87bf0aaba8
FIRECRACKER is not a legacy config, so remove the really old FreeBSD versions from it. MINIMAL has a similar history and a limited target audience which has little to no overlap with really old binaries. For either of these, additional binary compatibility is easy to add with the include directive, so this balances things better. Leave GENERIC alone. PR: 231768 Signed-off-by: Henrich Hartzer <henrichhartzer@tuta.io> Reviewed by: imp (MINIMAL), cperciva (FIRECRACKER) Pull Request: https://github.com/freebsd/freebsd-src/pull/1228
#
# FIRECRACKER -- kernel configuration file for Firecracker VM
#
# This is largely a stripped-down version of the GENERIC kernel configuration
# file, without drivers for hardware which will never appear inside the
# Firecracker VM environment. It adds support for the Virtio MMIO bus,
# which Firecracker uses for exposing devices, and legacy mptable, which
# Firecracker uses for exposing information about CPUs (since it doesn't
# support ACPI).
#
# Since Firecracker loads the kernel directly via the PVH boot protocol,
# it bypasses the boot loader; some environment variables are hard-coded
# here which would normally be provided via device hints or loader.conf.
#
# For more information about the Firecracker VM, see:
#
# https://firecracker-microvm.github.io/
cpu HAMMER
ident FIRECRACKER
makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
makeoptions WITH_CTF=1 # Run ctfconvert(1) for DTrace support
options SCHED_ULE # ULE scheduler
options NUMA # Non-Uniform Memory Architecture support
options PREEMPTION # Enable kernel thread preemption
options VIMAGE # Subsystem virtualization, e.g. VNET
options INET # InterNETworking
options INET6 # IPv6 communications protocols
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
options ROUTE_MPATH # Multipath routing support
options FIB_ALGO # Modular fib lookups
options TCP_OFFLOAD # TCP offload
options TCP_BLACKBOX # Enhanced TCP event logging
options TCP_HHOOK # hhook(9) framework for TCP
options TCP_RFC7413 # TCP Fast Open
options SCTP_SUPPORT # Allow kldload of SCTP
options KERN_TLS # TLS transmit & receive offload
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options UFS_GJOURNAL # Enable gjournal-based UFS journaling
options QUOTA # Enable disk quotas for UFS
options MD_ROOT # MD is a potential root device
options NFSCL # Network Filesystem Client
options NFSD # Network Filesystem Server
options NFSLOCKD # Network Lock Manager
options NFS_ROOT # NFS usable as /, requires NFSCL
options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options TMPFS # Efficient memory filesystem
options GEOM_RAID # Soft RAID functionality.
options GEOM_LABEL # Provides labelization
options EFIRT # EFI Runtime Services support
options COMPAT_FREEBSD32 # Compatible with i386 binaries
options COMPAT_FREEBSD10 # Compatible with FreeBSD10
options COMPAT_FREEBSD11 # Compatible with FreeBSD11
options COMPAT_FREEBSD12 # Compatible with FreeBSD12
options COMPAT_FREEBSD13 # Compatible with FreeBSD13
options COMPAT_FREEBSD14 # Compatible with FreeBSD14
options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
options KTRACE # ktrace(1) support
options STACK # stack(9) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options PRINTF_BUFR_SIZE=128 # Prevent printf output being interspersed.
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4)
options AUDIT # Security event auditing
options CAPABILITY_MODE # Capsicum capability mode
options CAPABILITIES # Capsicum capabilities
options MAC # TrustedBSD MAC Framework
options KDTRACE_FRAME # Ensure frames are compiled in
options KDTRACE_HOOKS # Kernel DTrace hooks
options DDB_CTF # Kernel ELF linker loads CTF data
options INCLUDE_CONFIG_FILE # Include this file in kernel
options RACCT # Resource accounting framework
options RACCT_DEFAULT_TO_DISABLED # Set kern.racct.enable=0 by default
options RCTL # Resource limits
# Debugging support. Always need this:
options KDB # Enable kernel debugger support.
options KDB_TRACE # Print a stack trace for a panic.
