading – – – Disable – Really shouldn’t need this.
2. Forced module unloading – – – Disable – Really shouldn’t need this.
3. Module versioning support – – – Disable – for using modules from other kernels/systems.


Enable the block layer —>
1. Zoned block device support – – – Disable – Unless you have a ZAC or ZBC Storage device.
2. Block layer debugging information in debugfs – – – Disable – Debugging.
3. For interfacing with Opal enabled SEDs – – – Disable – Unless you know what this is.
4. Under Partition Types —>
Advanced partition selection – – – Disable – Unless using hard disks from another system.
5. Enable any IO Schedulers you wish to use.


Processor type and features —>
1. Enable MPS table. – – – If 64 bit, Disable, if not, read.
2. Linux guest support – – – Disable – Unless running under Hypervisor
3. Processor family (Generic-x86-64) – – – Change to yours! – cat /proc/cpuinfo to find out.
4. Supported processor vendors – – – Enable – and remove unused vendors.
5. Old AMD GART IOMMU support – – – Disable – Unless AMD Athlon64, Opteron, turion, etc. Then maybe.
6. IBM Calgary IOMMU support – – – Disable – Unless using IBM.
7. Maximum number of CPUs – – – Change to 4 or 8. Each adds 8 kb (256 x 8 = 2048).
8. CPU core priorities scheduler support – – – Enable – If using Intel – New support in latest kernel possible.
9. Reroute for broken boot IRQs – – – Disable – unless affected – read.
10. Enable support for 16-bit segments – – – Disable – Unless running Wine.
11. Numa Memory Allocation and Scheduler Support – – – READ – I disabled on mine.
12. Contiguous Memory Allocator – – – READ – I disabled on mine.
13. x86 architectural random number generator – – – Disable – How many do you need?
14. Supervisor Mode Access Prevention – – – Disable – Read – Security feature in newer intel.
15. EFI runtime service support – – – Disable – unless you have EFI support.
16. Timer frequency – – – Change to 1000HZ.
17. kexec system call – – – Disable – If you need this, you will know what it is:)
18. Build a relocatable kernel – – – Disable.


Power management and ACPI options —>
1. Enable workqueue power-efficient mode by default. – – Disable – Read.


Bus options (PCI etc.) —> You're on your own, and good to go through once you get a feel for re-compiling.


Executable file formats / Emulations —> I would leave this as is.


Networking support —> There is a lot here. Here's three.
1. Amateur Radio support – – – Disable – unless using amateur radio.
2. CAN bus subsystem support – – – Disable – Medical equipment type stuff.
3. Bluetooth subsystem support – – – Disable – Unless using Bluetooth.


Device Drivers —> On your own, but there are a bunch that can probably go right off. Most (or all) staging drivers can go, along with chrome and android, and a lot more


Firmware Drivers —> On your own. Some are removable, but I'd leave these alone overall.


File systems —>
1. Reiserfs support – – – Disable – Unless you formatted with Reiser.
2. JFS filesystem support. – – – Disable – Unless formatted with.
3. XFS filesystem support. – – – Disable – Unless formatted with.
4. GFS2 file system support. – – – Disable – Unless using a cluster.
5. OCFS2 file system support. – – – Disable – Unless using.
6. Btrfs assert support – – – Disable – Just this. Keep the file system.
7. NILFS2 file system support. – – – Disable – unless used.
8. F2FS filesystem support. – – – Disable – Read.
9. Direct Access (DAX) support. – – – Disable – unless needed.
10. Quota support – – – Disable – unless setting user limits.
11. Kernel automounter version 4 support – – – Disable – Distributed network stuff.
12. Overlay filesystem support. – – – Disable – Unless you know what this is.
13. Caches —>
Gather statistical information on local caching – – Disable – Debugging.
Gather latency information on local caching – – – Disable – Debugging.
Filesystem caching on files – – – Disable – READ FIRST.


Kernel hacking —>
1. printk and dmesg options —>
Show timing information on printks – – – Disable – unneeded for common tasks.
2. Compile-time checks and compiler options —>
Enable unused/obsolete exported symbols – – – Disable – unused.
3. Magic SysRq key – – – Disable – READ I don’t need this.
4. Kernel debugging – – – Disable – Debugging.
5. Tracers – – – Disable – unneeded.
6. (go back 2) Stack backtrace support – – – Disable – unneeded.
7. Runtime Testing – – – Disable – self tests.
8. Early printk via the EFI framebuffer – – – Disable – Debugging.
9. TOM Punit debug driver – – – Disable – Debugging.


Security options —> On your own, but be aware that you can remove many of the different security measures that may not be necessary for your usage.  I offer no advice here.
Cryptographic API —> On your own;)
Virtualization —> On your own. Are you running kvm or using virtio?
Library routines —> On your own, but I advise leaving these alone unless you want a mess on your hands:)

Some items may not be disabled unless other items are.  Going back to uncheck something that appeared un-checkable at first is a good idea.

Remember, you can disable "standard kernel features" under the general section, then go to Kernel Hacking, and remove all debugging. One depends on the other.

--------------------

--------------------

***Links

The Linux Kernel Documentation (provides info on latest release as well):
https://www.kernel.org/doc/html/latest/index.html

This site explains the different active kernel releases, and the definition of distro kernels:
https://www.kernel.org/category/releases.html

The Arch Wiki on kernel development:
https://wiki.archlinux.org/index.php/Ke … ompilation

A lot of the configuration items can be looked up here:
https://lwn.net/Kernel/Index/

Pstate and acpi-cpufreq information:
https://www.kernel.org/doc/html/v4.12/a … ssive-mode

To find out what's going on with kernel development:
https://lwn.net/Kernel/

Last edited by sleekmason (2018-10-12 21:27:05)


"Nothing in the world can take the place of Persistence. Talent will not; nothing is more common than unsuccessful men with talent. Genius will not; unrewarded genius is almost a proverb. Education will not; the world is full of educated derelicts. Persistence and determination alone are omnipotent." - Calvin Coolidge

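The option list in the guide above touches several hardening-related settings (entries 13, 14 and 18 under Processor type and features) and notes that some items depend on others. As an added example, not part of the original post, this Python script reads a finished .config and reports which of those settings are not built in; the symbol names are the 4.x-era Kconfig names (later kernels renamed or removed some), and both sample fragments are constructed.

```python
import re

# Hardening-related symbols behind menu entries the guide touches. Names are
# the 4.x-era Kconfig symbols (assumption: later kernels renamed or removed
# some of them); the descriptions are short labels, not the menu prompts.
HARDENING = {
    "X86_SMAP": "Supervisor Mode Access Prevention",
    "ARCH_RANDOM": "x86 architectural random number generator",
    "RELOCATABLE": "relocatable kernel image",
    "RANDOMIZE_BASE": "kernel address space layout randomization (KASLR)",
    "PAGE_TABLE_ISOLATION": "kernel page-table isolation (Meltdown mitigation)",
    "RETPOLINE": "retpoline (Spectre variant 2 mitigation)",
}

# A symbol listed here is dropped from .config when its parent is off,
# so it never shows up as "is not set" and is easy to miss.
DEPENDS_ON = {"RANDOMIZE_BASE": "RELOCATABLE"}

SET_RE = re.compile(r"^CONFIG_(\w+)=(.*)$")
UNSET_RE = re.compile(r"^# CONFIG_(\w+) is not set$")


def parse_config(text):
    """Map symbol -> value; '# CONFIG_X is not set' is recorded as 'n'."""
    symbols = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SET_RE.match(line)
        if m:
            symbols[m.group(1)] = m.group(2).strip('"')
            continue
        m = UNSET_RE.match(line)
        if m:
            symbols[m.group(1)] = "n"
    return symbols


def audit(text):
    """Return (symbol, state, reason) for each hardening symbol not built in."""
    symbols = parse_config(text)
    findings = []
    for sym, label in HARDENING.items():
        value = symbols.get(sym)
        if value == "y":
            continue
        parent = DEPENDS_ON.get(sym)
        if value is None and parent and symbols.get(parent) != "y":
            reason = "%s: unavailable because CONFIG_%s is off" % (label, parent)
            findings.append((sym, "hidden", reason))
        elif value is None:
            findings.append((sym, "absent", "%s: symbol not in this .config" % label))
        else:
            findings.append((sym, "off", "%s: disabled" % label))
    return findings


# Constructed fragments, not taken from any real system.
STOCK = """\
CONFIG_X86_SMAP=y
CONFIG_ARCH_RANDOM=y
CONFIG_RELOCATABLE=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_RETPOLINE=y
CONFIG_HZ=250
"""

# The same fragment after applying entries 13, 14 and 18 of the list above.
TRIMMED = """\
# CONFIG_X86_SMAP is not set
# CONFIG_ARCH_RANDOM is not set
# CONFIG_RELOCATABLE is not set
CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_RETPOLINE=y
CONFIG_HZ=1000
"""

if __name__ == "__main__":
    for name, cfg in (("stock", STOCK), ("trimmed", TRIMMED)):
        print("== %s ==" % name)
        rows = audit(cfg) or [("-", "ok", "all checked options are built in")]
        for sym, state, reason in rows:
            print("%-28s %-7s %s" % ("CONFIG_" + sym, state, reason))
```

On the trimmed fragment, KASLR is reported as hidden: switching off the relocatable kernel removes CONFIG_RANDOMIZE_BASE from the file entirely, so a search for "is not set" lines would not find it.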

#2 2018-05-27 12:30:05

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: How To - Kernel Compile With Custom Options

Thanks for this, if I can just make a note on this point:

sleekmason wrote:

the BFQ IO Scheduler

It is possible to drop the I/O scheduler completely with the stock BunsenLabs kernel, this may be advantageous for solid-state devices which do not need queuing, see my guide here:

https://forums.bunsenlabs.org/viewtopic.php?id=3402

And also a quick question about this bit:

sleekmason wrote:

Add the following:

deb http://ftp.us.debian.org/debian/ stretch main contrib non-free
#deb http://ftp.us.debian.org/debian/ testing main contrib non-free

Why add the testing repositories?

If they are un-commented an upgrade would almost certainly completely wreck the system and they seem to serve no purpose at all in your guide.

Obligatory link:

https://wiki.debian.org/DontBreakDebian … nkenDebian


“Et ignotas animum dimittit in artes.” — Ovid, Metamorphoses, VIII., 18.


#3 2018-05-27 13:07:59

sleekmason
Member
Registered: 2018-05-22
Posts: 142

Re: How To - Kernel Compile With Custom Options

it is possible to drop the I/O scheduler completely with the stock BunsenLabs kernel, this may be advantageous for solid-state devices which do not need queuing, see my guide here:

While this how-to is about kernel compilation and not schedulers or solid state drives, I'll be happy to include your link on solid state if you like.
*Edit - added under configuration options.

Why add the testing repositories?

If they are un-commented an upgrade would almost certainly completely wreck the system and they seem to serve no purpose at all in your guide.

Please re-read my guide.  I explain very clearly the danger involved, including instructing people to read the guide through once before starting.
This:

Development files are needed for kernel compilation, and here is where the standard warnings and caveats apply about the dangers of using different repos other than those shipped with the distro.
While the sources used here are Debian, they dip into testing (as of this writing), depending on what kernel version you plan to compile.
The 4.17rc6 kernel image for instance, requires use of the testing repository. Kernel version 4.15 may not.
I personally have had no issues so far using testing for development files when needed.  Your mileage may vary. Know how to repair or reinstall if needed.

and this:

Don't forget to re-comment the previously added repositories after install.  Failure to do so, coupled with a dist-upgrade might
cause all the fun you never knew you wanted.

People can do as they wish.  The latest kernel required testing repos on my system. 
Please compile linux image 4.17rc6 with only stable repos and I will rewrite.

Thank you for your feedback.

Last edited by sleekmason (2018-05-27 13:16:45)

#4 2018-05-27 13:25:02

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: How To - Kernel Compile With Custom Options

sleekmason wrote:

Please re-read my guide.

Oh yes, sorry, I missed that bit.

Can you please post the full output of

apt policy libc6

It does look like the newer version of flex pulls in the above package from testing and if this is the case then your system could break during an upgrade or package installation and should probably be re-installed from scratch.

The BunsenLabs developers strongly recommend sticking with the default kernel.



#5 2018-05-27 13:31:16

sleekmason
Member
Registered: 2018-05-22
Posts: 142

Re: How To - Kernel Compile With Custom Options

Sure,
$ apt policy libc6
libc6:
  Installed: 2.27-3
  Candidate: 2.27-3
  Version table:
*** 2.27-3 100
        100 /var/lib/dpkg/status
     2.24-11+deb9u3 500
        500 http://ftp.us.debian.org/debian stretch/main amd64 Packages
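The apt policy output in post #5 shows the condition post #4 asks about: the installed libc6 version is listed only under /var/lib/dpkg/status, so none of the configured repositories provides it. As an added example, not posted by anyone in this thread, this Python parser flags that state and lists what the configured repositories do offer; the first sample is the output from post #5, the second is constructed, and the function names are made up for the example.

```python
DPKG_STATUS = "/var/lib/dpkg/status"


def _is_int(token):
    return token.lstrip("-").isdigit()


def parse_policy(text):
    """Parse the output of `apt policy <package>` for a single package."""
    policy = {"package": None, "installed": None, "candidate": None, "versions": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("$") or line == "Version table:":
            continue
        if line.startswith("Installed:"):
            policy["installed"] = line.split(":", 1)[1].strip()
        elif line.startswith("Candidate:"):
            policy["candidate"] = line.split(":", 1)[1].strip()
        elif policy["package"] is None and line.endswith(":") and " " not in line:
            policy["package"] = line[:-1]
        else:
            tokens = line.split()
            if tokens[0] == "***":          # marker for the installed version
                tokens = tokens[1:]
            # Source line: "<priority> <file or URL> ..."
            is_source = (len(tokens) >= 2 and _is_int(tokens[0])
                         and (tokens[1].startswith("/") or "://" in tokens[1]))
            if is_source and policy["versions"]:
                policy["versions"][-1]["sources"].append(" ".join(tokens[1:]))
            elif len(tokens) == 2 and _is_int(tokens[1]):
                # Version line: "<version> <priority>"
                policy["versions"].append(
                    {"version": tokens[0], "priority": int(tokens[1]), "sources": []})
    return policy


def is_foreign(policy):
    """True when no configured repository offers the installed version."""
    for entry in policy["versions"]:
        if entry["version"] == policy["installed"]:
            return all(src == DPKG_STATUS for src in entry["sources"])
    return False  # package not installed


def repo_versions(policy):
    """Versions the configured repositories offer, as (version, suite/component)."""
    found = []
    for entry in policy["versions"]:
        for src in entry["sources"]:
            if src != DPKG_STATUS:
                parts = src.split()
                found.append((entry["version"], parts[1] if len(parts) > 1 else parts[0]))
    return found


def report(text):
    policy = parse_policy(text)
    if not is_foreign(policy):
        return "%s %s: provided by a configured repository" % (
            policy["package"], policy["installed"])
    offered = ", ".join("%s (%s)" % pair for pair in repo_versions(policy)) or "nothing"
    return "%s %s: NOT in any configured repository; repositories offer %s" % (
        policy["package"], policy["installed"], offered)


# Output as posted in #5 of this thread.
FROM_THREAD = """\
libc6:
  Installed: 2.27-3
  Candidate: 2.27-3
  Version table:
*** 2.27-3 100
        100 /var/lib/dpkg/status
     2.24-11+deb9u3 500
        500 http://ftp.us.debian.org/debian stretch/main amd64 Packages
"""

# Constructed: the same package on a system that never left stretch.
HEALTHY = """\
libc6:
  Installed: 2.24-11+deb9u3
  Candidate: 2.24-11+deb9u3
  Version table:
 *** 2.24-11+deb9u3 500
        500 http://ftp.us.debian.org/debian stretch/main amd64 Packages
        100 /var/lib/dpkg/status
"""

if __name__ == "__main__":
    print(report(FROM_THREAD))
    print(report(HEALTHY))
```

A package in this state gets no further updates from the configured release, security fixes included, until a repository offering an equal or newer version is enabled again.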

#6 2018-05-27 13:35:17

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: How To - Kernel Compile With Custom Options

^ I would advise re-installing but you could try

sudo dpkg --install --force-downgrade /var/cache/apt/archives/libc6_2.24-11+deb9u3_amd64.deb

You really don't want buster's libc6 in a Debian stable based system.

EDIT: also:

empty@hegel:~ $ uname -a
Linux hegel 4.16.0-12.1-liquorix-amd64 #1 ZEN SMP PREEMPT liquorix 4.16-4.1~sid (2018-05-26) x86_64 GNU/Linux
empty@hegel:~ $ cat /sys/class/block/sda/queue/scheduler
mq-deadline kyber [bfq] none
empty@hegel:~ $

The Liquorix kernel works fine with BL-He, even the headers are installable.

https://liquorix.net/

Last edited by Head_on_a_Stick (2018-05-27 13:38:54)



#7 2018-05-27 13:51:35

sleekmason
Member
Registered: 2018-05-22
Posts: 142

Re: How To - Kernel Compile With Custom Options

The BunsenLabs developers strongly recommend sticking with the default kernel.

Why? Changing kernels is easy, and can not harm your system. If it doesn't work, simply reboot.

The BunsenLabs kernel needs some serious work.

Off the top of my head - 
Still using slab instead of slub. Slub is far better now.
Timer frequency of 200 instead of 1000 (recommended)
Low latency desktop has shown superior usage for the preemption model
Every option for debugging is turned on. Why? For the developer maybe . .
Maximum number of CPUs is over 500. Yes, 500.  each one adding a page for use @ 8kb
Everything enabled or moduled by default. 
The size of the kernel is huge!
I can continue this list with a bunch more that should be addressed.

Recompiling the same kernel from 10 years ago and simply allowing the new options by default does not a good kernel make.

Keeping obsolete options enabled (like the five different system calls, three of which are obsolete!) makes for a slower experience as everything gets populated.

These, and many more items should be adjusted for user use, and released as such.

#8 2018-05-27 13:56:53

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: How To - Kernel Compile With Custom Options

sleekmason wrote:

The BunsenLabs developers strongly recommend sticking with the default kernel.

Why?

Because BunsenLabs is based on Debian stable and aims to be reliable, also the coverage of the Debian Security Team is of vital importance, especially in respect of the kernel.



#9 2018-05-27 14:21:22

sleekmason
Member
Registered: 2018-05-22
Posts: 142

Re: How To - Kernel Compile With Custom Options

Just did a dist upgrade with ZERO problems.

Because BunsenLabs is based on Debian stable and aims to be reliable, also the coverage of the Debian Security Team is of vital importance, especially in respect of the kernel.

1. The Debian kernel is based on the Linux Kernel Image with all of the security measures in place.
2. The configuration that ships with the distro is the same configuration used to initially start the kernel configuration. Nothing changes without user input.

3. Newer the kernel, better the security. In the latest 4.17rc6 there were 200,000 lines of code removed, making the kernel smaller than 4.16, and ADDED support for some older hardware.

4. Again, this guide is for those who want to change their kernel with custom options.  Nobody is making you do anything.

#10 2018-05-27 14:31:00

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: How To - Kernel Compile With Custom Options

sleekmason wrote:

Just did a dist upgrade with ZERO problems.

^ Or as the skydiver with the broken parachute said:

So far, so good...

Any packages that have a libc6 dependency lower than the buster version will now be uninstallable on your box and you may have brought other packages in with your little experiment.

sleekmason wrote:

Newer the kernel, better the security.

^ I would strongly disagree with this assertion: the kernel developers seem hell-bent on adding as many features as possible as quickly as possible and all of these added features have the possibility of adding new vulnerabilities.

The Debian Security Team keeps track of any kernel vulnerabilities and backports the fixes very quickly indeed — with your suggested method the user would have to keep track of vulnerabilities themselves and manually recompile the new version (with all the extra, added, undiscovered vulnerabilities).

sleekmason wrote:

In the latest 4.17rc6 there were 200,000 lines of code removed, making the kernel smaller than 4.16, and ADDED support for some older hardware

That does indeed sound excellent but using an RC kernel in a Debian stable based system just seems silly to me.



#11 2018-05-27 14:31:54

sleekmason
Member
Registered: 2018-05-22
Posts: 142

Re: How To - Kernel Compile With Custom Options

It does look like the newer version of flex pulls in the above package from testing and if this is the case then your system could break during an upgrade or package installation and should probably be re-installed from scratch.

This is clearly not a problem at this time and should be amended.

I would advise re-installing but you could try

Not sure why you feel the need to write as if I am having problems. I have no issues after dist-upgrade, and should be noted as such with a caveat for future upgrades as a possibility only.

#12 2018-05-27 14:33:34

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: How To - Kernel Compile With Custom Options

sleekmason wrote:

Not sure why you feel the need to write as if I am having problems.

My comments are actually aimed at the wider "studio" audience ;)



#13 2018-05-27 14:41:23

sleekmason
Member
Registered: 2018-05-22
Posts: 142

Re: How To - Kernel Compile With Custom Options

^ I would strongly disagree with this assertion: the kernel developers seem hell-bent on adding as many features as possible as quickly as possible and all of these added features have the possibility of adding new vulnerabilities.

The Debian Security Team keeps track of any kernel vulnerabilities and backports the fixes very quickly indeed — with your suggested method the user would have to keep track of vulnerabilities themselves and manually recompile the new version (with all the extra, added, undiscovered vulnerabilities).

Yes, anybody who compiles their own kernel will be presented with new features, including security features in every major release.
Anybody not compiling their own kernel doesn't have to worry about it.  What's your point?

That does indeed sound excellent but using an RC kernel in a Debian stable based system just seems silly to me.

Seriously?  4.17 goes mainstream in a couple of weeks and will be trickling down soon.  Will it still be silly when it arrives?

Again, this is a guide for those who want to compile their own kernel, with understanding of all of the above.  This has literally no bearing on anything else. I'm sure people can figure out for themselves what they might want to do.  I'm not cramming anything down anybody's throat.

#14 2018-05-27 14:42:08

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: How To - Kernel Compile With Custom Options

sleekmason wrote:

Please compile linux image 4.17rc6 with only stable repos and I will rewrite

This is Debian's guide for recompiling kernels from upstream:

https://kernel-handbook.debian.net/ch-c … rg-package

^ That method won't pull in a non-compatible libc6 version ;)



#15 2018-05-27 14:43:01

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: How To - Kernel Compile With Custom Options

sleekmason wrote:

Yes, anybody who compiles their own kernel will be presented with new features, including security features in every major release.
Anybody not compiling their own kernel doesn't have to worry about it.  What's your point?

I wrote:

The BunsenLabs developers strongly recommend sticking with the default kernel.



#16 2018-05-27 14:45:21

sleekmason
Member
Registered: 2018-05-22
Posts: 142

Re: How To - Kernel Compile With Custom Options

My comments are actually aimed at the wider "studio" audience ;)

Then should be corrected for the current truth, not some imagined future.  Warnings in the guide are clear, as is my statement of no issues.  Creating issues that don't exist currently does nobody any good.
Thank you for all of your concerns and comments. The issues you brought up are valid and should be addressed.

#17 2018-05-27 14:45:25

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: How To - Kernel Compile With Custom Options

sleekmason wrote:

I'm not cramming anything down anybody's throat.

No but you have posted a guide which will break the dependency chain in a BunsenLabs Helium system, that's not cool.



#18 2018-05-27 15:07:48

sleekmason
Member
Registered: 2018-05-22
Posts: 142

Re: How To - Kernel Compile With Custom Options

No but you have posted a guide which will break the dependency chain in a BunsenLabs Helium system, that's not cool.

Simply not true.  I have posted a guide that MAY eventually break something, but maybe not.
Right now, Not.

BunsenLabs makes clear that it welcomes ALL users, not just BunsenLabs, and that you may/should do as you wish.

Not cool is dissecting someone's work without acknowledging when they have been mistaken after correction.
Not cool is implicating that my system was/is broken, when clearly it is not.
Not cool is suggesting your own how-to on an unrelated subject as the answer to all of this. ( This doesn't change the fact that the info is useful, and I don't mind sharing it).

I am always willing to correct when I am wrong, and always willing to entertain others' ideas, problems, or complaints.  I believe I have adequately answered all current concerns concerning this issue. If something crops up, it will be addressed.

This how-to in no way interferes with the BunsenLabs distro.  Warnings are in place. People have choices.

Again, thank you for your concerns.

#19 2018-05-27 15:18:17

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: How To - Kernel Compile With Custom Options

sleekmason wrote:

I have posted a guide that MAY eventually break something, but maybe not.

Your system is broken *now* because BunsenLabs Helium should be using the stretch version of libc6.

I will add a note to the top of the thread linking the official Debian documentation on this subject (which does not draw in a non-standard libc6 version) as the preferred method.

EDIT: note added.

Last edited by Head_on_a_Stick (2018-05-27 15:24:17)



#20 2018-05-27 15:29:07

sleekmason
Member
Registered: 2018-05-22
Posts: 142

Re: How To - Kernel Compile With Custom Options

Excellent idea.  If you have a running solution for this, that would be awesome as well. Thank you for going over everything. 

Somebody else running through the guide would be great if anybody currently has the time.
I would hope if people do encounter issues, they let us know here asap.  Thanks again, and thanks for making BunsenLabs an awesome distro. It's the one I keep finding myself booting into:)

#21 2018-05-27 21:41:26

verndog
Member
Registered: 2018-05-22
Posts: 42

Re: How To - Kernel Compile With Custom Options

Head_on_a_Stick wrote:

...

sleekmason wrote:

Newer the kernel, better the security.

^ I would strongly disagree with this assertion: the kernel developers seem hell-bent on adding as many features as possible as quickly as possible and all of these added features have the possibility of adding new vulnerabilities.

The Debian Security Team keeps track of any kernel vulnerabilities and backports the fixes very quickly indeed — with your suggested method the user would have to keep track of vulnerabilities themselves and manually recompile the new version (with all the extra, added, undiscovered vulnerabilities).

...

I was wondering about this issue regarding security. Thanks @Head_on_a_Stick, you have answered a question I was going to ask elsewhere.


#22 2018-05-28 00:28:30

sleekmason
Member
Registered: 2018-05-22
Posts: 142

Re: How To - Kernel Compile With Custom Options

The security patches that Debian uses come from the upstream kernel source. Not from Debian. 
Debian may submit bug reports, etc., but kernel security comes with each new Linux Kernel version posted.  The Debian security team patches are the same security issues that have already been addressed in the upstream kernel.  Not the other way around.

For instance, here is Linus Torvalds discussing how the latest patch addresses the new Spectre issues.
https://lwn.net/Articles/755739/
You can be sure the fix will get to Debian within a day or two, and incorporated into whatever version they are currently working on.

Debian uses the Linux Kernel just like every other distribution, and keeps the same version with just security updates from upstream as they work out kinks and bugs (system calls, and such).

This link has people discussing the merits of Debian vs other distros as far as security. You will see that they generally have no opinion because security is not distro specific, but kernel specific. 
The hype about Debian's security is just that.  They are quick to implement the patches that are submitted upstream.  That's all.
https://www.infoworld.com/article/31188 … urity.html

The latest release IS the most secure.
If you want to know more about security issues affecting the Linux kernel:
https://lwn.net/Alerts/

To find out what's going on with the kernel:
https://lwn.net/Kernel/

As a note:

the kernel developers seem hell-bent on adding as many features as possible as quickly as possible and all of these added features have the possibility of adding new vulnerabilities.

This is certainly true of arm, where kernel developers try to implement as many items as possible.  Arm is much more complex.
Here is a link to a kernel how-to on xda developers I wrote for the gpad.  I also maintained two separate versions for different use.  The steps involved are nuts.
https://forum.xda-developers.com/showth … ?t=2628951

In the kernels linked you will find tons of governors, IO schedulers, and other features that I brought to the gpad, and some I was unable to implement:)

In Linux, this just simply is not the case. Everything comes down from above.  Very few people are trying to release kernel versions for Linux in general, and the ones that do have their own issues to keep on top of.  It's just too hard to incorporate everything at once.

I hope this answers your question a little more thoroughly, and may give a better sense of the security measures in the Linux kernel.   Regards,

#23 2018-05-28 00:39:09

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: How To - Kernel Compile With Custom Options

sleekmason wrote:

The hype about Debian's security is just that.  They are quick to implement the patches that are submitted upstream.  That's all.

I think you are unfairly diminishing the hard work of the Security Team.

And my point remains: if the user is not relying on Debian to provide timely security updates then what is your proposed method for said user to track new vulnerabilities and ensure that their kernel is kept sufficiently up to date?



#24 2018-05-28 00:48:04

DeepDayze
Member
From: In Linux Land
Registered: 2017-05-28
Posts: 541

Re: How To - Kernel Compile With Custom Options

I like your post Sleek but keep in mind that the BL team has based their work on Stable and adding Testing/Sid repos indeed do pose a danger and note that backporting kernels from those other repos can end up requiring dependencies that are not available in Stretch, thus the risk that Testing/Sid packages can then get pulled in thus risking breakage of stable.

If you wanted to, you CAN upgrade Helium to Sid and it has been smooth in my case and you can then use the latest kernels.


Real Men Use Linux


#25 2018-05-28 00:49:22

DeepDayze
Member
From: In Linux Land
Registered: 2017-05-28
Posts: 541

Re: How To - Kernel Compile With Custom Options

A case in point: Kernel 4.17 depends on a newer version of libc6 than what is available in Stretch. To backport it may require patching to make it work with the libc6 in Stretch, unless I am wrong.

Last edited by DeepDayze (2018-05-28 00:50:22)

