Diffstat (limited to 'fragments/base')
-rw-r--r--fragments/base/common54
-rw-r--r--fragments/base/crypto4
-rw-r--r--fragments/base/modules2
-rw-r--r--fragments/base/net40
-rw-r--r--fragments/base/security14
5 files changed, 114 insertions, 0 deletions
diff --git a/fragments/base/common b/fragments/base/common
new file mode 100644
index 0000000..1a26566
--- /dev/null
+++ b/fragments/base/common
@@ -0,0 +1,54 @@
+CONFIG_SMP=y
+
+CONFIG_SYSVIPC=y
+CONFIG_POSIX_MQUEUE=y
+
+CONFIG_NO_HZ_IDLE=y
+CONFIG_HIGH_RES_TIMERS=y
+
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+
+CONFIG_SCHED_AUTOGROUP=y
+
+# We only really care about standard PC systems
+# CONFIG_X86_EXTENDED_PLATFORM is not set
+
+CONFIG_NUMA=y
+
+# The following can be disabled since it is a legacy option,
+# the kernel will use X86_64_ACPI_NUMA instead
+# CONFIG_AMD_NUMA is not set
+
+CONFIG_PARTITION_ADVANCED=y
+
+# The kernel cites 65536 as a "reasonable" value here.
+CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
+
+# We want to support transparent hugepages, though want applications
+# to ask for them specifically with madvise
+CONFIG_TRANSPARENT_HUGEPAGE=y
+CONFIG_TRANSPARENT_HUGEPAGE_MADVISE=y
+
+CONFIG_MD=y
+CONFIG_BLK_DEV_DM=y
+CONFIG_BLK_DEV_LOOP=y
+
+# CONFIG_LEGACY_PTYS is not set
+
+CONFIG_HPET=y
+
+CONFIG_HIDRAW=y
+
+CONFIG_EDAC=y
+CONFIG_EDAC_SBRIDGE=y
+# CONFIG_EDAC_LEGACY_SYSFS is not set
+
+CONFIG_RTC_CLASS=y
+
+# CONFIG_UNUSED_SYMBOLS is not set
+
+# https://lwn.net/Articles/681763/
+CONFIG_BLK_WBT=y
+CONFIG_BLK_WBT_SQ=y
+CONFIG_BLK_WBT_MQ=y
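Review bot: The comment above `CONFIG_DEFAULT_MMAP_MIN_ADDR=65536` repeats the Kconfig help text but does not say what the setting protects or that it is only a default. The value is the lowest address userspace may map, which keeps page zero unmappable so a kernel NULL-pointer dereference cannot land on attacker-controlled memory. It only seeds the `vm.mmap_min_addr` sysctl, which can still be lowered at runtime. I would replace the comment with `# Lowest mmap address for userspace; keeps low memory unmappable (NULL-deref mitigation).` followed by `# Boot-time default only: vm.mmap_min_addr can override it, so pin the sysctl as well.`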
diff --git a/fragments/base/crypto b/fragments/base/crypto
new file mode 100644
index 0000000..0f63cdd
--- /dev/null
+++ b/fragments/base/crypto
@@ -0,0 +1,4 @@
+CONFIG_DM_CRYPT=y
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
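Review bot: `CONFIG_CRYPTO_USER_API_HASH=y` and `CONFIG_CRYPTO_USER_API_SKCIPHER=y` expose the kernel crypto API to userspace through AF_ALG sockets, which any unprivileged process can open, and the fragment gives no reason for enabling them. Unlike `common` and `net`, this file has no comments at all, so a later reader cannot tell whether the interface is a requirement or a leftover. Presumably it is there for the disk-encryption tooling that goes with `CONFIG_DM_CRYPT`, but that should be confirmed and written down, e.g. `# AF_ALG hash/skcipher sockets; required by <consumer>, drop if unused`. If nothing needs it, leaving both unset removes a syscall-reachable parser from the attack surface.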
diff --git a/fragments/base/modules b/fragments/base/modules
new file mode 100644
index 0000000..a3f5b21
--- /dev/null
+++ b/fragments/base/modules
@@ -0,0 +1,2 @@
+CONFIG_MODULES=y
+CONFIG_MODULE_UNLOAD=y
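Review bot: `CONFIG_MODULES=y` is enabled with no module-signature settings, while `fragments/base/security` in the same commit hardens the rest of the kernel. Without signature enforcement, any process that reaches root can load arbitrary code into the kernel, which bypasses the usercopy, slab and /dev/mem restrictions set there. The diffstat is limited to `fragments/base`, so another fragment may already cover this. If none does, add `CONFIG_MODULE_SIG=y`, `CONFIG_MODULE_SIG_FORCE=y` and `CONFIG_MODULE_SIG_SHA256=y`, or add a comment stating why unsigned modules are accepted.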
diff --git a/fragments/base/net b/fragments/base/net
new file mode 100644
index 0000000..b0aefe2
--- /dev/null
+++ b/fragments/base/net
@@ -0,0 +1,40 @@
+CONFIG_NET=y
+
+# "Foo over UDP" is needed for any application that wants to tunnel
+# traffic over UDP, like wireguard et al
+CONFIG_NET_FOU=y
+
+CONFIG_RFKILL=y
+
+CONFIG_NETDEVICES=y
+CONFIG_TUN=m
+CONFIG_VETH=m
+
+CONFIG_VLAN_8021Q=y
+CONFIG_BRIDGE=y
+
+CONFIG_PACKET=y
+CONFIG_PACKET_DIAG=y
+CONFIG_NETLINK_DIAG=y
+CONFIG_UNIX=y
+CONFIG_UNIX_DIAG=y
+CONFIG_INET=y
+CONFIG_XFRM_USER=y
+CONFIG_IP_ADVANCED_ROUTER=y
+CONFIG_IP_MULTIPLE_TABLES=y
+CONFIG_IP_ROUTE_VERBOSE=y
+CONFIG_SYN_COOKIES=y
+CONFIG_INET_UDP_DIAG=y
+CONFIG_INET_RAW_DIAG=y
+
+# The following options enable support for IPsec and are enabled by default.
+# We think wireguard is the superior solution, and hence disable them.
+# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
+# CONFIG_INET_XFRM_MODE_TUNNEL is not set
+# CONFIG_INET_XFRM_MODE_BEET is not set
+# CONFIG_INET6_XFRM_MODE_TRANSPORT is not set
+# CONFIG_INET6_XFRM_MODE_TUNNEL is not set
+# CONFIG_INET6_XFRM_MODE_BEET is not set
+
+# We do not need IPv6-in-IPv4
+# CONFIG_IPV6_SIT is not set
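Review bot: `CONFIG_XFRM_USER=y` stays enabled even though the comment further down says IPsec is deliberately disabled in favour of wireguard. XFRM_USER is the netlink interface used to configure IPsec state and policy, so with every `INET_XFRM_MODE_*` option unset it appears to serve no purpose here while still leaving a configuration parser reachable from userspace. Either change the line to `# CONFIG_XFRM_USER is not set` or add a comment naming what still depends on it. Separately, the "Foo over UDP" comment cites wireguard as a consumer of `CONFIG_NET_FOU`, which is worth double-checking, since wireguard's UDP transport does not go through FOU as far as I know.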
diff --git a/fragments/base/security b/fragments/base/security
new file mode 100644
index 0000000..5d8b95c
--- /dev/null
+++ b/fragments/base/security
@@ -0,0 +1,14 @@
+CONFIG_REFCOUNT_FULL=y
+CONFIG_GCC_PLUGINS=y
+CONFIG_GCC_PLUGIN_STRUCTLEAK=y
+CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
+
+# CONFIG_COMPAT_BRK is not set
+# CONFIG_SLAB_MERGE_DEFAULT is not set
+CONFIG_SLAB_FREELIST_RANDOM=y
+CONFIG_SLAB_FREELIST_HARDENED=y
+
+CONFIG_HARDENED_USERCOPY=y
+CONFIG_FORTIFY_SOURCE=y
+
+CONFIG_IO_STRICT_DEVMEM=y
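Review bot: `CONFIG_IO_STRICT_DEVMEM=y` on the last line only takes effect when `CONFIG_STRICT_DEVMEM` is also enabled, and this fragment relies on the architecture default for that. Kconfig drops a symbol with an unmet dependency without failing the build, so a base config that turns STRICT_DEVMEM off would lose this hardening silently. Add `CONFIG_STRICT_DEVMEM=y` directly above it. It would also help to verify after merging that every symbol in this file is present in the final `.config`, because `CONFIG_REFCOUNT_FULL` and the `CONFIG_GCC_PLUGIN_*` entries depend on the kernel version and on a plugin-capable toolchain. A one-line comment per group saying what each option mitigates would bring this file in line with `common` and `net`.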