<html devsite>
<head>
<title>Kernel Configuration</title>
<meta name="project_path" value="/_project.yaml" />
<meta name="book_path" value="/_book.yaml" />
</head>
<body>
<!--
Copyright 2017 The Android Open Source Project

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->

<p>Use the following configuration settings as a base for an Android kernel
configuration. Settings are organized into <code>android-base</code> and
<code>android-recommended</code> .cfg files:</p>

<ul>
<li><code>android-base</code>. These options enable core Android features and
should be enabled by all devices.</li>

<li><code>android-recommended</code>. These options enable advanced Android
features and are optional for devices.</li>
</ul>

<p>Both the android-base.cfg and android-recommended.cfg files are located in
the android-common kernel repo at
<a href="https://android.googlesource.com/kernel/common/">https://android.googlesource.com/kernel/common/</a>.</p>
<p>In version 4.8 of the upstream Linux kernel, a new location (kernel/configs)
was designated for kernel configuration fragments. The android base and
recommended config fragments are located in that directory for branches based on
4.8 or later.
For kernel branches based on releases prior to 4.8, the config
fragments are located in the android/ directory.</p>

<p>For details on controls already undertaken to strengthen the kernel on your
devices, see <a href="/security/overview/kernel-security.html">System
and Kernel Security</a>. For details on required settings, see the
<a href="/compatibility/cdd.html">Android Compatibility Definition
Document (CDD)</a>.</p>

<h2 id="generating">Generating kernel config</h2>
<p>For devices that have a minimalist defconfig, you can use the following to
enable options:</p>

<pre class="devsite-click-to-copy">
ARCH=<em>arch</em> scripts/kconfig/merge_config.sh <em>path</em>/<em>device</em>_defconfig android/configs/android-base.cfg android/configs/android-recommended.cfg
</pre>

<p>This generates a .config file you can use to save a new defconfig or
compile a new kernel with Android features enabled.</p>

<h2 id="usb">Enabling USB host mode options</h2>

<p>For USB host mode audio, enable the following options:</p>
<pre class="devsite-click-to-copy">
CONFIG_SND_USB=y
CONFIG_SND_USB_AUDIO=y
# CONFIG_USB_AUDIO is for a peripheral mode (gadget) driver
</pre>

<p>For USB host mode MIDI, enable the following option:</p>
<pre class="devsite-click-to-copy">
CONFIG_SND_USB_MIDI=y
</pre>

<h2 id="Seccomp-BPF-TSYNC">Seccomp-BPF with TSYNC</h2>
<p>Seccomp-BPF is a kernel security technology that enables the creation of
sandboxes to restrict the system calls a process is allowed to make. The TSYNC
feature enables the use of Seccomp-BPF from multithreaded programs.
This ability
is limited to architectures that have seccomp support upstream: ARM, ARM64, x86,
and x86_64.</p>

<h3 id="backport-ARM-32">Backporting for Kernel 3.10 for ARM-32, X86, X86_64</h3>

<p>Ensure that <code>CONFIG_SECCOMP_FILTER=y</code> is enabled in the Kconfig
(verified as of the Android 5.0 CTS), then cherry-pick the following changes
from the AOSP kernel/common:android-3.10 repository: <a href="https://android.googlesource.com/kernel/common/+log/9499cd23f9d05ba159fac6d55dc35a7f49f9ce76..a9ba4285aa5722a3b4d84888e78ba8adc0046b28">9499cd23f9d05ba159fac6d55dc35a7f49f9ce76..a9ba4285aa5722a3b4d84888e78ba8adc0046b28</a>
</p>

<ul>
<li><a href="https://android.googlesource.com/kernel/common/+/a03a2426ea9f1d9dada33cf4a824f63e8f916c9d">a03a242
arch: Introduce smp_load_acquire(), smp_store_release()</a> by Peter
Zijlstra</li>
<li><a href="https://android.googlesource.com/kernel/common/+/987a0f1102321853565c4bfecde6a5a58ac6db11">987a0f1
introduce for_each_thread() to replace the buggy while_each_thread()</a> by
Oleg Nesterov</li>
<li><a href="https://android.googlesource.com/kernel/common/+/2a30a4386e4a7e1283157c4cf4cfcc0306b22ac8">2a30a43
seccomp: create internal mode-setting function</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/b8a9cff6dbe9cfddbb4d17e2dea496e523544687">b8a9cff
seccomp: extract check/assign mode helpers</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/8908dde5a7fdca974374b0dbe6dfb10f69df7216">8908dde
seccomp: split mode setting routines</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/e985fd474debedb269fba27006eda50d0b6f07ef">e985fd4
seccomp: add "seccomp" syscall</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/9d0ff694bc22fb458acb763811a677696c60725b">9d0ff69
sched: move no_new_privs into new
atomic flags</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/b6a12bf4dd762236c7f637b19cfe10a268304b9b">b6a12bf
seccomp: split filter prep from check and apply</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/61b6b882a0abfeb627d25a069cfa1d232b84c8eb">61b6b88
seccomp: introduce writer locking</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/c852ef778224ecf5fe995d74ad96087038778bca">c852ef7
seccomp: allow mode setting across threads</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/f14a5db2398afed8f416d244e6da6b23940997c6">f14a5db
seccomp: implement SECCOMP_FILTER_FLAG_TSYNC</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/9ac860041db860a59bfd6ac82b31d6b6f76ebb52">9ac8600
seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock</a> by Guenter
Roeck</li>
<li><a href="https://android.googlesource.com/kernel/common/+/900e9fd0d5d15c596cacfb89ce007c933cea6e1c">900e9fd
seccomp: fix syscall numbers for x86 and x86_64</a> by Lee Campbell</li>
<li><a href="https://android.googlesource.com/kernel/common/+/a9ba4285aa5722a3b4d84888e78ba8adc0046b28">a9ba428
ARM: add seccomp syscall</a> by Kees Cook</li>
</ul>

<h3 id="backport-ARM-64">Backporting for Kernel 3.10 for ARM-64</h3>
<p>Ensure <code>CONFIG_SECCOMP_FILTER=y</code> is enabled in the Kconfig
(verified as of the Android 5.0 CTS), then cherry-pick the following changes
from the AOSP kernel/common:android-3.10 repository:</p>
<ul>
<li><a href="https://android.googlesource.com/kernel/common/+/cfc7e99e9e3900056028a7d90072e9ea0d886f8d">cfc7e99e9
arm64: Add __NR_* definitions for compat syscalls</a> by JP Abgrall</li>
<li><a href="https://android.googlesource.com/kernel/common/+/bf11863d45eb3dac0d0cf1f818ded11ade6e28d3">bf11863
arm64: Add audit
support</a> by AKASHI Takahiro</li>
<li><a href="https://android.googlesource.com/kernel/common/+/3e21c0bb663a23436e0eb3f61860d4fedc233bab">3e21c0b
arm64: audit: Add audit hook in syscall_trace_enter/exit()</a> by JP Abgrall</li>
<li><a href="https://android.googlesource.com/kernel/common/+/9499cd23f9d05ba159fac6d55dc35a7f49f9ce76">9499cd2
syscall_get_arch: remove useless function arguments</a> by Eric Paris</li>
<li><a href="https://android.googlesource.com/kernel/common/+/2a30a4386e4a7e1283157c4cf4cfcc0306b22ac8">2a30a43
seccomp: create internal mode-setting function</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/b8a9cff6dbe9cfddbb4d17e2dea496e523544687">b8a9cff
seccomp: extract check/assign mode helpers</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/8908dde5a7fdca974374b0dbe6dfb10f69df7216">8908dde
seccomp: split mode setting routines</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/e985fd474debedb269fba27006eda50d0b6f07ef">e985fd4
seccomp: add "seccomp" syscall</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/9d0ff694bc22fb458acb763811a677696c60725b">9d0ff69
sched: move no_new_privs into new atomic flags</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/b6a12bf4dd762236c7f637b19cfe10a268304b9b">b6a12bf
seccomp: split filter prep from check and apply</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/61b6b882a0abfeb627d25a069cfa1d232b84c8eb">61b6b88
seccomp: introduce writer locking</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/c852ef778224ecf5fe995d74ad96087038778bca">c852ef7
seccomp: allow mode setting across threads</a> by Kees Cook</li>
<li><a
href="https://android.googlesource.com/kernel/common/+/f14a5db2398afed8f416d244e6da6b23940997c6">f14a5db
seccomp: implement SECCOMP_FILTER_FLAG_TSYNC</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/9ac860041db860a59bfd6ac82b31d6b6f76ebb52">9ac8600
seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock</a> by Guenter
Roeck</li>
<li><a href="https://android.googlesource.com/kernel/common/+/900e9fd0d5d15c596cacfb89ce007c933cea6e1c">900e9fd
seccomp: fix syscall numbers for x86 and x86_64</a> by Lee Campbell</li>
<li><a href="https://android.googlesource.com/kernel/common/+/a9ba4285aa5722a3b4d84888e78ba8adc0046b28">a9ba428
ARM: add seccomp syscall</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/41900903483eb96602dd72e719a798c208118aad">4190090
ARM: 8087/1: ptrace: reload syscall number after secure_computing() check</a> by
Will Deacon</li>
<li><a href="https://android.googlesource.com/kernel/common/+/abbfed9ed1a78701ef3db74f5287958feb897035">abbfed9
arm64: ptrace: add PTRACE_SET_SYSCALL</a> by AKASHI Takahiro</li>
<li><a href="https://android.googlesource.com/kernel/common/+/feb28436457d33fef9f264635291432df4b74122">feb2843
arm64: ptrace: allow tracer to skip a system call</a> by AKASHI Takahiro</li>
<li><a href="https://android.googlesource.com/kernel/common/+/dab10731da65a0deba46402ca9fadf6974676cc8">dab1073
asm-generic: add generic seccomp.h for secure computing mode 1</a> by AKASHI
Takahiro</li>
<li><a href="https://android.googlesource.com/kernel/common/+/4f12b53f28a751406a27ef7501a22f9e32a9c30b">4f12b53
add seccomp syscall for compat task</a> by AKASHI Takahiro</li>
<li><a href="https://android.googlesource.com/kernel/common/+/77227239d20ac6381fb1aee7b7cc902f0d14cd85">7722723
arm64: add SIGSYS siginfo for compat task</a> by AKASHI Takahiro</li>
<li><a
href="https://android.googlesource.com/kernel/common/+/210957c2bb3b4d111963bb296e2c42beb8721929">210957c
arm64: add seccomp support</a> by AKASHI Takahiro</li>
</ul>

</body>
</html>
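Kconfig can drop an option that a fragment requests when the option's dependencies are not met, so a merged .config may lack CONFIG_SECCOMP_FILTER or a USB option even though the fragment lists it. The check below is an added example, not part of the original page or of the AOSP tooling; the function names and the sample fragment and .config contents are constructed for illustration.

```shell
# Added example: report fragment options missing from the final .config.
# config_value FILE SYMBOL: print the symbol's value, "n" if unset or absent.
config_value() {
    awk -v sym="$2" '
        index($0, sym "=") == 1      { val = substr($0, length(sym) + 2); seen = 1 }
        $0 == "# " sym " is not set" { val = "n"; seen = 1 }
        END { print (seen ? val : "n") }
    ' "$1"
}

# missing_options CONFIG FRAGMENT...: one line per option whose value differs.
missing_options() {
    cfg=$1; shift
    for frag in "$@"; do
        # Only "CONFIG_X=value" and "# CONFIG_X is not set" are requests;
        # free-form comments that mention an option are ignored.
        sed -n -e 's/^\(CONFIG_[A-Za-z0-9_]*\)=\(.*\)$/\1 \2/p' \
               -e 's/^# \(CONFIG_[A-Za-z0-9_]*\) is not set$/\1 n/p' "$frag" |
        while read -r sym want; do
            have=$(config_value "$cfg" "$sym")
            [ "$have" = "$want" ] || echo "$sym want=$want have=$have"
        done
    done
}

# verify_config CONFIG FRAGMENT...: return 1 (report on stderr) on any mismatch.
verify_config() {
    report=$(missing_options "$@")
    [ -z "$report" ] || { printf '%s\n' "$report" >&2; return 1; }
}

# Constructed sample data: option names come from this page, file contents do not.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/fragment.cfg" <<'EOF'
CONFIG_SECCOMP_FILTER=y
CONFIG_SND_USB=y
CONFIG_SND_USB_AUDIO=y
# CONFIG_USB_AUDIO is for a peripheral mode (gadget) driver
CONFIG_SND_USB_MIDI=y
EOF
    cat > "$dir/.config" <<'EOF'
CONFIG_SECCOMP=y
# CONFIG_SECCOMP_FILTER is not set
CONFIG_SND_USB=y
CONFIG_SND_USB_AUDIO=y
EOF
    missing_options "$dir/.config" "$dir/fragment.cfg"
    rm -rf "$dir"
}
demo
```

After running merge_config.sh, call `verify_config .config android/configs/android-base.cfg` in the build script and fail the build on a non-zero status.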