# For full debugger support use the following (turn off in stable branch):
options BUF_TRACKING # Track buffer history
options DDB # Support DDB.
options FULL_BUF_TRACKING # Track more buffer history
options GDB # Support remote GDB.
options DEADLKRES # Enable the deadlock resolver
options INVARIANTS # Enable calls of extra sanity checking
options INVARIANT_SUPPORT # Extra sanity checks of internal structures, required by INVARIANTS
options QUEUE_MACRO_DEBUG_TRASH # Trash queue(2) internal pointers on invalidation
options WITNESS # Enable checks to detect deadlocks and cycles
options WITNESS_SKIPSPIN # Don't run witness on spinlocks for speed
options MALLOC_DEBUG_MAXZONES=8 # Separate malloc(9) zones
options VERBOSE_SYSINIT=0 # Support debug.verbose_sysinit, off by default
# Kernel dump features.
options EKCD # Support for encrypted kernel dumps
options GZIO # gzip-compressed kernel and user dumps
options ZSTDIO # zstd-compressed kernel and user dumps
options DEBUGNET # debugnet networking
options NETDUMP # netdump(4) client support
options NETGDB # netgdb(4) client support
# Make an SMP-capable kernel by default
options SMP # Symmetric MultiProcessor Kernel
# Pseudo devices.
device crypto # core crypto support
device aesni # AES-NI OpenCrypto module
device loop # Network loopback
device rdrand_rng # Intel Bull Mountain RNG
device ether # Ethernet support
device vlan # 802.1Q VLAN support
device tuntap # Packet tunnel.
device md # Memory "disks"
device gif # IPv6 and IPv4 tunneling
device firmware # firmware assist module
device xz # lzma decompression
device bpf # Berkeley packet filter
# Serial (COM) ports
device uart # Generic UART driver
# VirtIO support
device virtio # Generic VirtIO bus (required)
device virtio_mmio # VirtIO MMIO bus
device vtnet # VirtIO Ethernet device
device virtio_blk # VirtIO Block device
# Linux KVM paravirtualization support
device kvm_clock # KVM paravirtual clock driver
# Netmap provides direct access to TX/RX rings on supported NICs
device netmap # netmap(4) support
# Firecracker exposes information via the legacy MP Table mechanism
# rather than via ACPI (which it does not implement).
device mptable
# Firecracker launches the FreeBSD kernel directly, via the PVH boot
# protocol, rather than via the boot loader; as such, we need to bake
# device hints into the kernel configuration rather than relying on
# device.hints being loaded, and likewise have no loader.conf to place
# other settings into.
envvar hint.uart.0.at="isa"
envvar hint.uart.0.port="0x3F8"
envvar hint.uart.0.flags="0x10"
envvar hint.uart.0.irq="0x4"
envvar hint.acpi.0.disabled="1"
# Inside a VM, "power off" doesn't really yank the AC power, so there's
# no need to worry about disks flushing caches before losing power.
envvar kern.shutdown.poweroff_delay="0"
# Firecracker seems to have a bug in its UART emulation. This works
# around the problem.
envvar hw.broken_txfifo="1"
# We don't have an early timecounter to calibrate the TSC against, so
# skip that; later in the boot process we have other timecounters.
envvar machdep.disable_tsc_calibration="1"
# Provide bug-for-bug compatibility with Linux in MP Table searching
# and parsing. Firecracker relies on these bugs.
options MPTABLE_LINUX_BUG_COMPAT
# Disable the automatic registration of a PCI bridge; we do in fact
# not have one.
options NO_LEGACY_PCIB
# Bus support.
# Note that Firecracker provides neither ACPI nor PCI; but removing these
# devices currently (2022-07-09) prevents the kernel from building.
device acpi
device pci
# Xen HVM Guest Optimizations
# NOTE: XENHVM depends on xenpci and xentimer.
# They must be added or removed together.
# NOTE: These are present in FIRECRACKER because the PVH boot method
# originates from Xen; once that code is untangled these can be removed.
options XENHVM # Xen HVM kernel infrastructure
device xenpci # Xen HVM Hypervisor services driver
device xentimer # Xen x86 PV timer device
# EFI devices
device efidev # EFI pseudo-device
device efirtc # EFI RTC