Diffstat (limited to '')
-rw-r--r-- | fragments/base/common | 54 | ||||
-rw-r--r-- | fragments/base/crypto | 4 | ||||
-rw-r--r-- | fragments/base/modules | 2 | ||||
-rw-r--r-- | fragments/base/net | 40 | ||||
-rw-r--r-- | fragments/base/security | 14 |
5 files changed, 114 insertions, 0 deletions
diff --git a/fragments/base/common b/fragments/base/common
new file mode 100644
index 0000000..1a26566
--- /dev/null
+++ b/fragments/base/common
@@ -0,0 +1,54 @@
+CONFIG_SMP=y
+
+CONFIG_SYSVIPC=y
+CONFIG_POSIX_MQUEUE=y
+
+CONFIG_NO_HZ_IDLE=y
+CONFIG_HIGH_RES_TIMERS=y
+
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+
+CONFIG_SCHED_AUTOGROUP=y
+
+# We only really care about standard PC systems
+# CONFIG_X86_EXTENDED_PLATFORM is not set
+
+CONFIG_NUMA=y
+
+# The following can be disabled since it is a legacy option,
+# the kernel will use X86_64_ACPI_NUMA instead
+# CONFIG_AMD_NUMA is not set
+
+CONFIG_PARTITION_ADVANCED=y
+
+# The kernel cites 65536 as a "reasonable" value here.
+CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
+
+# We want to support transparent hugepages, though want applications
+# to ask for them specifically with madvise
+CONFIG_TRANSPARENT_HUGEPAGE=y
+CONFIG_TRANSPARENT_HUGEPAGE_MADVISE=y
+
+CONFIG_MD=y
+CONFIG_BLK_DEV_DM=y
+CONFIG_BLK_DEV_LOOP=y
+
+# CONFIG_LEGACY_PTYS is not set
+
+CONFIG_HPET=y
+
+CONFIG_HIDRAW=y
+
+CONFIG_EDAC=y
+CONFIG_EDAC_SBRIDGE=y
+# CONFIG_EDAC_LEGACY_SYSFS is not set
+
+CONFIG_RTC_CLASS=y
+
+# CONFIG_UNUSED_SYMBOLS is not set
+
+# https://lwn.net/Articles/681763/
+CONFIG_BLK_WBT=y
+CONFIG_BLK_WBT_SQ=y
+CONFIG_BLK_WBT_MQ=y
diff --git a/fragments/base/crypto b/fragments/base/crypto
new file mode 100644
index 0000000..0f63cdd
--- /dev/null
+++ b/fragments/base/crypto
@@ -0,0 +1,4 @@
+CONFIG_DM_CRYPT=y
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
diff --git a/fragments/base/modules b/fragments/base/modules
new file mode 100644
index 0000000..a3f5b21
--- /dev/null
+++ b/fragments/base/modules
@@ -0,0 +1,2 @@
+CONFIG_MODULES=y
+CONFIG_MODULE_UNLOAD=y
diff --git a/fragments/base/net b/fragments/base/net
new file mode 100644
index 0000000..b0aefe2
--- /dev/null
+++ b/fragments/base/net
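Review bot: The comment above `CONFIG_DEFAULT_MMAP_MIN_ADDR=65536` in fragments/base/common records where the number came from but not what the option protects. I would extend it to something like `# Refuse userspace mappings below 64 KiB so a kernel NULL-pointer dereference cannot land on user-controlled memory`. The option is only the default for the `vm.mmap_min_addr` sysctl, so the image should also make sure nothing lowers it at runtime.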
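Review bot: `CONFIG_CRYPTO_AES_X86_64=y` is the only cipher implementation fragments/base/crypto enables next to `CONFIG_DM_CRYPT=y`, and as far as I know that is the table-based assembler AES, which is slower and more exposed to cache-timing leakage than the AES-NI driver. Unless a fragment outside this commit already does so, I would add `CONFIG_CRYPTO_AES_NI_INTEL=y` and `CONFIG_CRYPTO_XTS=y`, since XTS is the mode dm-crypt volumes commonly use. A one-line comment naming the disk-encryption setup this fragment is meant to support would make the selection reviewable.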
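Review bot: fragments/base/modules turns on `CONFIG_MODULES=y` and `CONFIG_MODULE_UNLOAD=y` with no signature enforcement visible in this commit, so a process that gains root can load arbitrary kernel code regardless of the hardening in fragments/base/security. If no other fragment covers it, consider `CONFIG_MODULE_SIG=y` together with `CONFIG_MODULE_SIG_FORCE=y`, or add a comment stating why unsigned modules are acceptable for this image.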
@@ -0,0 +1,40 @@
+CONFIG_NET=y
+
+# "Foo over UDP" is needed for any application that wants to tunnel
+# traffic over UDP, like wireguard et al
+CONFIG_NET_FOU=y
+
+CONFIG_RFKILL=y
+
+CONFIG_NETDEVICES=y
+CONFIG_TUN=m
+CONFIG_VETH=m
+
+CONFIG_VLAN_8021Q=y
+CONFIG_BRIDGE=y
+
+CONFIG_PACKET=y
+CONFIG_PACKET_DIAG=y
+CONFIG_NETLINK_DIAG=y
+CONFIG_UNIX=y
+CONFIG_UNIX_DIAG=y
+CONFIG_INET=y
+CONFIG_XFRM_USER=y
+CONFIG_IP_ADVANCED_ROUTER=y
+CONFIG_IP_MULTIPLE_TABLES=y
+CONFIG_IP_ROUTE_VERBOSE=y
+CONFIG_SYN_COOKIES=y
+CONFIG_INET_UDP_DIAG=y
+CONFIG_INET_RAW_DIAG=y
+
+# The following options enable support for IPsec and are enabled by default.
+# We think wireguard is the superior solution, and hence disable them.
+# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
+# CONFIG_INET_XFRM_MODE_TUNNEL is not set
+# CONFIG_INET_XFRM_MODE_BEET is not set
+# CONFIG_INET6_XFRM_MODE_TRANSPORT is not set
+# CONFIG_INET6_XFRM_MODE_TUNNEL is not set
+# CONFIG_INET6_XFRM_MODE_BEET is not set
+
+# We do not need IPv6-in-IPv4
+# CONFIG_IPV6_SIT is not set
diff --git a/fragments/base/security b/fragments/base/security
new file mode 100644
index 0000000..5d8b95c
--- /dev/null
+++ b/fragments/base/security
@@ -0,0 +1,14 @@
+CONFIG_REFCOUNT_FULL=y
+CONFIG_GCC_PLUGINS=y
+CONFIG_GCC_PLUGIN_STRUCTLEAK=y
+CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
+
+# CONFIG_COMPAT_BRK is not set
+# CONFIG_SLAB_MERGE_DEFAULT is not set
+CONFIG_SLAB_FREELIST_RANDOM=y
+CONFIG_SLAB_FREELIST_HARDENED=y
+
+CONFIG_HARDENED_USERCOPY=y
+CONFIG_FORTIFY_SOURCE=y
+
+CONFIG_IO_STRICT_DEVMEM=y |
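Review bot: `CONFIG_XFRM_USER=y` in fragments/base/net stays enabled even though the comment further down says IPsec is deliberately unsupported and all six `CONFIG_INET*_XFRM_MODE_*` options are switched off. That leaves the xfrm netlink configuration interface built in with no transform modes behind it, which is kernel surface the image does not appear to need. I would either change the line to `# CONFIG_XFRM_USER is not set` or add a comment naming the consumer that still requires it.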
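Review bot: Several lines in fragments/base/security only take effect when their dependencies are met, and a fragment merge can drop them without failing the build: the `CONFIG_GCC_PLUGIN_STRUCTLEAK*` options need a plugin-capable host compiler, and `CONFIG_IO_STRICT_DEVMEM=y` needs `CONFIG_STRICT_DEVMEM`. I would add `CONFIG_STRICT_DEVMEM=y` explicitly and have the build compare the final `.config` against this fragment, so that a silently lost hardening option is caught. How the fragments are merged is not visible in this commit, so this may already be handled elsewhere.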