Commit 48ba2462ace6072741fd8d0058207d630ce93bf1

Authored by David Howells
Committed by Rusty Russell
1 parent 631cc66eb9

MODSIGN: Implement module signature checking

Check the signature on the module against the keys compiled into the kernel or
available in a hardware key store.

Currently, only RSA keys are supported - though that's easy enough to change,
and the signature is expected to contain raw components (so not a PGP or
PKCS#7 formatted blob).

The signature blob is expected to consist of the following pieces in order:

 (1) The binary identifier for the key.  This is expected to match the
     SubjectKeyIdentifier from an X.509 certificate.  Only X.509 type
     identifiers are currently supported.

 (2) The signature data, consisting of a series of MPIs in which each is in
     the format of a 2-byte BE word size followed by the content data.

 (3) A 12 byte information block of the form:

	struct module_signature {
		enum pkey_algo		algo : 8;
		enum pkey_hash_algo	hash : 8;
		enum pkey_id_type	id_type : 8;
		u8			__pad;
		__be32			id_length;
		__be32			sig_length;
	};

     The three enums are defined in crypto/public_key.h.

     'algo' contains the public-key algorithm identifier (0->DSA, 1->RSA).

     'hash' contains the digest algorithm identifier (0->MD4, 1->MD5, 2->SHA1,
      etc.).

     'id_type' contains the public-key identifier type (0->PGP, 1->X.509).

     '__pad' should be 0.

     'id_length' should contain the binary identifier length in BE form.

     'sig_length' should contain the signature data length in BE form.

     The lengths are in BE order rather than CPU order to make dealing with
     cross-compilation easier.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> (minor Kconfig fix)
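
The blob layout described in the commit message above, as a bounds-checked user-space parser. This is an added example, not code from this commit: `parse_sig_blob`, `struct parsed_sig` and the sample bytes are hypothetical, and it assumes the buffer ends with the 12-byte information block and that each MPI's 2-byte size is a byte count.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Enum values quoted in the commit message. */
enum { ALGO_DSA = 0, ALGO_RSA = 1 };
enum { ID_TYPE_PGP = 0, ID_TYPE_X509 = 1 };

#define INFO_LEN 12u	/* algo, hash, id_type, __pad, id_length, sig_length */

struct parsed_sig {		/* hypothetical result type for this example */
	uint8_t algo, hash, id_type;
	size_t payload_len;	/* bytes in front of the blob (the signed data) */
	const uint8_t *key_id;
	size_t id_len;
	const uint8_t *sig;
	size_t sig_len;
	unsigned int nr_mpi;
};

static uint32_t get_be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 0 on success or a negative code naming the check that failed. */
int parse_sig_blob(const uint8_t *buf, size_t len, struct parsed_sig *out)
{
	const uint8_t *info;
	size_t body, off;
	uint32_t id_len, sig_len;

	if (len < INFO_LEN)
		return -1;		/* no room for the information block */
	body = len - INFO_LEN;
	info = buf + body;

	if (info[3] != 0)
		return -2;		/* '__pad' should be 0 */
	if (info[0] != ALGO_RSA)
		return -3;		/* only RSA is supported */
	if (info[2] != ID_TYPE_X509)
		return -4;		/* only X.509 identifiers are supported */

	/* Both lengths come from the file: compare by subtraction so the
	 * check cannot wrap, and never trust them before this point. */
	id_len = get_be32(info + 4);
	sig_len = get_be32(info + 8);
	if (id_len == 0 || sig_len == 0)
		return -5;
	if (id_len > body || sig_len > body - id_len)
		return -5;

	out->algo = info[0];
	out->hash = info[1];
	out->id_type = info[2];
	out->id_len = id_len;
	out->sig_len = sig_len;
	out->sig = info - sig_len;
	out->key_id = out->sig - id_len;
	out->payload_len = body - id_len - sig_len;

	/* Walk the MPI series; it must cover the signature data exactly.
	 * Rejecting a zero-length MPI is this example's choice. */
	out->nr_mpi = 0;
	for (off = 0; off < sig_len; out->nr_mpi++) {
		size_t n;

		if (sig_len - off < 2)
			return -6;	/* truncated size word */
		n = ((size_t)out->sig[off] << 8) | out->sig[off + 1];
		off += 2;
		if (n == 0 || n > sig_len - off)
			return -6;	/* MPI runs past the signature data */
		off += n;
	}
	return 0;
}

/* Constructed sample: 3 payload bytes, 4-byte key id, one 3-byte MPI. */
static const uint8_t sample[] = {
	'M', 'O', 'D',
	0xAA, 0xBB, 0xCC, 0xDD,
	0x00, 0x03, 0x01, 0x02, 0x03,
	1 /* RSA */, 2 /* SHA1 */, 1 /* X.509 */, 0 /* __pad */,
	0, 0, 0, 4,	/* id_length, BE */
	0, 0, 0, 5,	/* sig_length, BE */
};

int main(void)
{
	struct parsed_sig ps;
	int ret = parse_sig_blob(sample, sizeof(sample), &ps);

	printf("ret=%d", ret);
	if (ret == 0)
		printf(" payload=%zu id=%zu sig=%zu mpis=%u",
		       ps.payload_len, ps.id_len, ps.sig_len, ps.nr_mpi);
	printf("\n");
	return ret ? 1 : 0;
}
```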

Showing 2 changed files with 229 additions and 1 deletions

1 config ARCH 1 config ARCH
2 string 2 string
3 option env="ARCH" 3 option env="ARCH"
4 4
5 config KERNELVERSION 5 config KERNELVERSION
6 string 6 string
7 option env="KERNELVERSION" 7 option env="KERNELVERSION"
8 8
9 config DEFCONFIG_LIST 9 config DEFCONFIG_LIST
10 string 10 string
11 depends on !UML 11 depends on !UML
12 option defconfig_list 12 option defconfig_list
13 default "/lib/modules/$UNAME_RELEASE/.config" 13 default "/lib/modules/$UNAME_RELEASE/.config"
14 default "/etc/kernel-config" 14 default "/etc/kernel-config"
15 default "/boot/config-$UNAME_RELEASE" 15 default "/boot/config-$UNAME_RELEASE"
16 default "$ARCH_DEFCONFIG" 16 default "$ARCH_DEFCONFIG"
17 default "arch/$ARCH/defconfig" 17 default "arch/$ARCH/defconfig"
18 18
19 config CONSTRUCTORS 19 config CONSTRUCTORS
20 bool 20 bool
21 depends on !UML 21 depends on !UML
22 22
23 config HAVE_IRQ_WORK 23 config HAVE_IRQ_WORK
24 bool 24 bool
25 25
26 config IRQ_WORK 26 config IRQ_WORK
27 bool 27 bool
28 depends on HAVE_IRQ_WORK 28 depends on HAVE_IRQ_WORK
29 29
30 config BUILDTIME_EXTABLE_SORT 30 config BUILDTIME_EXTABLE_SORT
31 bool 31 bool
32 32
33 menu "General setup" 33 menu "General setup"
34 34
35 config EXPERIMENTAL 35 config EXPERIMENTAL
36 bool "Prompt for development and/or incomplete code/drivers" 36 bool "Prompt for development and/or incomplete code/drivers"
37 ---help--- 37 ---help---
38 Some of the various things that Linux supports (such as network 38 Some of the various things that Linux supports (such as network
39 drivers, file systems, network protocols, etc.) can be in a state 39 drivers, file systems, network protocols, etc.) can be in a state
40 of development where the functionality, stability, or the level of 40 of development where the functionality, stability, or the level of
41 testing is not yet high enough for general use. This is usually 41 testing is not yet high enough for general use. This is usually
42 known as the "alpha-test" phase among developers. If a feature is 42 known as the "alpha-test" phase among developers. If a feature is
43 currently in alpha-test, then the developers usually discourage 43 currently in alpha-test, then the developers usually discourage
44 uninformed widespread use of this feature by the general public to 44 uninformed widespread use of this feature by the general public to
45 avoid "Why doesn't this work?" type mail messages. However, active 45 avoid "Why doesn't this work?" type mail messages. However, active
46 testing and use of these systems is welcomed. Just be aware that it 46 testing and use of these systems is welcomed. Just be aware that it
47 may not meet the normal level of reliability or it may fail to work 47 may not meet the normal level of reliability or it may fail to work
48 in some special cases. Detailed bug reports from people familiar 48 in some special cases. Detailed bug reports from people familiar
49 with the kernel internals are usually welcomed by the developers 49 with the kernel internals are usually welcomed by the developers
50 (before submitting bug reports, please read the documents 50 (before submitting bug reports, please read the documents
51 <file:README>, <file:MAINTAINERS>, <file:REPORTING-BUGS>, 51 <file:README>, <file:MAINTAINERS>, <file:REPORTING-BUGS>,
52 <file:Documentation/BUG-HUNTING>, and 52 <file:Documentation/BUG-HUNTING>, and
53 <file:Documentation/oops-tracing.txt> in the kernel source). 53 <file:Documentation/oops-tracing.txt> in the kernel source).
54 54
55 This option will also make obsoleted drivers available. These are 55 This option will also make obsoleted drivers available. These are
56 drivers that have been replaced by something else, and/or are 56 drivers that have been replaced by something else, and/or are
57 scheduled to be removed in a future kernel release. 57 scheduled to be removed in a future kernel release.
58 58
59 Unless you intend to help test and develop a feature or driver that 59 Unless you intend to help test and develop a feature or driver that
60 falls into this category, or you have a situation that requires 60 falls into this category, or you have a situation that requires
61 using these features, you should probably say N here, which will 61 using these features, you should probably say N here, which will
62 cause the configurator to present you with fewer choices. If 62 cause the configurator to present you with fewer choices. If
63 you say Y here, you will be offered the choice of using features or 63 you say Y here, you will be offered the choice of using features or
64 drivers that are currently considered to be in the alpha-test phase. 64 drivers that are currently considered to be in the alpha-test phase.
65 65
66 config BROKEN 66 config BROKEN
67 bool 67 bool
68 68
69 config BROKEN_ON_SMP 69 config BROKEN_ON_SMP
70 bool 70 bool
71 depends on BROKEN || !SMP 71 depends on BROKEN || !SMP
72 default y 72 default y
73 73
74 config INIT_ENV_ARG_LIMIT 74 config INIT_ENV_ARG_LIMIT
75 int 75 int
76 default 32 if !UML 76 default 32 if !UML
77 default 128 if UML 77 default 128 if UML
78 help 78 help
79 Maximum of each of the number of arguments and environment 79 Maximum of each of the number of arguments and environment
80 variables passed to init from the kernel command line. 80 variables passed to init from the kernel command line.
81 81
82 82
83 config CROSS_COMPILE 83 config CROSS_COMPILE
84 string "Cross-compiler tool prefix" 84 string "Cross-compiler tool prefix"
85 help 85 help
86 Same as running 'make CROSS_COMPILE=prefix-' but stored for 86 Same as running 'make CROSS_COMPILE=prefix-' but stored for
87 default make runs in this kernel build directory. You don't 87 default make runs in this kernel build directory. You don't
88 need to set this unless you want the configured kernel build 88 need to set this unless you want the configured kernel build
89 directory to select the cross-compiler automatically. 89 directory to select the cross-compiler automatically.
90 90
91 config LOCALVERSION 91 config LOCALVERSION
92 string "Local version - append to kernel release" 92 string "Local version - append to kernel release"
93 help 93 help
94 Append an extra string to the end of your kernel version. 94 Append an extra string to the end of your kernel version.
95 This will show up when you type uname, for example. 95 This will show up when you type uname, for example.
96 The string you set here will be appended after the contents of 96 The string you set here will be appended after the contents of
97 any files with a filename matching localversion* in your 97 any files with a filename matching localversion* in your
98 object and source tree, in that order. Your total string can 98 object and source tree, in that order. Your total string can
99 be a maximum of 64 characters. 99 be a maximum of 64 characters.
100 100
101 config LOCALVERSION_AUTO 101 config LOCALVERSION_AUTO
102 bool "Automatically append version information to the version string" 102 bool "Automatically append version information to the version string"
103 default y 103 default y
104 help 104 help
105 This will try to automatically determine if the current tree is a 105 This will try to automatically determine if the current tree is a
106 release tree by looking for git tags that belong to the current 106 release tree by looking for git tags that belong to the current
107 top of tree revision. 107 top of tree revision.
108 108
109 A string of the format -gxxxxxxxx will be added to the localversion 109 A string of the format -gxxxxxxxx will be added to the localversion
110 if a git-based tree is found. The string generated by this will be 110 if a git-based tree is found. The string generated by this will be
111 appended after any matching localversion* files, and after the value 111 appended after any matching localversion* files, and after the value
112 set in CONFIG_LOCALVERSION. 112 set in CONFIG_LOCALVERSION.
113 113
114 (The actual string used here is the first eight characters produced 114 (The actual string used here is the first eight characters produced
115 by running the command: 115 by running the command:
116 116
117 $ git rev-parse --verify HEAD 117 $ git rev-parse --verify HEAD
118 118
119 which is done within the script "scripts/setlocalversion".) 119 which is done within the script "scripts/setlocalversion".)
120 120
121 config HAVE_KERNEL_GZIP 121 config HAVE_KERNEL_GZIP
122 bool 122 bool
123 123
124 config HAVE_KERNEL_BZIP2 124 config HAVE_KERNEL_BZIP2
125 bool 125 bool
126 126
127 config HAVE_KERNEL_LZMA 127 config HAVE_KERNEL_LZMA
128 bool 128 bool
129 129
130 config HAVE_KERNEL_XZ 130 config HAVE_KERNEL_XZ
131 bool 131 bool
132 132
133 config HAVE_KERNEL_LZO 133 config HAVE_KERNEL_LZO
134 bool 134 bool
135 135
136 choice 136 choice
137 prompt "Kernel compression mode" 137 prompt "Kernel compression mode"
138 default KERNEL_GZIP 138 default KERNEL_GZIP
139 depends on HAVE_KERNEL_GZIP || HAVE_KERNEL_BZIP2 || HAVE_KERNEL_LZMA || HAVE_KERNEL_XZ || HAVE_KERNEL_LZO 139 depends on HAVE_KERNEL_GZIP || HAVE_KERNEL_BZIP2 || HAVE_KERNEL_LZMA || HAVE_KERNEL_XZ || HAVE_KERNEL_LZO
140 help 140 help
141 The linux kernel is a kind of self-extracting executable. 141 The linux kernel is a kind of self-extracting executable.
142 Several compression algorithms are available, which differ 142 Several compression algorithms are available, which differ
143 in efficiency, compression and decompression speed. 143 in efficiency, compression and decompression speed.
144 Compression speed is only relevant when building a kernel. 144 Compression speed is only relevant when building a kernel.
145 Decompression speed is relevant at each boot. 145 Decompression speed is relevant at each boot.
146 146
147 If you have any problems with bzip2 or lzma compressed 147 If you have any problems with bzip2 or lzma compressed
148 kernels, mail me (Alain Knaff) <alain@knaff.lu>. (An older 148 kernels, mail me (Alain Knaff) <alain@knaff.lu>. (An older
149 version of this functionality (bzip2 only), for 2.4, was 149 version of this functionality (bzip2 only), for 2.4, was
150 supplied by Christian Ludwig) 150 supplied by Christian Ludwig)
151 151
152 High compression options are mostly useful for users, who 152 High compression options are mostly useful for users, who
153 are low on disk space (embedded systems), but for whom ram 153 are low on disk space (embedded systems), but for whom ram
154 size matters less. 154 size matters less.
155 155
156 If in doubt, select 'gzip' 156 If in doubt, select 'gzip'
157 157
158 config KERNEL_GZIP 158 config KERNEL_GZIP
159 bool "Gzip" 159 bool "Gzip"
160 depends on HAVE_KERNEL_GZIP 160 depends on HAVE_KERNEL_GZIP
161 help 161 help
162 The old and tried gzip compression. It provides a good balance 162 The old and tried gzip compression. It provides a good balance
163 between compression ratio and decompression speed. 163 between compression ratio and decompression speed.
164 164
165 config KERNEL_BZIP2 165 config KERNEL_BZIP2
166 bool "Bzip2" 166 bool "Bzip2"
167 depends on HAVE_KERNEL_BZIP2 167 depends on HAVE_KERNEL_BZIP2
168 help 168 help
169 Its compression ratio and speed is intermediate. 169 Its compression ratio and speed is intermediate.
170 Decompression speed is slowest among the choices. The kernel 170 Decompression speed is slowest among the choices. The kernel
171 size is about 10% smaller with bzip2, in comparison to gzip. 171 size is about 10% smaller with bzip2, in comparison to gzip.
172 Bzip2 uses a large amount of memory. For modern kernels you 172 Bzip2 uses a large amount of memory. For modern kernels you
173 will need at least 8MB RAM or more for booting. 173 will need at least 8MB RAM or more for booting.
174 174
175 config KERNEL_LZMA 175 config KERNEL_LZMA
176 bool "LZMA" 176 bool "LZMA"
177 depends on HAVE_KERNEL_LZMA 177 depends on HAVE_KERNEL_LZMA
178 help 178 help
179 This compression algorithm's ratio is best. Decompression speed 179 This compression algorithm's ratio is best. Decompression speed
180 is between gzip and bzip2. Compression is slowest. 180 is between gzip and bzip2. Compression is slowest.
181 The kernel size is about 33% smaller with LZMA in comparison to gzip. 181 The kernel size is about 33% smaller with LZMA in comparison to gzip.
182 182
183 config KERNEL_XZ 183 config KERNEL_XZ
184 bool "XZ" 184 bool "XZ"
185 depends on HAVE_KERNEL_XZ 185 depends on HAVE_KERNEL_XZ
186 help 186 help
187 XZ uses the LZMA2 algorithm and instruction set specific 187 XZ uses the LZMA2 algorithm and instruction set specific
188 BCJ filters which can improve compression ratio of executable 188 BCJ filters which can improve compression ratio of executable
189 code. The size of the kernel is about 30% smaller with XZ in 189 code. The size of the kernel is about 30% smaller with XZ in
190 comparison to gzip. On architectures for which there is a BCJ 190 comparison to gzip. On architectures for which there is a BCJ
191 filter (i386, x86_64, ARM, IA-64, PowerPC, and SPARC), XZ 191 filter (i386, x86_64, ARM, IA-64, PowerPC, and SPARC), XZ
192 will create a few percent smaller kernel than plain LZMA. 192 will create a few percent smaller kernel than plain LZMA.
193 193
194 The speed is about the same as with LZMA: The decompression 194 The speed is about the same as with LZMA: The decompression
195 speed of XZ is better than that of bzip2 but worse than gzip 195 speed of XZ is better than that of bzip2 but worse than gzip
196 and LZO. Compression is slow. 196 and LZO. Compression is slow.
197 197
198 config KERNEL_LZO 198 config KERNEL_LZO
199 bool "LZO" 199 bool "LZO"
200 depends on HAVE_KERNEL_LZO 200 depends on HAVE_KERNEL_LZO
201 help 201 help
202 Its compression ratio is the poorest among the choices. The kernel 202 Its compression ratio is the poorest among the choices. The kernel
203 size is about 10% bigger than gzip; however its speed 203 size is about 10% bigger than gzip; however its speed
204 (both compression and decompression) is the fastest. 204 (both compression and decompression) is the fastest.
205 205
206 endchoice 206 endchoice
207 207
208 config DEFAULT_HOSTNAME 208 config DEFAULT_HOSTNAME
209 string "Default hostname" 209 string "Default hostname"
210 default "(none)" 210 default "(none)"
211 help 211 help
212 This option determines the default system hostname before userspace 212 This option determines the default system hostname before userspace
213 calls sethostname(2). The kernel traditionally uses "(none)" here, 213 calls sethostname(2). The kernel traditionally uses "(none)" here,
214 but you may wish to use a different default here to make a minimal 214 but you may wish to use a different default here to make a minimal
215 system more usable with less configuration. 215 system more usable with less configuration.
216 216
217 config SWAP 217 config SWAP
218 bool "Support for paging of anonymous memory (swap)" 218 bool "Support for paging of anonymous memory (swap)"
219 depends on MMU && BLOCK 219 depends on MMU && BLOCK
220 default y 220 default y
221 help 221 help
222 This option allows you to choose whether you want to have support 222 This option allows you to choose whether you want to have support
223 for so called swap devices or swap files in your kernel that are 223 for so called swap devices or swap files in your kernel that are
224 used to provide more virtual memory than the actual RAM present 224 used to provide more virtual memory than the actual RAM present
225 in your computer. If unsure say Y. 225 in your computer. If unsure say Y.
226 226
227 config SYSVIPC 227 config SYSVIPC
228 bool "System V IPC" 228 bool "System V IPC"
229 ---help--- 229 ---help---
230 Inter Process Communication is a suite of library functions and 230 Inter Process Communication is a suite of library functions and
231 system calls which let processes (running programs) synchronize and 231 system calls which let processes (running programs) synchronize and
232 exchange information. It is generally considered to be a good thing, 232 exchange information. It is generally considered to be a good thing,
233 and some programs won't run unless you say Y here. In particular, if 233 and some programs won't run unless you say Y here. In particular, if
234 you want to run the DOS emulator dosemu under Linux (read the 234 you want to run the DOS emulator dosemu under Linux (read the
235 DOSEMU-HOWTO, available from <http://www.tldp.org/docs.html#howto>), 235 DOSEMU-HOWTO, available from <http://www.tldp.org/docs.html#howto>),
236 you'll need to say Y here. 236 you'll need to say Y here.
237 237
238 You can find documentation about IPC with "info ipc" and also in 238 You can find documentation about IPC with "info ipc" and also in
239 section 6.4 of the Linux Programmer's Guide, available from 239 section 6.4 of the Linux Programmer's Guide, available from
240 <http://www.tldp.org/guides.html>. 240 <http://www.tldp.org/guides.html>.
241 241
242 config SYSVIPC_SYSCTL 242 config SYSVIPC_SYSCTL
243 bool 243 bool
244 depends on SYSVIPC 244 depends on SYSVIPC
245 depends on SYSCTL 245 depends on SYSCTL
246 default y 246 default y
247 247
248 config POSIX_MQUEUE 248 config POSIX_MQUEUE
249 bool "POSIX Message Queues" 249 bool "POSIX Message Queues"
250 depends on NET && EXPERIMENTAL 250 depends on NET && EXPERIMENTAL
251 ---help--- 251 ---help---
252 POSIX variant of message queues is a part of IPC. In POSIX message 252 POSIX variant of message queues is a part of IPC. In POSIX message
253 queues every message has a priority which decides about succession 253 queues every message has a priority which decides about succession
254 of receiving it by a process. If you want to compile and run 254 of receiving it by a process. If you want to compile and run
255 programs written e.g. for Solaris with use of its POSIX message 255 programs written e.g. for Solaris with use of its POSIX message
256 queues (functions mq_*) say Y here. 256 queues (functions mq_*) say Y here.
257 257
258 POSIX message queues are visible as a filesystem called 'mqueue' 258 POSIX message queues are visible as a filesystem called 'mqueue'
259 and can be mounted somewhere if you want to do filesystem 259 and can be mounted somewhere if you want to do filesystem
260 operations on message queues. 260 operations on message queues.
261 261
262 If unsure, say Y. 262 If unsure, say Y.
263 263
264 config POSIX_MQUEUE_SYSCTL 264 config POSIX_MQUEUE_SYSCTL
265 bool 265 bool
266 depends on POSIX_MQUEUE 266 depends on POSIX_MQUEUE
267 depends on SYSCTL 267 depends on SYSCTL
268 default y 268 default y
269 269
270 config BSD_PROCESS_ACCT 270 config BSD_PROCESS_ACCT
271 bool "BSD Process Accounting" 271 bool "BSD Process Accounting"
272 help 272 help
273 If you say Y here, a user level program will be able to instruct the 273 If you say Y here, a user level program will be able to instruct the
274 kernel (via a special system call) to write process accounting 274 kernel (via a special system call) to write process accounting
275 information to a file: whenever a process exits, information about 275 information to a file: whenever a process exits, information about
276 that process will be appended to the file by the kernel. The 276 that process will be appended to the file by the kernel. The
277 information includes things such as creation time, owning user, 277 information includes things such as creation time, owning user,
278 command name, memory usage, controlling terminal etc. (the complete 278 command name, memory usage, controlling terminal etc. (the complete
279 list is in the struct acct in <file:include/linux/acct.h>). It is 279 list is in the struct acct in <file:include/linux/acct.h>). It is
280 up to the user level program to do useful things with this 280 up to the user level program to do useful things with this
281 information. This is generally a good idea, so say Y. 281 information. This is generally a good idea, so say Y.
282 282
283 config BSD_PROCESS_ACCT_V3 283 config BSD_PROCESS_ACCT_V3
284 bool "BSD Process Accounting version 3 file format" 284 bool "BSD Process Accounting version 3 file format"
285 depends on BSD_PROCESS_ACCT 285 depends on BSD_PROCESS_ACCT
286 default n 286 default n
287 help 287 help
288 If you say Y here, the process accounting information is written 288 If you say Y here, the process accounting information is written
289 in a new file format that also logs the process IDs of each 289 in a new file format that also logs the process IDs of each
290 process and it's parent. Note that this file format is incompatible 290 process and it's parent. Note that this file format is incompatible
291 with previous v0/v1/v2 file formats, so you will need updated tools 291 with previous v0/v1/v2 file formats, so you will need updated tools
292 for processing it. A preliminary version of these tools is available 292 for processing it. A preliminary version of these tools is available
293 at <http://www.gnu.org/software/acct/>. 293 at <http://www.gnu.org/software/acct/>.
294 294
295 config FHANDLE 295 config FHANDLE
296 bool "open by fhandle syscalls" 296 bool "open by fhandle syscalls"
297 select EXPORTFS 297 select EXPORTFS
298 help 298 help
299 If you say Y here, a user level program will be able to map 299 If you say Y here, a user level program will be able to map
300 file names to handle and then later use the handle for 300 file names to handle and then later use the handle for
301 different file system operations. This is useful in implementing 301 different file system operations. This is useful in implementing
302 userspace file servers, which now track files using handles instead 302 userspace file servers, which now track files using handles instead
303 of names. The handle would remain the same even if file names 303 of names. The handle would remain the same even if file names
304 get renamed. Enables open_by_handle_at(2) and name_to_handle_at(2) 304 get renamed. Enables open_by_handle_at(2) and name_to_handle_at(2)
305 syscalls. 305 syscalls.
306 306
307 config TASKSTATS 307 config TASKSTATS
308 bool "Export task/process statistics through netlink (EXPERIMENTAL)" 308 bool "Export task/process statistics through netlink (EXPERIMENTAL)"
309 depends on NET 309 depends on NET
310 default n 310 default n
311 help 311 help
312 Export selected statistics for tasks/processes through the 312 Export selected statistics for tasks/processes through the
313 generic netlink interface. Unlike BSD process accounting, the 313 generic netlink interface. Unlike BSD process accounting, the
314 statistics are available during the lifetime of tasks/processes as 314 statistics are available during the lifetime of tasks/processes as
315 responses to commands. Like BSD accounting, they are sent to user 315 responses to commands. Like BSD accounting, they are sent to user
316 space on task exit. 316 space on task exit.
317 317
318 Say N if unsure. 318 Say N if unsure.
319 319
320 config TASK_DELAY_ACCT 320 config TASK_DELAY_ACCT
321 bool "Enable per-task delay accounting (EXPERIMENTAL)" 321 bool "Enable per-task delay accounting (EXPERIMENTAL)"
322 depends on TASKSTATS 322 depends on TASKSTATS
323 help 323 help
324 Collect information on time spent by a task waiting for system 324 Collect information on time spent by a task waiting for system
325 resources like cpu, synchronous block I/O completion and swapping 325 resources like cpu, synchronous block I/O completion and swapping
326 in pages. Such statistics can help in setting a task's priorities 326 in pages. Such statistics can help in setting a task's priorities
327 relative to other tasks for cpu, io, rss limits etc. 327 relative to other tasks for cpu, io, rss limits etc.
328 328
329 Say N if unsure. 329 Say N if unsure.
330 330
331 config TASK_XACCT 331 config TASK_XACCT
332 bool "Enable extended accounting over taskstats (EXPERIMENTAL)" 332 bool "Enable extended accounting over taskstats (EXPERIMENTAL)"
333 depends on TASKSTATS 333 depends on TASKSTATS
334 help 334 help
335 Collect extended task accounting data and send the data 335 Collect extended task accounting data and send the data
336 to userland for processing over the taskstats interface. 336 to userland for processing over the taskstats interface.
337 337
338 Say N if unsure. 338 Say N if unsure.
339 339
340 config TASK_IO_ACCOUNTING 340 config TASK_IO_ACCOUNTING
341 bool "Enable per-task storage I/O accounting (EXPERIMENTAL)" 341 bool "Enable per-task storage I/O accounting (EXPERIMENTAL)"
342 depends on TASK_XACCT 342 depends on TASK_XACCT
343 help 343 help
344 Collect information on the number of bytes of storage I/O which this 344 Collect information on the number of bytes of storage I/O which this
345 task has caused. 345 task has caused.
346 346
347 Say N if unsure. 347 Say N if unsure.
348 348
349 config AUDIT 349 config AUDIT
350 bool "Auditing support" 350 bool "Auditing support"
351 depends on NET 351 depends on NET
352 help 352 help
353 Enable auditing infrastructure that can be used with another 353 Enable auditing infrastructure that can be used with another
354 kernel subsystem, such as SELinux (which requires this for 354 kernel subsystem, such as SELinux (which requires this for
355 logging of avc messages output). Does not do system-call 355 logging of avc messages output). Does not do system-call
356 auditing without CONFIG_AUDITSYSCALL. 356 auditing without CONFIG_AUDITSYSCALL.
357 357
358 config AUDITSYSCALL 358 config AUDITSYSCALL
359 bool "Enable system-call auditing support" 359 bool "Enable system-call auditing support"
360 depends on AUDIT && (X86 || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT)) 360 depends on AUDIT && (X86 || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
361 default y if SECURITY_SELINUX 361 default y if SECURITY_SELINUX
362 help 362 help
363 Enable low-overhead system-call auditing infrastructure that 363 Enable low-overhead system-call auditing infrastructure that
364 can be used independently or with another kernel subsystem, 364 can be used independently or with another kernel subsystem,
365 such as SELinux. 365 such as SELinux.
366 366
367 config AUDIT_WATCH 367 config AUDIT_WATCH
368 def_bool y 368 def_bool y
369 depends on AUDITSYSCALL 369 depends on AUDITSYSCALL
370 select FSNOTIFY 370 select FSNOTIFY
371 371
372 config AUDIT_TREE 372 config AUDIT_TREE
373 def_bool y 373 def_bool y
374 depends on AUDITSYSCALL 374 depends on AUDITSYSCALL
375 select FSNOTIFY 375 select FSNOTIFY
376 376
377 config AUDIT_LOGINUID_IMMUTABLE 377 config AUDIT_LOGINUID_IMMUTABLE
378 bool "Make audit loginuid immutable" 378 bool "Make audit loginuid immutable"
379 depends on AUDIT 379 depends on AUDIT
380 help 380 help
381 The config option toggles if a task setting its loginuid requires 381 The config option toggles if a task setting its loginuid requires
382 CAP_SYS_AUDITCONTROL or if that task should require no special permissions 382 CAP_SYS_AUDITCONTROL or if that task should require no special permissions
383 but should instead only allow setting its loginuid if it was never 383 but should instead only allow setting its loginuid if it was never
384 previously set. On systems which use systemd or a similar central 384 previously set. On systems which use systemd or a similar central
385 process to restart login services this should be set to true. On older 385 process to restart login services this should be set to true. On older
386 systems in which an admin would typically have to directly stop and 386 systems in which an admin would typically have to directly stop and
387 start processes this should be set to false. Setting this to true allows 387 start processes this should be set to false. Setting this to true allows
388 one to drop potentially dangerous capabilites from the login tasks, 388 one to drop potentially dangerous capabilites from the login tasks,
389 but may not be backwards compatible with older init systems. 389 but may not be backwards compatible with older init systems.
390 390
391 source "kernel/irq/Kconfig" 391 source "kernel/irq/Kconfig"
392 source "kernel/time/Kconfig" 392 source "kernel/time/Kconfig"
393 393
394 menu "RCU Subsystem" 394 menu "RCU Subsystem"
395 395
396 choice 396 choice
397 prompt "RCU Implementation" 397 prompt "RCU Implementation"
398 default TREE_RCU 398 default TREE_RCU
399 399
400 config TREE_RCU 400 config TREE_RCU
401 bool "Tree-based hierarchical RCU" 401 bool "Tree-based hierarchical RCU"
402 depends on !PREEMPT && SMP 402 depends on !PREEMPT && SMP
403 help 403 help
404 This option selects the RCU implementation that is 404 This option selects the RCU implementation that is
405 designed for very large SMP system with hundreds or 405 designed for very large SMP system with hundreds or
406 thousands of CPUs. It also scales down nicely to 406 thousands of CPUs. It also scales down nicely to
407 smaller systems. 407 smaller systems.
408 408
409 config TREE_PREEMPT_RCU 409 config TREE_PREEMPT_RCU
410 bool "Preemptible tree-based hierarchical RCU" 410 bool "Preemptible tree-based hierarchical RCU"
411 depends on PREEMPT && SMP 411 depends on PREEMPT && SMP
412 help 412 help
413 This option selects the RCU implementation that is 413 This option selects the RCU implementation that is
414 designed for very large SMP systems with hundreds or 414 designed for very large SMP systems with hundreds or
415 thousands of CPUs, but for which real-time response 415 thousands of CPUs, but for which real-time response
416 is also required. It also scales down nicely to 416 is also required. It also scales down nicely to
417 smaller systems. 417 smaller systems.
418 418
419 config TINY_RCU 419 config TINY_RCU
420 bool "UP-only small-memory-footprint RCU" 420 bool "UP-only small-memory-footprint RCU"
421 depends on !PREEMPT && !SMP 421 depends on !PREEMPT && !SMP
422 help 422 help
423 This option selects the RCU implementation that is 423 This option selects the RCU implementation that is
424 designed for UP systems from which real-time response 424 designed for UP systems from which real-time response
425 is not required. This option greatly reduces the 425 is not required. This option greatly reduces the
426 memory footprint of RCU. 426 memory footprint of RCU.
427 427
428 config TINY_PREEMPT_RCU 428 config TINY_PREEMPT_RCU
429 bool "Preemptible UP-only small-memory-footprint RCU" 429 bool "Preemptible UP-only small-memory-footprint RCU"
430 depends on PREEMPT && !SMP 430 depends on PREEMPT && !SMP
431 help 431 help
432 This option selects the RCU implementation that is designed 432 This option selects the RCU implementation that is designed
433 for real-time UP systems. This option greatly reduces the 433 for real-time UP systems. This option greatly reduces the
434 memory footprint of RCU. 434 memory footprint of RCU.
435 435
436 endchoice 436 endchoice
437 437
438 config PREEMPT_RCU 438 config PREEMPT_RCU
439 def_bool ( TREE_PREEMPT_RCU || TINY_PREEMPT_RCU ) 439 def_bool ( TREE_PREEMPT_RCU || TINY_PREEMPT_RCU )
440 help 440 help
441 This option enables preemptible-RCU code that is common between 441 This option enables preemptible-RCU code that is common between
442 the TREE_PREEMPT_RCU and TINY_PREEMPT_RCU implementations. 442 the TREE_PREEMPT_RCU and TINY_PREEMPT_RCU implementations.
443 443
444 config RCU_FANOUT 444 config RCU_FANOUT
445 int "Tree-based hierarchical RCU fanout value" 445 int "Tree-based hierarchical RCU fanout value"
446 range 2 64 if 64BIT 446 range 2 64 if 64BIT
447 range 2 32 if !64BIT 447 range 2 32 if !64BIT
448 depends on TREE_RCU || TREE_PREEMPT_RCU 448 depends on TREE_RCU || TREE_PREEMPT_RCU
449 default 64 if 64BIT 449 default 64 if 64BIT
450 default 32 if !64BIT 450 default 32 if !64BIT
451 help 451 help
452 This option controls the fanout of hierarchical implementations 452 This option controls the fanout of hierarchical implementations
453 of RCU, allowing RCU to work efficiently on machines with 453 of RCU, allowing RCU to work efficiently on machines with
454 large numbers of CPUs. This value must be at least the fourth 454 large numbers of CPUs. This value must be at least the fourth
455 root of NR_CPUS, which allows NR_CPUS to be insanely large. 455 root of NR_CPUS, which allows NR_CPUS to be insanely large.
456 The default value of RCU_FANOUT should be used for production 456 The default value of RCU_FANOUT should be used for production
457 systems, but if you are stress-testing the RCU implementation 457 systems, but if you are stress-testing the RCU implementation
458 itself, small RCU_FANOUT values allow you to test large-system 458 itself, small RCU_FANOUT values allow you to test large-system
459 code paths on small(er) systems. 459 code paths on small(er) systems.
460 460
461 Select a specific number if testing RCU itself. 461 Select a specific number if testing RCU itself.
462 Take the default if unsure. 462 Take the default if unsure.
463 463
464 config RCU_FANOUT_LEAF 464 config RCU_FANOUT_LEAF
465 int "Tree-based hierarchical RCU leaf-level fanout value" 465 int "Tree-based hierarchical RCU leaf-level fanout value"
466 range 2 RCU_FANOUT if 64BIT 466 range 2 RCU_FANOUT if 64BIT
467 range 2 RCU_FANOUT if !64BIT 467 range 2 RCU_FANOUT if !64BIT
468 depends on TREE_RCU || TREE_PREEMPT_RCU 468 depends on TREE_RCU || TREE_PREEMPT_RCU
469 default 16 469 default 16
470 help 470 help
471 This option controls the leaf-level fanout of hierarchical 471 This option controls the leaf-level fanout of hierarchical
472 implementations of RCU, and allows trading off cache misses 472 implementations of RCU, and allows trading off cache misses
473 against lock contention. Systems that synchronize their 473 against lock contention. Systems that synchronize their
474 scheduling-clock interrupts for energy-efficiency reasons will 474 scheduling-clock interrupts for energy-efficiency reasons will
475 want the default because the smaller leaf-level fanout keeps 475 want the default because the smaller leaf-level fanout keeps
476 lock contention levels acceptably low. Very large systems 476 lock contention levels acceptably low. Very large systems
477 (hundreds or thousands of CPUs) will instead want to set this 477 (hundreds or thousands of CPUs) will instead want to set this
478 value to the maximum value possible in order to reduce the 478 value to the maximum value possible in order to reduce the
479 number of cache misses incurred during RCU's grace-period 479 number of cache misses incurred during RCU's grace-period
480 initialization. These systems tend to run CPU-bound, and thus 480 initialization. These systems tend to run CPU-bound, and thus
481 are not helped by synchronized interrupts, and thus tend to 481 are not helped by synchronized interrupts, and thus tend to
482 skew them, which reduces lock contention enough that large 482 skew them, which reduces lock contention enough that large
483 leaf-level fanouts work well. 483 leaf-level fanouts work well.
484 484
485 Select a specific number if testing RCU itself. 485 Select a specific number if testing RCU itself.
486 486
487 Select the maximum permissible value for large systems. 487 Select the maximum permissible value for large systems.
488 488
489 Take the default if unsure. 489 Take the default if unsure.
490 490
491 config RCU_FANOUT_EXACT 491 config RCU_FANOUT_EXACT
492 bool "Disable tree-based hierarchical RCU auto-balancing" 492 bool "Disable tree-based hierarchical RCU auto-balancing"
493 depends on TREE_RCU || TREE_PREEMPT_RCU 493 depends on TREE_RCU || TREE_PREEMPT_RCU
494 default n 494 default n
495 help 495 help
496 This option forces use of the exact RCU_FANOUT value specified, 496 This option forces use of the exact RCU_FANOUT value specified,
497 regardless of imbalances in the hierarchy. This is useful for 497 regardless of imbalances in the hierarchy. This is useful for
498 testing RCU itself, and might one day be useful on systems with 498 testing RCU itself, and might one day be useful on systems with
499 strong NUMA behavior. 499 strong NUMA behavior.
500 500
501 Without RCU_FANOUT_EXACT, the code will balance the hierarchy. 501 Without RCU_FANOUT_EXACT, the code will balance the hierarchy.
502 502
503 Say N if unsure. 503 Say N if unsure.
504 504
505 config RCU_FAST_NO_HZ 505 config RCU_FAST_NO_HZ
506 bool "Accelerate last non-dyntick-idle CPU's grace periods" 506 bool "Accelerate last non-dyntick-idle CPU's grace periods"
507 depends on NO_HZ && SMP 507 depends on NO_HZ && SMP
508 default n 508 default n
509 help 509 help
510 This option causes RCU to attempt to accelerate grace periods 510 This option causes RCU to attempt to accelerate grace periods
511 in order to allow CPUs to enter dynticks-idle state more 511 in order to allow CPUs to enter dynticks-idle state more
512 quickly. On the other hand, this option increases the overhead 512 quickly. On the other hand, this option increases the overhead
513 of the dynticks-idle checking, particularly on systems with 513 of the dynticks-idle checking, particularly on systems with
514 large numbers of CPUs. 514 large numbers of CPUs.
515 515
516 Say Y if energy efficiency is critically important, particularly 516 Say Y if energy efficiency is critically important, particularly
517 if you have relatively few CPUs. 517 if you have relatively few CPUs.
518 518
519 Say N if you are unsure. 519 Say N if you are unsure.
520 520
521 config TREE_RCU_TRACE 521 config TREE_RCU_TRACE
522 def_bool RCU_TRACE && ( TREE_RCU || TREE_PREEMPT_RCU ) 522 def_bool RCU_TRACE && ( TREE_RCU || TREE_PREEMPT_RCU )
523 select DEBUG_FS 523 select DEBUG_FS
524 help 524 help
525 This option provides tracing for the TREE_RCU and 525 This option provides tracing for the TREE_RCU and
526 TREE_PREEMPT_RCU implementations, permitting Makefile to 526 TREE_PREEMPT_RCU implementations, permitting Makefile to
527 trivially select kernel/rcutree_trace.c. 527 trivially select kernel/rcutree_trace.c.
528 528
529 config RCU_BOOST 529 config RCU_BOOST
530 bool "Enable RCU priority boosting" 530 bool "Enable RCU priority boosting"
531 depends on RT_MUTEXES && PREEMPT_RCU 531 depends on RT_MUTEXES && PREEMPT_RCU
532 default n 532 default n
533 help 533 help
534 This option boosts the priority of preempted RCU readers that 534 This option boosts the priority of preempted RCU readers that
535 block the current preemptible RCU grace period for too long. 535 block the current preemptible RCU grace period for too long.
536 This option also prevents heavy loads from blocking RCU 536 This option also prevents heavy loads from blocking RCU
537 callback invocation for all flavors of RCU. 537 callback invocation for all flavors of RCU.
538 538
539 Say Y here if you are working with real-time apps or heavy loads 539 Say Y here if you are working with real-time apps or heavy loads
540 Say N here if you are unsure. 540 Say N here if you are unsure.
541 541
542 config RCU_BOOST_PRIO 542 config RCU_BOOST_PRIO
543 int "Real-time priority to boost RCU readers to" 543 int "Real-time priority to boost RCU readers to"
544 range 1 99 544 range 1 99
545 depends on RCU_BOOST 545 depends on RCU_BOOST
546 default 1 546 default 1
547 help 547 help
548 This option specifies the real-time priority to which long-term 548 This option specifies the real-time priority to which long-term
549 preempted RCU readers are to be boosted. If you are working 549 preempted RCU readers are to be boosted. If you are working
550 with a real-time application that has one or more CPU-bound 550 with a real-time application that has one or more CPU-bound
551 threads running at a real-time priority level, you should set 551 threads running at a real-time priority level, you should set
552 RCU_BOOST_PRIO to a priority higher then the highest-priority 552 RCU_BOOST_PRIO to a priority higher then the highest-priority
553 real-time CPU-bound thread. The default RCU_BOOST_PRIO value 553 real-time CPU-bound thread. The default RCU_BOOST_PRIO value
554 of 1 is appropriate in the common case, which is real-time 554 of 1 is appropriate in the common case, which is real-time
555 applications that do not have any CPU-bound threads. 555 applications that do not have any CPU-bound threads.
556 556
557 Some real-time applications might not have a single real-time 557 Some real-time applications might not have a single real-time
558 thread that saturates a given CPU, but instead might have 558 thread that saturates a given CPU, but instead might have
559 multiple real-time threads that, taken together, fully utilize 559 multiple real-time threads that, taken together, fully utilize
560 that CPU. In this case, you should set RCU_BOOST_PRIO to 560 that CPU. In this case, you should set RCU_BOOST_PRIO to
561 a priority higher than the lowest-priority thread that is 561 a priority higher than the lowest-priority thread that is
562 conspiring to prevent the CPU from running any non-real-time 562 conspiring to prevent the CPU from running any non-real-time
563 tasks. For example, if one thread at priority 10 and another 563 tasks. For example, if one thread at priority 10 and another
564 thread at priority 5 are between themselves fully consuming 564 thread at priority 5 are between themselves fully consuming
565 the CPU time on a given CPU, then RCU_BOOST_PRIO should be 565 the CPU time on a given CPU, then RCU_BOOST_PRIO should be
566 set to priority 6 or higher. 566 set to priority 6 or higher.
567 567
568 Specify the real-time priority, or take the default if unsure. 568 Specify the real-time priority, or take the default if unsure.
569 569
570 config RCU_BOOST_DELAY 570 config RCU_BOOST_DELAY
571 int "Milliseconds to delay boosting after RCU grace-period start" 571 int "Milliseconds to delay boosting after RCU grace-period start"
572 range 0 3000 572 range 0 3000
573 depends on RCU_BOOST 573 depends on RCU_BOOST
574 default 500 574 default 500
575 help 575 help
576 This option specifies the time to wait after the beginning of 576 This option specifies the time to wait after the beginning of
577 a given grace period before priority-boosting preempted RCU 577 a given grace period before priority-boosting preempted RCU
578 readers blocking that grace period. Note that any RCU reader 578 readers blocking that grace period. Note that any RCU reader
579 blocking an expedited RCU grace period is boosted immediately. 579 blocking an expedited RCU grace period is boosted immediately.
580 580
581 Accept the default if unsure. 581 Accept the default if unsure.
582 582
583 endmenu # "RCU Subsystem" 583 endmenu # "RCU Subsystem"
584 584
585 config IKCONFIG 585 config IKCONFIG
586 tristate "Kernel .config support" 586 tristate "Kernel .config support"
587 ---help--- 587 ---help---
588 This option enables the complete Linux kernel ".config" file 588 This option enables the complete Linux kernel ".config" file
589 contents to be saved in the kernel. It provides documentation 589 contents to be saved in the kernel. It provides documentation
590 of which kernel options are used in a running kernel or in an 590 of which kernel options are used in a running kernel or in an
591 on-disk kernel. This information can be extracted from the kernel 591 on-disk kernel. This information can be extracted from the kernel
592 image file with the script scripts/extract-ikconfig and used as 592 image file with the script scripts/extract-ikconfig and used as
593 input to rebuild the current kernel or to build another kernel. 593 input to rebuild the current kernel or to build another kernel.
594 It can also be extracted from a running kernel by reading 594 It can also be extracted from a running kernel by reading
595 /proc/config.gz if enabled (below). 595 /proc/config.gz if enabled (below).
596 596
597 config IKCONFIG_PROC 597 config IKCONFIG_PROC
598 bool "Enable access to .config through /proc/config.gz" 598 bool "Enable access to .config through /proc/config.gz"
599 depends on IKCONFIG && PROC_FS 599 depends on IKCONFIG && PROC_FS
600 ---help--- 600 ---help---
601 This option enables access to the kernel configuration file 601 This option enables access to the kernel configuration file
602 through /proc/config.gz. 602 through /proc/config.gz.
603 603
604 config LOG_BUF_SHIFT 604 config LOG_BUF_SHIFT
605 int "Kernel log buffer size (16 => 64KB, 17 => 128KB)" 605 int "Kernel log buffer size (16 => 64KB, 17 => 128KB)"
606 range 12 21 606 range 12 21
607 default 17 607 default 17
608 help 608 help
609 Select kernel log buffer size as a power of 2. 609 Select kernel log buffer size as a power of 2.
610 Examples: 610 Examples:
611 17 => 128 KB 611 17 => 128 KB
612 16 => 64 KB 612 16 => 64 KB
613 15 => 32 KB 613 15 => 32 KB
614 14 => 16 KB 614 14 => 16 KB
615 13 => 8 KB 615 13 => 8 KB
616 12 => 4 KB 616 12 => 4 KB
617 617
618 # 618 #
619 # Architectures with an unreliable sched_clock() should select this: 619 # Architectures with an unreliable sched_clock() should select this:
620 # 620 #
621 config HAVE_UNSTABLE_SCHED_CLOCK 621 config HAVE_UNSTABLE_SCHED_CLOCK
622 bool 622 bool
623 623
624 menuconfig CGROUPS 624 menuconfig CGROUPS
625 boolean "Control Group support" 625 boolean "Control Group support"
626 depends on EVENTFD 626 depends on EVENTFD
627 help 627 help
628 This option adds support for grouping sets of processes together, for 628 This option adds support for grouping sets of processes together, for
629 use with process control subsystems such as Cpusets, CFS, memory 629 use with process control subsystems such as Cpusets, CFS, memory
630 controls or device isolation. 630 controls or device isolation.
631 See 631 See
632 - Documentation/scheduler/sched-design-CFS.txt (CFS) 632 - Documentation/scheduler/sched-design-CFS.txt (CFS)
633 - Documentation/cgroups/ (features for grouping, isolation 633 - Documentation/cgroups/ (features for grouping, isolation
634 and resource control) 634 and resource control)
635 635
636 Say N if unsure. 636 Say N if unsure.
637 637
638 if CGROUPS 638 if CGROUPS
639 639
640 config CGROUP_DEBUG 640 config CGROUP_DEBUG
641 bool "Example debug cgroup subsystem" 641 bool "Example debug cgroup subsystem"
642 default n 642 default n
643 help 643 help
644 This option enables a simple cgroup subsystem that 644 This option enables a simple cgroup subsystem that
645 exports useful debugging information about the cgroups 645 exports useful debugging information about the cgroups
646 framework. 646 framework.
647 647
648 Say N if unsure. 648 Say N if unsure.
649 649
650 config CGROUP_FREEZER 650 config CGROUP_FREEZER
651 bool "Freezer cgroup subsystem" 651 bool "Freezer cgroup subsystem"
652 help 652 help
653 Provides a way to freeze and unfreeze all tasks in a 653 Provides a way to freeze and unfreeze all tasks in a
654 cgroup. 654 cgroup.
655 655
656 config CGROUP_DEVICE 656 config CGROUP_DEVICE
657 bool "Device controller for cgroups" 657 bool "Device controller for cgroups"
658 help 658 help
659 Provides a cgroup implementing whitelists for devices which 659 Provides a cgroup implementing whitelists for devices which
660 a process in the cgroup can mknod or open. 660 a process in the cgroup can mknod or open.
661 661
662 config CPUSETS 662 config CPUSETS
663 bool "Cpuset support" 663 bool "Cpuset support"
664 help 664 help
665 This option will let you create and manage CPUSETs which 665 This option will let you create and manage CPUSETs which
666 allow dynamically partitioning a system into sets of CPUs and 666 allow dynamically partitioning a system into sets of CPUs and
667 Memory Nodes and assigning tasks to run only within those sets. 667 Memory Nodes and assigning tasks to run only within those sets.
668 This is primarily useful on large SMP or NUMA systems. 668 This is primarily useful on large SMP or NUMA systems.
669 669
670 Say N if unsure. 670 Say N if unsure.
671 671
672 config PROC_PID_CPUSET 672 config PROC_PID_CPUSET
673 bool "Include legacy /proc/<pid>/cpuset file" 673 bool "Include legacy /proc/<pid>/cpuset file"
674 depends on CPUSETS 674 depends on CPUSETS
675 default y 675 default y
676 676
677 config CGROUP_CPUACCT 677 config CGROUP_CPUACCT
678 bool "Simple CPU accounting cgroup subsystem" 678 bool "Simple CPU accounting cgroup subsystem"
679 help 679 help
680 Provides a simple Resource Controller for monitoring the 680 Provides a simple Resource Controller for monitoring the
681 total CPU consumed by the tasks in a cgroup. 681 total CPU consumed by the tasks in a cgroup.
682 682
683 config RESOURCE_COUNTERS 683 config RESOURCE_COUNTERS
684 bool "Resource counters" 684 bool "Resource counters"
685 help 685 help
686 This option enables controller independent resource accounting 686 This option enables controller independent resource accounting
687 infrastructure that works with cgroups. 687 infrastructure that works with cgroups.
688 688
689 config MEMCG 689 config MEMCG
690 bool "Memory Resource Controller for Control Groups" 690 bool "Memory Resource Controller for Control Groups"
691 depends on RESOURCE_COUNTERS 691 depends on RESOURCE_COUNTERS
692 select MM_OWNER 692 select MM_OWNER
693 help 693 help
694 Provides a memory resource controller that manages both anonymous 694 Provides a memory resource controller that manages both anonymous
695 memory and page cache. (See Documentation/cgroups/memory.txt) 695 memory and page cache. (See Documentation/cgroups/memory.txt)
696 696
697 Note that setting this option increases fixed memory overhead 697 Note that setting this option increases fixed memory overhead
698 associated with each page of memory in the system. By this, 698 associated with each page of memory in the system. By this,
699 20(40)bytes/PAGE_SIZE on 32(64)bit system will be occupied by memory 699 20(40)bytes/PAGE_SIZE on 32(64)bit system will be occupied by memory
700 usage tracking struct at boot. Total amount of this is printed out 700 usage tracking struct at boot. Total amount of this is printed out
701 at boot. 701 at boot.
702 702
703 Only enable when you're ok with these trade offs and really 703 Only enable when you're ok with these trade offs and really
704 sure you need the memory resource controller. Even when you enable 704 sure you need the memory resource controller. Even when you enable
705 this, you can set "cgroup_disable=memory" at your boot option to 705 this, you can set "cgroup_disable=memory" at your boot option to
706 disable memory resource controller and you can avoid overheads. 706 disable memory resource controller and you can avoid overheads.
707 (and lose benefits of memory resource controller) 707 (and lose benefits of memory resource controller)
708 708
709 This config option also selects MM_OWNER config option, which 709 This config option also selects MM_OWNER config option, which
710 could in turn add some fork/exit overhead. 710 could in turn add some fork/exit overhead.
711 711
712 config MEMCG_SWAP 712 config MEMCG_SWAP
713 bool "Memory Resource Controller Swap Extension" 713 bool "Memory Resource Controller Swap Extension"
714 depends on MEMCG && SWAP 714 depends on MEMCG && SWAP
715 help 715 help
716 Add swap management feature to memory resource controller. When you 716 Add swap management feature to memory resource controller. When you
717 enable this, you can limit mem+swap usage per cgroup. In other words, 717 enable this, you can limit mem+swap usage per cgroup. In other words,
718 when you disable this, memory resource controller has no cares to 718 when you disable this, memory resource controller has no cares to
719 usage of swap...a process can exhaust all of the swap. This extension 719 usage of swap...a process can exhaust all of the swap. This extension
720 is useful when you want to avoid exhaustion swap but this itself 720 is useful when you want to avoid exhaustion swap but this itself
721 adds more overheads and consumes memory for remembering information. 721 adds more overheads and consumes memory for remembering information.
722 Especially if you use 32bit system or small memory system, please 722 Especially if you use 32bit system or small memory system, please
723 be careful about enabling this. When memory resource controller 723 be careful about enabling this. When memory resource controller
724 is disabled by boot option, this will be automatically disabled and 724 is disabled by boot option, this will be automatically disabled and
725 there will be no overhead from this. Even when you set this config=y, 725 there will be no overhead from this. Even when you set this config=y,
726 if boot option "swapaccount=0" is set, swap will not be accounted. 726 if boot option "swapaccount=0" is set, swap will not be accounted.
727 Now, memory usage of swap_cgroup is 2 bytes per entry. If swap page 727 Now, memory usage of swap_cgroup is 2 bytes per entry. If swap page
728 size is 4096bytes, 512k per 1Gbytes of swap. 728 size is 4096bytes, 512k per 1Gbytes of swap.
729 config MEMCG_SWAP_ENABLED 729 config MEMCG_SWAP_ENABLED
730 bool "Memory Resource Controller Swap Extension enabled by default" 730 bool "Memory Resource Controller Swap Extension enabled by default"
731 depends on MEMCG_SWAP 731 depends on MEMCG_SWAP
732 default y 732 default y
733 help 733 help
734 Memory Resource Controller Swap Extension comes with its price in 734 Memory Resource Controller Swap Extension comes with its price in
735 a bigger memory consumption. General purpose distribution kernels 735 a bigger memory consumption. General purpose distribution kernels
736 which want to enable the feature but keep it disabled by default 736 which want to enable the feature but keep it disabled by default
737 and let the user enable it by swapaccount boot command line 737 and let the user enable it by swapaccount boot command line
738 parameter should have this option unselected. 738 parameter should have this option unselected.
739 For those who want to have the feature enabled by default should 739 For those who want to have the feature enabled by default should
740 select this option (if, for some reason, they need to disable it 740 select this option (if, for some reason, they need to disable it
741 then swapaccount=0 does the trick). 741 then swapaccount=0 does the trick).
742 config MEMCG_KMEM 742 config MEMCG_KMEM
743 bool "Memory Resource Controller Kernel Memory accounting (EXPERIMENTAL)" 743 bool "Memory Resource Controller Kernel Memory accounting (EXPERIMENTAL)"
744 depends on MEMCG && EXPERIMENTAL 744 depends on MEMCG && EXPERIMENTAL
745 default n 745 default n
746 help 746 help
747 The Kernel Memory extension for Memory Resource Controller can limit 747 The Kernel Memory extension for Memory Resource Controller can limit
748 the amount of memory used by kernel objects in the system. Those are 748 the amount of memory used by kernel objects in the system. Those are
749 fundamentally different from the entities handled by the standard 749 fundamentally different from the entities handled by the standard
750 Memory Controller, which are page-based, and can be swapped. Users of 750 Memory Controller, which are page-based, and can be swapped. Users of
751 the kmem extension can use it to guarantee that no group of processes 751 the kmem extension can use it to guarantee that no group of processes
752 will ever exhaust kernel resources alone. 752 will ever exhaust kernel resources alone.
753 753
754 config CGROUP_HUGETLB 754 config CGROUP_HUGETLB
755 bool "HugeTLB Resource Controller for Control Groups" 755 bool "HugeTLB Resource Controller for Control Groups"
756 depends on RESOURCE_COUNTERS && HUGETLB_PAGE && EXPERIMENTAL 756 depends on RESOURCE_COUNTERS && HUGETLB_PAGE && EXPERIMENTAL
757 default n 757 default n
758 help 758 help
759 Provides a cgroup Resource Controller for HugeTLB pages. 759 Provides a cgroup Resource Controller for HugeTLB pages.
760 When you enable this, you can put a per cgroup limit on HugeTLB usage. 760 When you enable this, you can put a per cgroup limit on HugeTLB usage.
761 The limit is enforced during page fault. Since HugeTLB doesn't 761 The limit is enforced during page fault. Since HugeTLB doesn't
762 support page reclaim, enforcing the limit at page fault time implies 762 support page reclaim, enforcing the limit at page fault time implies
763 that, the application will get SIGBUS signal if it tries to access 763 that, the application will get SIGBUS signal if it tries to access
764 HugeTLB pages beyond its limit. This requires the application to know 764 HugeTLB pages beyond its limit. This requires the application to know
765 beforehand how much HugeTLB pages it would require for its use. The 765 beforehand how much HugeTLB pages it would require for its use. The
766 control group is tracked in the third page lru pointer. This means 766 control group is tracked in the third page lru pointer. This means
767 that we cannot use the controller with huge page less than 3 pages. 767 that we cannot use the controller with huge page less than 3 pages.
768 768
769 config CGROUP_PERF 769 config CGROUP_PERF
770 bool "Enable perf_event per-cpu per-container group (cgroup) monitoring" 770 bool "Enable perf_event per-cpu per-container group (cgroup) monitoring"
771 depends on PERF_EVENTS && CGROUPS 771 depends on PERF_EVENTS && CGROUPS
772 help 772 help
773 This option extends the per-cpu mode to restrict monitoring to 773 This option extends the per-cpu mode to restrict monitoring to
774 threads which belong to the cgroup specified and run on the 774 threads which belong to the cgroup specified and run on the
775 designated cpu. 775 designated cpu.
776 776
777 Say N if unsure. 777 Say N if unsure.
778 778
779 menuconfig CGROUP_SCHED 779 menuconfig CGROUP_SCHED
780 bool "Group CPU scheduler" 780 bool "Group CPU scheduler"
781 default n 781 default n
782 help 782 help
783 This feature lets CPU scheduler recognize task groups and control CPU 783 This feature lets CPU scheduler recognize task groups and control CPU
784 bandwidth allocation to such task groups. It uses cgroups to group 784 bandwidth allocation to such task groups. It uses cgroups to group
785 tasks. 785 tasks.
786 786
787 if CGROUP_SCHED 787 if CGROUP_SCHED
788 config FAIR_GROUP_SCHED 788 config FAIR_GROUP_SCHED
789 bool "Group scheduling for SCHED_OTHER" 789 bool "Group scheduling for SCHED_OTHER"
790 depends on CGROUP_SCHED 790 depends on CGROUP_SCHED
791 default CGROUP_SCHED 791 default CGROUP_SCHED
792 792
793 config CFS_BANDWIDTH 793 config CFS_BANDWIDTH
794 bool "CPU bandwidth provisioning for FAIR_GROUP_SCHED" 794 bool "CPU bandwidth provisioning for FAIR_GROUP_SCHED"
795 depends on EXPERIMENTAL 795 depends on EXPERIMENTAL
796 depends on FAIR_GROUP_SCHED 796 depends on FAIR_GROUP_SCHED
797 default n 797 default n
798 help 798 help
799 This option allows users to define CPU bandwidth rates (limits) for 799 This option allows users to define CPU bandwidth rates (limits) for
800 tasks running within the fair group scheduler. Groups with no limit 800 tasks running within the fair group scheduler. Groups with no limit
801 set are considered to be unconstrained and will run with no 801 set are considered to be unconstrained and will run with no
802 restriction. 802 restriction.
803 See tip/Documentation/scheduler/sched-bwc.txt for more information. 803 See tip/Documentation/scheduler/sched-bwc.txt for more information.
804 804
805 config RT_GROUP_SCHED 805 config RT_GROUP_SCHED
806 bool "Group scheduling for SCHED_RR/FIFO" 806 bool "Group scheduling for SCHED_RR/FIFO"
807 depends on EXPERIMENTAL 807 depends on EXPERIMENTAL
808 depends on CGROUP_SCHED 808 depends on CGROUP_SCHED
809 default n 809 default n
810 help 810 help
811 This feature lets you explicitly allocate real CPU bandwidth 811 This feature lets you explicitly allocate real CPU bandwidth
812 to task groups. If enabled, it will also make it impossible to 812 to task groups. If enabled, it will also make it impossible to
813 schedule realtime tasks for non-root users until you allocate 813 schedule realtime tasks for non-root users until you allocate
814 realtime bandwidth for them. 814 realtime bandwidth for them.
815 See Documentation/scheduler/sched-rt-group.txt for more information. 815 See Documentation/scheduler/sched-rt-group.txt for more information.
816 816
817 endif #CGROUP_SCHED 817 endif #CGROUP_SCHED
818 818
819 config BLK_CGROUP 819 config BLK_CGROUP
820 bool "Block IO controller" 820 bool "Block IO controller"
821 depends on BLOCK 821 depends on BLOCK
822 default n 822 default n
823 ---help--- 823 ---help---
824 Generic block IO controller cgroup interface. This is the common 824 Generic block IO controller cgroup interface. This is the common
825 cgroup interface which should be used by various IO controlling 825 cgroup interface which should be used by various IO controlling
826 policies. 826 policies.
827 827
828 Currently, CFQ IO scheduler uses it to recognize task groups and 828 Currently, CFQ IO scheduler uses it to recognize task groups and
829 control disk bandwidth allocation (proportional time slice allocation) 829 control disk bandwidth allocation (proportional time slice allocation)
830 to such task groups. It is also used by bio throttling logic in 830 to such task groups. It is also used by bio throttling logic in
831 block layer to implement upper limit in IO rates on a device. 831 block layer to implement upper limit in IO rates on a device.
832 832
833 This option only enables generic Block IO controller infrastructure. 833 This option only enables generic Block IO controller infrastructure.
834 One needs to also enable actual IO controlling logic/policy. For 834 One needs to also enable actual IO controlling logic/policy. For
835 enabling proportional weight division of disk bandwidth in CFQ, set 835 enabling proportional weight division of disk bandwidth in CFQ, set
836 CONFIG_CFQ_GROUP_IOSCHED=y; for enabling throttling policy, set 836 CONFIG_CFQ_GROUP_IOSCHED=y; for enabling throttling policy, set
837 CONFIG_BLK_DEV_THROTTLING=y. 837 CONFIG_BLK_DEV_THROTTLING=y.
838 838
839 See Documentation/cgroups/blkio-controller.txt for more information. 839 See Documentation/cgroups/blkio-controller.txt for more information.
840 840
841 config DEBUG_BLK_CGROUP 841 config DEBUG_BLK_CGROUP
842 bool "Enable Block IO controller debugging" 842 bool "Enable Block IO controller debugging"
843 depends on BLK_CGROUP 843 depends on BLK_CGROUP
844 default n 844 default n
845 ---help--- 845 ---help---
846 Enable some debugging help. Currently it exports additional stat 846 Enable some debugging help. Currently it exports additional stat
847 files in a cgroup which can be useful for debugging. 847 files in a cgroup which can be useful for debugging.
848 848
849 endif # CGROUPS 849 endif # CGROUPS
850 850
851 config CHECKPOINT_RESTORE 851 config CHECKPOINT_RESTORE
852 bool "Checkpoint/restore support" if EXPERT 852 bool "Checkpoint/restore support" if EXPERT
853 default n 853 default n
854 help 854 help
855 Enables additional kernel features in a sake of checkpoint/restore. 855 Enables additional kernel features in a sake of checkpoint/restore.
856 In particular it adds auxiliary prctl codes to setup process text, 856 In particular it adds auxiliary prctl codes to setup process text,
857 data and heap segment sizes, and a few additional /proc filesystem 857 data and heap segment sizes, and a few additional /proc filesystem
858 entries. 858 entries.
859 859
860 If unsure, say N here. 860 If unsure, say N here.
861 861
862 menuconfig NAMESPACES 862 menuconfig NAMESPACES
863 bool "Namespaces support" if EXPERT 863 bool "Namespaces support" if EXPERT
864 default !EXPERT 864 default !EXPERT
865 help 865 help
866 Provides the way to make tasks work with different objects using 866 Provides the way to make tasks work with different objects using
867 the same id. For example same IPC id may refer to different objects 867 the same id. For example same IPC id may refer to different objects
868 or same user id or pid may refer to different tasks when used in 868 or same user id or pid may refer to different tasks when used in
869 different namespaces. 869 different namespaces.
870 870
871 if NAMESPACES 871 if NAMESPACES
872 872
873 config UTS_NS 873 config UTS_NS
874 bool "UTS namespace" 874 bool "UTS namespace"
875 default y 875 default y
876 help 876 help
877 In this namespace tasks see different info provided with the 877 In this namespace tasks see different info provided with the
878 uname() system call 878 uname() system call
879 879
880 config IPC_NS 880 config IPC_NS
881 bool "IPC namespace" 881 bool "IPC namespace"
882 depends on (SYSVIPC || POSIX_MQUEUE) 882 depends on (SYSVIPC || POSIX_MQUEUE)
883 default y 883 default y
884 help 884 help
885 In this namespace tasks work with IPC ids which correspond to 885 In this namespace tasks work with IPC ids which correspond to
886 different IPC objects in different namespaces. 886 different IPC objects in different namespaces.
887 887
888 config USER_NS 888 config USER_NS
889 bool "User namespace (EXPERIMENTAL)" 889 bool "User namespace (EXPERIMENTAL)"
890 depends on EXPERIMENTAL 890 depends on EXPERIMENTAL
891 depends on UIDGID_CONVERTED 891 depends on UIDGID_CONVERTED
892 select UIDGID_STRICT_TYPE_CHECKS 892 select UIDGID_STRICT_TYPE_CHECKS
893 893
894 default n 894 default n
895 help 895 help
896 This allows containers, i.e. vservers, to use user namespaces 896 This allows containers, i.e. vservers, to use user namespaces
897 to provide different user info for different servers. 897 to provide different user info for different servers.
898 If unsure, say N. 898 If unsure, say N.
899 899
900 config PID_NS 900 config PID_NS
901 bool "PID Namespaces" 901 bool "PID Namespaces"
902 default y 902 default y
903 help 903 help
904 Support process id namespaces. This allows having multiple 904 Support process id namespaces. This allows having multiple
905 processes with the same pid as long as they are in different 905 processes with the same pid as long as they are in different
906 pid namespaces. This is a building block of containers. 906 pid namespaces. This is a building block of containers.
907 907
908 config NET_NS 908 config NET_NS
909 bool "Network namespace" 909 bool "Network namespace"
910 depends on NET 910 depends on NET
911 default y 911 default y
912 help 912 help
913 Allow user space to create what appear to be multiple instances 913 Allow user space to create what appear to be multiple instances
914 of the network stack. 914 of the network stack.
915 915
916 endif # NAMESPACES 916 endif # NAMESPACES
917 917
918 config UIDGID_CONVERTED 918 config UIDGID_CONVERTED
919 # True if all of the selected software conmponents are known 919 # True if all of the selected software conmponents are known
920 # to have uid_t and gid_t converted to kuid_t and kgid_t 920 # to have uid_t and gid_t converted to kuid_t and kgid_t
921 # where appropriate and are otherwise safe to use with 921 # where appropriate and are otherwise safe to use with
922 # the user namespace. 922 # the user namespace.
923 bool 923 bool
924 default y 924 default y
925 925
926 # List of kernel pieces that need user namespace work 926 # List of kernel pieces that need user namespace work
927 # Features 927 # Features
928 depends on SYSVIPC = n 928 depends on SYSVIPC = n
929 depends on IMA = n 929 depends on IMA = n
930 depends on EVM = n 930 depends on EVM = n
931 depends on KEYS = n 931 depends on KEYS = n
932 depends on AUDIT = n 932 depends on AUDIT = n
933 depends on AUDITSYSCALL = n 933 depends on AUDITSYSCALL = n
934 depends on TASKSTATS = n 934 depends on TASKSTATS = n
935 depends on TRACING = n 935 depends on TRACING = n
936 depends on FS_POSIX_ACL = n 936 depends on FS_POSIX_ACL = n
937 depends on QUOTA = n 937 depends on QUOTA = n
938 depends on QUOTACTL = n 938 depends on QUOTACTL = n
939 depends on DEBUG_CREDENTIALS = n 939 depends on DEBUG_CREDENTIALS = n
940 depends on BSD_PROCESS_ACCT = n 940 depends on BSD_PROCESS_ACCT = n
941 depends on DRM = n 941 depends on DRM = n
942 depends on PROC_EVENTS = n 942 depends on PROC_EVENTS = n
943 943
944 # Networking 944 # Networking
945 depends on NET = n 945 depends on NET = n
946 depends on NET_9P = n 946 depends on NET_9P = n
947 depends on IPX = n 947 depends on IPX = n
948 depends on PHONET = n 948 depends on PHONET = n
949 depends on NET_CLS_FLOW = n 949 depends on NET_CLS_FLOW = n
950 depends on NETFILTER_XT_MATCH_OWNER = n 950 depends on NETFILTER_XT_MATCH_OWNER = n
951 depends on NETFILTER_XT_MATCH_RECENT = n 951 depends on NETFILTER_XT_MATCH_RECENT = n
952 depends on NETFILTER_XT_TARGET_LOG = n 952 depends on NETFILTER_XT_TARGET_LOG = n
953 depends on NETFILTER_NETLINK_LOG = n 953 depends on NETFILTER_NETLINK_LOG = n
954 depends on INET = n 954 depends on INET = n
955 depends on IPV6 = n 955 depends on IPV6 = n
956 depends on IP_SCTP = n 956 depends on IP_SCTP = n
957 depends on AF_RXRPC = n 957 depends on AF_RXRPC = n
958 depends on LLC2 = n 958 depends on LLC2 = n
959 depends on NET_KEY = n 959 depends on NET_KEY = n
960 depends on INET_DIAG = n 960 depends on INET_DIAG = n
961 depends on DNS_RESOLVER = n 961 depends on DNS_RESOLVER = n
962 depends on AX25 = n 962 depends on AX25 = n
963 depends on ATALK = n 963 depends on ATALK = n
964 964
965 # Filesystems 965 # Filesystems
966 depends on USB_DEVICEFS = n 966 depends on USB_DEVICEFS = n
967 depends on USB_GADGETFS = n 967 depends on USB_GADGETFS = n
968 depends on USB_FUNCTIONFS = n 968 depends on USB_FUNCTIONFS = n
969 depends on DEVTMPFS = n 969 depends on DEVTMPFS = n
970 depends on XENFS = n 970 depends on XENFS = n
971 971
972 depends on 9P_FS = n 972 depends on 9P_FS = n
973 depends on ADFS_FS = n 973 depends on ADFS_FS = n
974 depends on AFFS_FS = n 974 depends on AFFS_FS = n
975 depends on AFS_FS = n 975 depends on AFS_FS = n
976 depends on AUTOFS4_FS = n 976 depends on AUTOFS4_FS = n
977 depends on BEFS_FS = n 977 depends on BEFS_FS = n
978 depends on BFS_FS = n 978 depends on BFS_FS = n
979 depends on BTRFS_FS = n 979 depends on BTRFS_FS = n
980 depends on CEPH_FS = n 980 depends on CEPH_FS = n
981 depends on CIFS = n 981 depends on CIFS = n
982 depends on CODA_FS = n 982 depends on CODA_FS = n
983 depends on CONFIGFS_FS = n 983 depends on CONFIGFS_FS = n
984 depends on CRAMFS = n 984 depends on CRAMFS = n
985 depends on DEBUG_FS = n 985 depends on DEBUG_FS = n
986 depends on ECRYPT_FS = n 986 depends on ECRYPT_FS = n
987 depends on EFS_FS = n 987 depends on EFS_FS = n
988 depends on EXOFS_FS = n 988 depends on EXOFS_FS = n
989 depends on FAT_FS = n 989 depends on FAT_FS = n
990 depends on FUSE_FS = n 990 depends on FUSE_FS = n
991 depends on GFS2_FS = n 991 depends on GFS2_FS = n
992 depends on HFS_FS = n 992 depends on HFS_FS = n
993 depends on HFSPLUS_FS = n 993 depends on HFSPLUS_FS = n
994 depends on HPFS_FS = n 994 depends on HPFS_FS = n
995 depends on HUGETLBFS = n 995 depends on HUGETLBFS = n
996 depends on ISO9660_FS = n 996 depends on ISO9660_FS = n
997 depends on JFFS2_FS = n 997 depends on JFFS2_FS = n
998 depends on JFS_FS = n 998 depends on JFS_FS = n
999 depends on LOGFS = n 999 depends on LOGFS = n
1000 depends on MINIX_FS = n 1000 depends on MINIX_FS = n
1001 depends on NCP_FS = n 1001 depends on NCP_FS = n
1002 depends on NFSD = n 1002 depends on NFSD = n
1003 depends on NFS_FS = n 1003 depends on NFS_FS = n
1004 depends on NILFS2_FS = n 1004 depends on NILFS2_FS = n
1005 depends on NTFS_FS = n 1005 depends on NTFS_FS = n
1006 depends on OCFS2_FS = n 1006 depends on OCFS2_FS = n
1007 depends on OMFS_FS = n 1007 depends on OMFS_FS = n
1008 depends on QNX4FS_FS = n 1008 depends on QNX4FS_FS = n
1009 depends on QNX6FS_FS = n 1009 depends on QNX6FS_FS = n
1010 depends on REISERFS_FS = n 1010 depends on REISERFS_FS = n
1011 depends on SQUASHFS = n 1011 depends on SQUASHFS = n
1012 depends on SYSV_FS = n 1012 depends on SYSV_FS = n
1013 depends on UBIFS_FS = n 1013 depends on UBIFS_FS = n
1014 depends on UDF_FS = n 1014 depends on UDF_FS = n
1015 depends on UFS_FS = n 1015 depends on UFS_FS = n
1016 depends on VXFS_FS = n 1016 depends on VXFS_FS = n
1017 depends on XFS_FS = n 1017 depends on XFS_FS = n
1018 1018
1019 depends on !UML || HOSTFS = n 1019 depends on !UML || HOSTFS = n
1020 1020
1021 # The rare drivers that won't build 1021 # The rare drivers that won't build
1022 depends on AIRO = n 1022 depends on AIRO = n
1023 depends on AIRO_CS = n 1023 depends on AIRO_CS = n
1024 depends on TUN = n 1024 depends on TUN = n
1025 depends on INFINIBAND_QIB = n 1025 depends on INFINIBAND_QIB = n
1026 depends on BLK_DEV_LOOP = n 1026 depends on BLK_DEV_LOOP = n
1027 depends on ANDROID_BINDER_IPC = n 1027 depends on ANDROID_BINDER_IPC = n
1028 1028
1029 # Security modules 1029 # Security modules
1030 depends on SECURITY_TOMOYO = n 1030 depends on SECURITY_TOMOYO = n
1031 depends on SECURITY_APPARMOR = n 1031 depends on SECURITY_APPARMOR = n
1032 1032
1033 config UIDGID_STRICT_TYPE_CHECKS 1033 config UIDGID_STRICT_TYPE_CHECKS
1034 bool "Require conversions between uid/gids and their internal representation" 1034 bool "Require conversions between uid/gids and their internal representation"
1035 depends on UIDGID_CONVERTED 1035 depends on UIDGID_CONVERTED
1036 default n 1036 default n
1037 help 1037 help
1038 While the nececessary conversions are being added to all subsystems this option allows 1038 While the nececessary conversions are being added to all subsystems this option allows
1039 the code to continue to build for unconverted subsystems. 1039 the code to continue to build for unconverted subsystems.
1040 1040
1041 Say Y here if you want the strict type checking enabled 1041 Say Y here if you want the strict type checking enabled
1042 1042
1043 config SCHED_AUTOGROUP 1043 config SCHED_AUTOGROUP
1044 bool "Automatic process group scheduling" 1044 bool "Automatic process group scheduling"
1045 select EVENTFD 1045 select EVENTFD
1046 select CGROUPS 1046 select CGROUPS
1047 select CGROUP_SCHED 1047 select CGROUP_SCHED
1048 select FAIR_GROUP_SCHED 1048 select FAIR_GROUP_SCHED
1049 help 1049 help
1050 This option optimizes the scheduler for common desktop workloads by 1050 This option optimizes the scheduler for common desktop workloads by
1051 automatically creating and populating task groups. This separation 1051 automatically creating and populating task groups. This separation
1052 of workloads isolates aggressive CPU burners (like build jobs) from 1052 of workloads isolates aggressive CPU burners (like build jobs) from
1053 desktop applications. Task group autogeneration is currently based 1053 desktop applications. Task group autogeneration is currently based
1054 upon task session. 1054 upon task session.
1055 1055
1056 config MM_OWNER 1056 config MM_OWNER
1057 bool 1057 bool
1058 1058
1059 config SYSFS_DEPRECATED 1059 config SYSFS_DEPRECATED
1060 bool "Enable deprecated sysfs features to support old userspace tools" 1060 bool "Enable deprecated sysfs features to support old userspace tools"
1061 depends on SYSFS 1061 depends on SYSFS
1062 default n 1062 default n
1063 help 1063 help
1064 This option adds code that switches the layout of the "block" class 1064 This option adds code that switches the layout of the "block" class
1065 devices, to not show up in /sys/class/block/, but only in 1065 devices, to not show up in /sys/class/block/, but only in
1066 /sys/block/. 1066 /sys/block/.
1067 1067
1068 This switch is only active when the sysfs.deprecated=1 boot option is 1068 This switch is only active when the sysfs.deprecated=1 boot option is
1069 passed or the SYSFS_DEPRECATED_V2 option is set. 1069 passed or the SYSFS_DEPRECATED_V2 option is set.
1070 1070
1071 This option allows new kernels to run on old distributions and tools, 1071 This option allows new kernels to run on old distributions and tools,
1072 which might get confused by /sys/class/block/. Since 2007/2008 all 1072 which might get confused by /sys/class/block/. Since 2007/2008 all
1073 major distributions and tools handle this just fine. 1073 major distributions and tools handle this just fine.
1074 1074
1075 Recent distributions and userspace tools after 2009/2010 depend on 1075 Recent distributions and userspace tools after 2009/2010 depend on
1076 the existence of /sys/class/block/, and will not work with this 1076 the existence of /sys/class/block/, and will not work with this
1077 option enabled. 1077 option enabled.
1078 1078
1079 Only if you are using a new kernel on an old distribution, you might 1079 Only if you are using a new kernel on an old distribution, you might
1080 need to say Y here. 1080 need to say Y here.
1081 1081
1082 config SYSFS_DEPRECATED_V2 1082 config SYSFS_DEPRECATED_V2
1083 bool "Enable deprecated sysfs features by default" 1083 bool "Enable deprecated sysfs features by default"
1084 default n 1084 default n
1085 depends on SYSFS 1085 depends on SYSFS
1086 depends on SYSFS_DEPRECATED 1086 depends on SYSFS_DEPRECATED
1087 help 1087 help
1088 Enable deprecated sysfs by default. 1088 Enable deprecated sysfs by default.
1089 1089
1090 See the CONFIG_SYSFS_DEPRECATED option for more details about this 1090 See the CONFIG_SYSFS_DEPRECATED option for more details about this
1091 option. 1091 option.
1092 1092
1093 Only if you are using a new kernel on an old distribution, you might 1093 Only if you are using a new kernel on an old distribution, you might
1094 need to say Y here. Even then, odds are you would not need it 1094 need to say Y here. Even then, odds are you would not need it
1095 enabled, you can always pass the boot option if absolutely necessary. 1095 enabled, you can always pass the boot option if absolutely necessary.
1096 1096
1097 config RELAY 1097 config RELAY
1098 bool "Kernel->user space relay support (formerly relayfs)" 1098 bool "Kernel->user space relay support (formerly relayfs)"
1099 help 1099 help
1100 This option enables support for relay interface support in 1100 This option enables support for relay interface support in
1101 certain file systems (such as debugfs). 1101 certain file systems (such as debugfs).
1102 It is designed to provide an efficient mechanism for tools and 1102 It is designed to provide an efficient mechanism for tools and
1103 facilities to relay large amounts of data from kernel space to 1103 facilities to relay large amounts of data from kernel space to
1104 user space. 1104 user space.
1105 1105
1106 If unsure, say N. 1106 If unsure, say N.
1107 1107
1108 config BLK_DEV_INITRD 1108 config BLK_DEV_INITRD
1109 bool "Initial RAM filesystem and RAM disk (initramfs/initrd) support" 1109 bool "Initial RAM filesystem and RAM disk (initramfs/initrd) support"
1110 depends on BROKEN || !FRV 1110 depends on BROKEN || !FRV
1111 help 1111 help
1112 The initial RAM filesystem is a ramfs which is loaded by the 1112 The initial RAM filesystem is a ramfs which is loaded by the
1113 boot loader (loadlin or lilo) and that is mounted as root 1113 boot loader (loadlin or lilo) and that is mounted as root
1114 before the normal boot procedure. It is typically used to 1114 before the normal boot procedure. It is typically used to
1115 load modules needed to mount the "real" root file system, 1115 load modules needed to mount the "real" root file system,
1116 etc. See <file:Documentation/initrd.txt> for details. 1116 etc. See <file:Documentation/initrd.txt> for details.
1117 1117
1118 If RAM disk support (BLK_DEV_RAM) is also included, this 1118 If RAM disk support (BLK_DEV_RAM) is also included, this
1119 also enables initial RAM disk (initrd) support and adds 1119 also enables initial RAM disk (initrd) support and adds
1120 15 Kbytes (more on some other architectures) to the kernel size. 1120 15 Kbytes (more on some other architectures) to the kernel size.
1121 1121
1122 If unsure say Y. 1122 If unsure say Y.
1123 1123
1124 if BLK_DEV_INITRD 1124 if BLK_DEV_INITRD
1125 1125
1126 source "usr/Kconfig" 1126 source "usr/Kconfig"
1127 1127
1128 endif 1128 endif
1129 1129
1130 config CC_OPTIMIZE_FOR_SIZE 1130 config CC_OPTIMIZE_FOR_SIZE
1131 bool "Optimize for size" 1131 bool "Optimize for size"
1132 help 1132 help
1133 Enabling this option will pass "-Os" instead of "-O2" to gcc 1133 Enabling this option will pass "-Os" instead of "-O2" to gcc
1134 resulting in a smaller kernel. 1134 resulting in a smaller kernel.
1135 1135
1136 If unsure, say Y. 1136 If unsure, say Y.
1137 1137
1138 config SYSCTL 1138 config SYSCTL
1139 bool 1139 bool
1140 1140
1141 config ANON_INODES 1141 config ANON_INODES
1142 bool 1142 bool
1143 1143
1144 menuconfig EXPERT 1144 menuconfig EXPERT
1145 bool "Configure standard kernel features (expert users)" 1145 bool "Configure standard kernel features (expert users)"
1146 # Unhide debug options, to make the on-by-default options visible 1146 # Unhide debug options, to make the on-by-default options visible
1147 select DEBUG_KERNEL 1147 select DEBUG_KERNEL
1148 help 1148 help
1149 This option allows certain base kernel options and settings 1149 This option allows certain base kernel options and settings
1150 to be disabled or tweaked. This is for specialized 1150 to be disabled or tweaked. This is for specialized
1151 environments which can tolerate a "non-standard" kernel. 1151 environments which can tolerate a "non-standard" kernel.
1152 Only use this if you really know what you are doing. 1152 Only use this if you really know what you are doing.
1153 1153
1154 config UID16 1154 config UID16
1155 bool "Enable 16-bit UID system calls" if EXPERT 1155 bool "Enable 16-bit UID system calls" if EXPERT
1156 depends on ARM || BLACKFIN || CRIS || FRV || H8300 || X86_32 || M68K || (S390 && !64BIT) || SUPERH || SPARC32 || (SPARC64 && COMPAT) || UML || (X86_64 && IA32_EMULATION) 1156 depends on ARM || BLACKFIN || CRIS || FRV || H8300 || X86_32 || M68K || (S390 && !64BIT) || SUPERH || SPARC32 || (SPARC64 && COMPAT) || UML || (X86_64 && IA32_EMULATION)
1157 default y 1157 default y
1158 help 1158 help
1159 This enables the legacy 16-bit UID syscall wrappers. 1159 This enables the legacy 16-bit UID syscall wrappers.
1160 1160
1161 config SYSCTL_SYSCALL 1161 config SYSCTL_SYSCALL
1162 bool "Sysctl syscall support" if EXPERT 1162 bool "Sysctl syscall support" if EXPERT
1163 depends on PROC_SYSCTL 1163 depends on PROC_SYSCTL
1164 default n 1164 default n
1165 select SYSCTL 1165 select SYSCTL
1166 ---help--- 1166 ---help---
1167 sys_sysctl uses binary paths that have been found challenging 1167 sys_sysctl uses binary paths that have been found challenging
1168 to properly maintain and use. The interface in /proc/sys 1168 to properly maintain and use. The interface in /proc/sys
1169 using paths with ascii names is now the primary path to this 1169 using paths with ascii names is now the primary path to this
1170 information. 1170 information.
1171 1171
1172 Almost nothing using the binary sysctl interface so if you are 1172 Almost nothing using the binary sysctl interface so if you are
1173 trying to save some space it is probably safe to disable this, 1173 trying to save some space it is probably safe to disable this,
1174 making your kernel marginally smaller. 1174 making your kernel marginally smaller.
1175 1175
1176 If unsure say N here. 1176 If unsure say N here.
1177 1177
1178 config KALLSYMS 1178 config KALLSYMS
1179 bool "Load all symbols for debugging/ksymoops" if EXPERT 1179 bool "Load all symbols for debugging/ksymoops" if EXPERT
1180 default y 1180 default y
1181 help 1181 help
1182 Say Y here to let the kernel print out symbolic crash information and 1182 Say Y here to let the kernel print out symbolic crash information and
1183 symbolic stack backtraces. This increases the size of the kernel 1183 symbolic stack backtraces. This increases the size of the kernel
1184 somewhat, as all symbols have to be loaded into the kernel image. 1184 somewhat, as all symbols have to be loaded into the kernel image.
1185 1185
1186 config KALLSYMS_ALL 1186 config KALLSYMS_ALL
1187 bool "Include all symbols in kallsyms" 1187 bool "Include all symbols in kallsyms"
1188 depends on DEBUG_KERNEL && KALLSYMS 1188 depends on DEBUG_KERNEL && KALLSYMS
1189 help 1189 help
1190 Normally kallsyms only contains the symbols of functions for nicer 1190 Normally kallsyms only contains the symbols of functions for nicer
1191 OOPS messages and backtraces (i.e., symbols from the text and inittext 1191 OOPS messages and backtraces (i.e., symbols from the text and inittext
1192 sections). This is sufficient for most cases. And only in very rare 1192 sections). This is sufficient for most cases. And only in very rare
1193 cases (e.g., when a debugger is used) all symbols are required (e.g., 1193 cases (e.g., when a debugger is used) all symbols are required (e.g.,
1194 names of variables from the data sections, etc). 1194 names of variables from the data sections, etc).
1195 1195
1196 This option makes sure that all symbols are loaded into the kernel 1196 This option makes sure that all symbols are loaded into the kernel
1197 image (i.e., symbols from all sections) in cost of increased kernel 1197 image (i.e., symbols from all sections) in cost of increased kernel
1198 size (depending on the kernel configuration, it may be 300KiB or 1198 size (depending on the kernel configuration, it may be 300KiB or
1199 something like this). 1199 something like this).
1200 1200
1201 Say N unless you really need all symbols. 1201 Say N unless you really need all symbols.
1202 1202
1203 config HOTPLUG 1203 config HOTPLUG
1204 bool "Support for hot-pluggable devices" if EXPERT 1204 bool "Support for hot-pluggable devices" if EXPERT
1205 default y 1205 default y
1206 help 1206 help
1207 This option is provided for the case where no hotplug or uevent 1207 This option is provided for the case where no hotplug or uevent
1208 capabilities is wanted by the kernel. You should only consider 1208 capabilities is wanted by the kernel. You should only consider
1209 disabling this option for embedded systems that do not use modules, a 1209 disabling this option for embedded systems that do not use modules, a
1210 dynamic /dev tree, or dynamic device discovery. Just say Y. 1210 dynamic /dev tree, or dynamic device discovery. Just say Y.
1211 1211
1212 config PRINTK 1212 config PRINTK
1213 default y 1213 default y
1214 bool "Enable support for printk" if EXPERT 1214 bool "Enable support for printk" if EXPERT
1215 help 1215 help
1216 This option enables normal printk support. Removing it 1216 This option enables normal printk support. Removing it
1217 eliminates most of the message strings from the kernel image 1217 eliminates most of the message strings from the kernel image
1218 and makes the kernel more or less silent. As this makes it 1218 and makes the kernel more or less silent. As this makes it
1219 very difficult to diagnose system problems, saying N here is 1219 very difficult to diagnose system problems, saying N here is
1220 strongly discouraged. 1220 strongly discouraged.
1221 1221
1222 config BUG 1222 config BUG
1223 bool "BUG() support" if EXPERT 1223 bool "BUG() support" if EXPERT
1224 default y 1224 default y
1225 help 1225 help
1226 Disabling this option eliminates support for BUG and WARN, reducing 1226 Disabling this option eliminates support for BUG and WARN, reducing
1227 the size of your kernel image and potentially quietly ignoring 1227 the size of your kernel image and potentially quietly ignoring
1228 numerous fatal conditions. You should only consider disabling this 1228 numerous fatal conditions. You should only consider disabling this
1229 option for embedded systems with no facilities for reporting errors. 1229 option for embedded systems with no facilities for reporting errors.
1230 Just say Y. 1230 Just say Y.
1231 1231
1232 config ELF_CORE 1232 config ELF_CORE
1233 default y 1233 default y
1234 bool "Enable ELF core dumps" if EXPERT 1234 bool "Enable ELF core dumps" if EXPERT
1235 help 1235 help
1236 Enable support for generating core dumps. Disabling saves about 4k. 1236 Enable support for generating core dumps. Disabling saves about 4k.
1237 1237
1238 1238
1239 config PCSPKR_PLATFORM 1239 config PCSPKR_PLATFORM
1240 bool "Enable PC-Speaker support" if EXPERT 1240 bool "Enable PC-Speaker support" if EXPERT
1241 depends on HAVE_PCSPKR_PLATFORM 1241 depends on HAVE_PCSPKR_PLATFORM
1242 select I8253_LOCK 1242 select I8253_LOCK
1243 default y 1243 default y
1244 help 1244 help
1245 This option allows to disable the internal PC-Speaker 1245 This option allows to disable the internal PC-Speaker
1246 support, saving some memory. 1246 support, saving some memory.
1247 1247
1248 config HAVE_PCSPKR_PLATFORM 1248 config HAVE_PCSPKR_PLATFORM
1249 bool 1249 bool
1250 1250
1251 config BASE_FULL 1251 config BASE_FULL
1252 default y 1252 default y
1253 bool "Enable full-sized data structures for core" if EXPERT 1253 bool "Enable full-sized data structures for core" if EXPERT
1254 help 1254 help
1255 Disabling this option reduces the size of miscellaneous core 1255 Disabling this option reduces the size of miscellaneous core
1256 kernel data structures. This saves memory on small machines, 1256 kernel data structures. This saves memory on small machines,
1257 but may reduce performance. 1257 but may reduce performance.
1258 1258
1259 config FUTEX 1259 config FUTEX
1260 bool "Enable futex support" if EXPERT 1260 bool "Enable futex support" if EXPERT
1261 default y 1261 default y
1262 select RT_MUTEXES 1262 select RT_MUTEXES
1263 help 1263 help
1264 Disabling this option will cause the kernel to be built without 1264 Disabling this option will cause the kernel to be built without
1265 support for "fast userspace mutexes". The resulting kernel may not 1265 support for "fast userspace mutexes". The resulting kernel may not
1266 run glibc-based applications correctly. 1266 run glibc-based applications correctly.
1267 1267
1268 config EPOLL 1268 config EPOLL
1269 bool "Enable eventpoll support" if EXPERT 1269 bool "Enable eventpoll support" if EXPERT
1270 default y 1270 default y
1271 select ANON_INODES 1271 select ANON_INODES
1272 help 1272 help
1273 Disabling this option will cause the kernel to be built without 1273 Disabling this option will cause the kernel to be built without
1274 support for epoll family of system calls. 1274 support for epoll family of system calls.
1275 1275
1276 config SIGNALFD 1276 config SIGNALFD
1277 bool "Enable signalfd() system call" if EXPERT 1277 bool "Enable signalfd() system call" if EXPERT
1278 select ANON_INODES 1278 select ANON_INODES
1279 default y 1279 default y
1280 help 1280 help
1281 Enable the signalfd() system call that allows to receive signals 1281 Enable the signalfd() system call that allows to receive signals
1282 on a file descriptor. 1282 on a file descriptor.
1283 1283
1284 If unsure, say Y. 1284 If unsure, say Y.
1285 1285
1286 config TIMERFD 1286 config TIMERFD
1287 bool "Enable timerfd() system call" if EXPERT 1287 bool "Enable timerfd() system call" if EXPERT
1288 select ANON_INODES 1288 select ANON_INODES
1289 default y 1289 default y
1290 help 1290 help
1291 Enable the timerfd() system call that allows to receive timer 1291 Enable the timerfd() system call that allows to receive timer
1292 events on a file descriptor. 1292 events on a file descriptor.
1293 1293
1294 If unsure, say Y. 1294 If unsure, say Y.
1295 1295
1296 config EVENTFD 1296 config EVENTFD
1297 bool "Enable eventfd() system call" if EXPERT 1297 bool "Enable eventfd() system call" if EXPERT
1298 select ANON_INODES 1298 select ANON_INODES
1299 default y 1299 default y
1300 help 1300 help
1301 Enable the eventfd() system call that allows to receive both 1301 Enable the eventfd() system call that allows to receive both
1302 kernel notification (ie. KAIO) or userspace notifications. 1302 kernel notification (ie. KAIO) or userspace notifications.
1303 1303
1304 If unsure, say Y. 1304 If unsure, say Y.
1305 1305
1306 config SHMEM 1306 config SHMEM
1307 bool "Use full shmem filesystem" if EXPERT 1307 bool "Use full shmem filesystem" if EXPERT
1308 default y 1308 default y
1309 depends on MMU 1309 depends on MMU
1310 help 1310 help
1311 The shmem is an internal filesystem used to manage shared memory. 1311 The shmem is an internal filesystem used to manage shared memory.
1312 It is backed by swap and manages resource limits. It is also exported 1312 It is backed by swap and manages resource limits. It is also exported
1313 to userspace as tmpfs if TMPFS is enabled. Disabling this 1313 to userspace as tmpfs if TMPFS is enabled. Disabling this
1314 option replaces shmem and tmpfs with the much simpler ramfs code, 1314 option replaces shmem and tmpfs with the much simpler ramfs code,
1315 which may be appropriate on small systems without swap. 1315 which may be appropriate on small systems without swap.
1316 1316
1317 config AIO 1317 config AIO
1318 bool "Enable AIO support" if EXPERT 1318 bool "Enable AIO support" if EXPERT
1319 default y 1319 default y
1320 help 1320 help
1321 This option enables POSIX asynchronous I/O which may by used 1321 This option enables POSIX asynchronous I/O which may by used
1322 by some high performance threaded applications. Disabling 1322 by some high performance threaded applications. Disabling
1323 this option saves about 7k. 1323 this option saves about 7k.
1324 1324
1325 config EMBEDDED 1325 config EMBEDDED
1326 bool "Embedded system" 1326 bool "Embedded system"
1327 select EXPERT 1327 select EXPERT
1328 help 1328 help
1329 This option should be enabled if compiling the kernel for 1329 This option should be enabled if compiling the kernel for
1330 an embedded system so certain expert options are available 1330 an embedded system so certain expert options are available
1331 for configuration. 1331 for configuration.
1332 1332
1333 config HAVE_PERF_EVENTS 1333 config HAVE_PERF_EVENTS
1334 bool 1334 bool
1335 help 1335 help
1336 See tools/perf/design.txt for details. 1336 See tools/perf/design.txt for details.
1337 1337
1338 config PERF_USE_VMALLOC 1338 config PERF_USE_VMALLOC
1339 bool 1339 bool
1340 help 1340 help
1341 See tools/perf/design.txt for details 1341 See tools/perf/design.txt for details
1342 1342
1343 menu "Kernel Performance Events And Counters" 1343 menu "Kernel Performance Events And Counters"
1344 1344
1345 config PERF_EVENTS 1345 config PERF_EVENTS
1346 bool "Kernel performance events and counters" 1346 bool "Kernel performance events and counters"
1347 default y if PROFILING 1347 default y if PROFILING
1348 depends on HAVE_PERF_EVENTS 1348 depends on HAVE_PERF_EVENTS
1349 select ANON_INODES 1349 select ANON_INODES
1350 select IRQ_WORK 1350 select IRQ_WORK
1351 help 1351 help
1352 Enable kernel support for various performance events provided 1352 Enable kernel support for various performance events provided
1353 by software and hardware. 1353 by software and hardware.
1354 1354
1355 Software events are supported either built-in or via the 1355 Software events are supported either built-in or via the
1356 use of generic tracepoints. 1356 use of generic tracepoints.
1357 1357
1358 Most modern CPUs support performance events via performance 1358 Most modern CPUs support performance events via performance
1359 counter registers. These registers count the number of certain 1359 counter registers. These registers count the number of certain
1360 types of hw events: such as instructions executed, cachemisses 1360 types of hw events: such as instructions executed, cachemisses
1361 suffered, or branches mis-predicted - without slowing down the 1361 suffered, or branches mis-predicted - without slowing down the
1362 kernel or applications. These registers can also trigger interrupts 1362 kernel or applications. These registers can also trigger interrupts
1363 when a threshold number of events have passed - and can thus be 1363 when a threshold number of events have passed - and can thus be
1364 used to profile the code that runs on that CPU. 1364 used to profile the code that runs on that CPU.
1365 1365
1366 The Linux Performance Event subsystem provides an abstraction of 1366 The Linux Performance Event subsystem provides an abstraction of
1367 these software and hardware event capabilities, available via a 1367 these software and hardware event capabilities, available via a
1368 system call and used by the "perf" utility in tools/perf/. It 1368 system call and used by the "perf" utility in tools/perf/. It
1369 provides per task and per CPU counters, and it provides event 1369 provides per task and per CPU counters, and it provides event
1370 capabilities on top of those. 1370 capabilities on top of those.
1371 1371
1372 Say Y if unsure. 1372 Say Y if unsure.
1373 1373
1374 config DEBUG_PERF_USE_VMALLOC 1374 config DEBUG_PERF_USE_VMALLOC
1375 default n 1375 default n
1376 bool "Debug: use vmalloc to back perf mmap() buffers" 1376 bool "Debug: use vmalloc to back perf mmap() buffers"
1377 depends on PERF_EVENTS && DEBUG_KERNEL 1377 depends on PERF_EVENTS && DEBUG_KERNEL
1378 select PERF_USE_VMALLOC 1378 select PERF_USE_VMALLOC
1379 help 1379 help
1380 Use vmalloc memory to back perf mmap() buffers. 1380 Use vmalloc memory to back perf mmap() buffers.
1381 1381
1382 Mostly useful for debugging the vmalloc code on platforms 1382 Mostly useful for debugging the vmalloc code on platforms
1383 that don't require it. 1383 that don't require it.
1384 1384
1385 Say N if unsure. 1385 Say N if unsure.
1386 1386
1387 endmenu 1387 endmenu
1388 1388
1389 config VM_EVENT_COUNTERS 1389 config VM_EVENT_COUNTERS
1390 default y 1390 default y
1391 bool "Enable VM event counters for /proc/vmstat" if EXPERT 1391 bool "Enable VM event counters for /proc/vmstat" if EXPERT
1392 help 1392 help
1393 VM event counters are needed for event counts to be shown. 1393 VM event counters are needed for event counts to be shown.
1394 This option allows the disabling of the VM event counters 1394 This option allows the disabling of the VM event counters
1395 on EXPERT systems. /proc/vmstat will only show page counts 1395 on EXPERT systems. /proc/vmstat will only show page counts
1396 if VM event counters are disabled. 1396 if VM event counters are disabled.
1397 1397
1398 config PCI_QUIRKS 1398 config PCI_QUIRKS
1399 default y 1399 default y
1400 bool "Enable PCI quirk workarounds" if EXPERT 1400 bool "Enable PCI quirk workarounds" if EXPERT
1401 depends on PCI 1401 depends on PCI
1402 help 1402 help
1403 This enables workarounds for various PCI chipset 1403 This enables workarounds for various PCI chipset
1404 bugs/quirks. Disable this only if your target machine is 1404 bugs/quirks. Disable this only if your target machine is
1405 unaffected by PCI quirks. 1405 unaffected by PCI quirks.
1406 1406
1407 config SLUB_DEBUG 1407 config SLUB_DEBUG
1408 default y 1408 default y
1409 bool "Enable SLUB debugging support" if EXPERT 1409 bool "Enable SLUB debugging support" if EXPERT
1410 depends on SLUB && SYSFS 1410 depends on SLUB && SYSFS
1411 help 1411 help
1412 SLUB has extensive debug support features. Disabling these can 1412 SLUB has extensive debug support features. Disabling these can
1413 result in significant savings in code size. This also disables 1413 result in significant savings in code size. This also disables
1414 SLUB sysfs support. /sys/slab will not exist and there will be 1414 SLUB sysfs support. /sys/slab will not exist and there will be
1415 no support for cache validation etc. 1415 no support for cache validation etc.
1416 1416
1417 config COMPAT_BRK 1417 config COMPAT_BRK
1418 bool "Disable heap randomization" 1418 bool "Disable heap randomization"
1419 default y 1419 default y
1420 help 1420 help
1421 Randomizing heap placement makes heap exploits harder, but it 1421 Randomizing heap placement makes heap exploits harder, but it
1422 also breaks ancient binaries (including anything libc5 based). 1422 also breaks ancient binaries (including anything libc5 based).
1423 This option changes the bootup default to heap randomization 1423 This option changes the bootup default to heap randomization
1424 disabled, and can be overridden at runtime by setting 1424 disabled, and can be overridden at runtime by setting
1425 /proc/sys/kernel/randomize_va_space to 2. 1425 /proc/sys/kernel/randomize_va_space to 2.
1426 1426
1427 On non-ancient distros (post-2000 ones) N is usually a safe choice. 1427 On non-ancient distros (post-2000 ones) N is usually a safe choice.
1428 1428
1429 choice 1429 choice
1430 prompt "Choose SLAB allocator" 1430 prompt "Choose SLAB allocator"
1431 default SLUB 1431 default SLUB
1432 help 1432 help
1433 This option allows to select a slab allocator. 1433 This option allows to select a slab allocator.
1434 1434
1435 config SLAB 1435 config SLAB
1436 bool "SLAB" 1436 bool "SLAB"
1437 help 1437 help
1438 The regular slab allocator that is established and known to work 1438 The regular slab allocator that is established and known to work
1439 well in all environments. It organizes cache hot objects in 1439 well in all environments. It organizes cache hot objects in
1440 per cpu and per node queues. 1440 per cpu and per node queues.
1441 1441
1442 config SLUB 1442 config SLUB
1443 bool "SLUB (Unqueued Allocator)" 1443 bool "SLUB (Unqueued Allocator)"
1444 help 1444 help
1445 SLUB is a slab allocator that minimizes cache line usage 1445 SLUB is a slab allocator that minimizes cache line usage
1446 instead of managing queues of cached objects (SLAB approach). 1446 instead of managing queues of cached objects (SLAB approach).
1447 Per cpu caching is realized using slabs of objects instead 1447 Per cpu caching is realized using slabs of objects instead
1448 of queues of objects. SLUB can use memory efficiently 1448 of queues of objects. SLUB can use memory efficiently
1449 and has enhanced diagnostics. SLUB is the default choice for 1449 and has enhanced diagnostics. SLUB is the default choice for
1450 a slab allocator. 1450 a slab allocator.
1451 1451
1452 config SLOB 1452 config SLOB
1453 depends on EXPERT 1453 depends on EXPERT
1454 bool "SLOB (Simple Allocator)" 1454 bool "SLOB (Simple Allocator)"
1455 help 1455 help
1456 SLOB replaces the stock allocator with a drastically simpler 1456 SLOB replaces the stock allocator with a drastically simpler
1457 allocator. SLOB is generally more space efficient but 1457 allocator. SLOB is generally more space efficient but
1458 does not perform as well on large systems. 1458 does not perform as well on large systems.
1459 1459
1460 endchoice 1460 endchoice
1461 1461
1462 config MMAP_ALLOW_UNINITIALIZED 1462 config MMAP_ALLOW_UNINITIALIZED
1463 bool "Allow mmapped anonymous memory to be uninitialized" 1463 bool "Allow mmapped anonymous memory to be uninitialized"
1464 depends on EXPERT && !MMU 1464 depends on EXPERT && !MMU
1465 default n 1465 default n
1466 help 1466 help
1467 Normally, and according to the Linux spec, anonymous memory obtained 1467 Normally, and according to the Linux spec, anonymous memory obtained
1468 from mmap() has it's contents cleared before it is passed to 1468 from mmap() has it's contents cleared before it is passed to
1469 userspace. Enabling this config option allows you to request that 1469 userspace. Enabling this config option allows you to request that
1470 mmap() skip that if it is given an MAP_UNINITIALIZED flag, thus 1470 mmap() skip that if it is given an MAP_UNINITIALIZED flag, thus
1471 providing a huge performance boost. If this option is not enabled, 1471 providing a huge performance boost. If this option is not enabled,
1472 then the flag will be ignored. 1472 then the flag will be ignored.
1473 1473
1474 This is taken advantage of by uClibc's malloc(), and also by 1474 This is taken advantage of by uClibc's malloc(), and also by
1475 ELF-FDPIC binfmt's brk and stack allocator. 1475 ELF-FDPIC binfmt's brk and stack allocator.
1476 1476
1477 Because of the obvious security issues, this option should only be 1477 Because of the obvious security issues, this option should only be
1478 enabled on embedded devices where you control what is run in 1478 enabled on embedded devices where you control what is run in
1479 userspace. Since that isn't generally a problem on no-MMU systems, 1479 userspace. Since that isn't generally a problem on no-MMU systems,
1480 it is normally safe to say Y here. 1480 it is normally safe to say Y here.
1481 1481
1482 See Documentation/nommu-mmap.txt for more information. 1482 See Documentation/nommu-mmap.txt for more information.
1483 1483
1484 config PROFILING 1484 config PROFILING
1485 bool "Profiling support" 1485 bool "Profiling support"
1486 help 1486 help
1487 Say Y here to enable the extended profiling support mechanisms used 1487 Say Y here to enable the extended profiling support mechanisms used
1488 by profilers such as OProfile. 1488 by profilers such as OProfile.
1489 1489
1490 # 1490 #
1491 # Place an empty function call at each tracepoint site. Can be 1491 # Place an empty function call at each tracepoint site. Can be
1492 # dynamically changed for a probe function. 1492 # dynamically changed for a probe function.
1493 # 1493 #
1494 config TRACEPOINTS 1494 config TRACEPOINTS
1495 bool 1495 bool
1496 1496
1497 source "arch/Kconfig" 1497 source "arch/Kconfig"
1498 1498
1499 endmenu # General setup 1499 endmenu # General setup
1500 1500
1501 config HAVE_GENERIC_DMA_COHERENT 1501 config HAVE_GENERIC_DMA_COHERENT
1502 bool 1502 bool
1503 default n 1503 default n
1504 1504
1505 config SLABINFO 1505 config SLABINFO
1506 bool 1506 bool
1507 depends on PROC_FS 1507 depends on PROC_FS
1508 depends on SLAB || SLUB_DEBUG 1508 depends on SLAB || SLUB_DEBUG
1509 default y 1509 default y
1510 1510
1511 config RT_MUTEXES 1511 config RT_MUTEXES
1512 boolean 1512 boolean
1513 1513
1514 config BASE_SMALL 1514 config BASE_SMALL
1515 int 1515 int
1516 default 0 if BASE_FULL 1516 default 0 if BASE_FULL
1517 default 1 if !BASE_FULL 1517 default 1 if !BASE_FULL
1518 1518
1519 menuconfig MODULES 1519 menuconfig MODULES
1520 bool "Enable loadable module support" 1520 bool "Enable loadable module support"
1521 help 1521 help
1522 Kernel modules are small pieces of compiled code which can 1522 Kernel modules are small pieces of compiled code which can
1523 be inserted in the running kernel, rather than being 1523 be inserted in the running kernel, rather than being
1524 permanently built into the kernel. You use the "modprobe" 1524 permanently built into the kernel. You use the "modprobe"
1525 tool to add (and sometimes remove) them. If you say Y here, 1525 tool to add (and sometimes remove) them. If you say Y here,
1526 many parts of the kernel can be built as modules (by 1526 many parts of the kernel can be built as modules (by
1527 answering M instead of Y where indicated): this is most 1527 answering M instead of Y where indicated): this is most
1528 useful for infrequently used options which are not required 1528 useful for infrequently used options which are not required
1529 for booting. For more information, see the man pages for 1529 for booting. For more information, see the man pages for
1530 modprobe, lsmod, modinfo, insmod and rmmod. 1530 modprobe, lsmod, modinfo, insmod and rmmod.
1531 1531
1532 If you say Y here, you will need to run "make 1532 If you say Y here, you will need to run "make
1533 modules_install" to put the modules under /lib/modules/ 1533 modules_install" to put the modules under /lib/modules/
1534 where modprobe can find them (you may need to be root to do 1534 where modprobe can find them (you may need to be root to do
1535 this). 1535 this).
1536 1536
1537 If unsure, say Y. 1537 If unsure, say Y.
1538 1538
1539 if MODULES 1539 if MODULES
1540 1540
1541 config MODULE_FORCE_LOAD 1541 config MODULE_FORCE_LOAD
1542 bool "Forced module loading" 1542 bool "Forced module loading"
1543 default n 1543 default n
1544 help 1544 help
1545 Allow loading of modules without version information (ie. modprobe 1545 Allow loading of modules without version information (ie. modprobe
1546 --force). Forced module loading sets the 'F' (forced) taint flag and 1546 --force). Forced module loading sets the 'F' (forced) taint flag and
1547 is usually a really bad idea. 1547 is usually a really bad idea.
1548 1548
1549 config MODULE_UNLOAD 1549 config MODULE_UNLOAD
1550 bool "Module unloading" 1550 bool "Module unloading"
1551 help 1551 help
1552 Without this option you will not be able to unload any 1552 Without this option you will not be able to unload any
1553 modules (note that some modules may not be unloadable 1553 modules (note that some modules may not be unloadable
1554 anyway), which makes your kernel smaller, faster 1554 anyway), which makes your kernel smaller, faster
1555 and simpler. If unsure, say Y. 1555 and simpler. If unsure, say Y.
1556 1556
1557 config MODULE_FORCE_UNLOAD 1557 config MODULE_FORCE_UNLOAD
1558 bool "Forced module unloading" 1558 bool "Forced module unloading"
1559 depends on MODULE_UNLOAD && EXPERIMENTAL 1559 depends on MODULE_UNLOAD && EXPERIMENTAL
1560 help 1560 help
1561 This option allows you to force a module to unload, even if the 1561 This option allows you to force a module to unload, even if the
1562 kernel believes it is unsafe: the kernel will remove the module 1562 kernel believes it is unsafe: the kernel will remove the module
1563 without waiting for anyone to stop using it (using the -f option to 1563 without waiting for anyone to stop using it (using the -f option to
1564 rmmod). This is mainly for kernel developers and desperate users. 1564 rmmod). This is mainly for kernel developers and desperate users.
1565 If unsure, say N. 1565 If unsure, say N.
1566 1566
1567 config MODVERSIONS 1567 config MODVERSIONS
1568 bool "Module versioning support" 1568 bool "Module versioning support"
1569 help 1569 help
1570 Usually, you have to use modules compiled with your kernel. 1570 Usually, you have to use modules compiled with your kernel.
1571 Saying Y here makes it sometimes possible to use modules 1571 Saying Y here makes it sometimes possible to use modules
1572 compiled for different kernels, by adding enough information 1572 compiled for different kernels, by adding enough information
1573 to the modules to (hopefully) spot any changes which would 1573 to the modules to (hopefully) spot any changes which would
1574 make them incompatible with the kernel you are running. If 1574 make them incompatible with the kernel you are running. If
1575 unsure, say N. 1575 unsure, say N.
1576 1576
1577 config MODULE_SRCVERSION_ALL 1577 config MODULE_SRCVERSION_ALL
1578 bool "Source checksum for all modules" 1578 bool "Source checksum for all modules"
1579 help 1579 help
1580 Modules which contain a MODULE_VERSION get an extra "srcversion" 1580 Modules which contain a MODULE_VERSION get an extra "srcversion"
1581 field inserted into their modinfo section, which contains a 1581 field inserted into their modinfo section, which contains a
1582 sum of the source files which made it. This helps maintainers 1582 sum of the source files which made it. This helps maintainers
1583 see exactly which source was used to build a module (since 1583 see exactly which source was used to build a module (since
1584 others sometimes change the module source without updating 1584 others sometimes change the module source without updating
1585 the version). With this option, such a "srcversion" field 1585 the version). With this option, such a "srcversion" field
1586 will be created for all modules. If unsure, say N. 1586 will be created for all modules. If unsure, say N.
1587 1587
1588 config MODULE_SIG 1588 config MODULE_SIG
1589 bool "Module signature verification" 1589 bool "Module signature verification"
1590 depends on MODULES 1590 depends on MODULES
1591 select KEYS
1592 select CRYPTO
1593 select ASYMMETRIC_KEY_TYPE
1594 select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
1595 select PUBLIC_KEY_ALGO_RSA
1596 select ASN1
1597 select OID_REGISTRY
1598 select X509_CERTIFICATE_PARSER
1591 help 1599 help
1592 Check modules for valid signatures upon load: the signature 1600 Check modules for valid signatures upon load: the signature
1593 is simply appended to the module. For more information see 1601 is simply appended to the module. For more information see
1594 Documentation/module-signing.txt. 1602 Documentation/module-signing.txt.
1595 1603
1596 !!!WARNING!!! If you enable this option, you MUST make sure that the 1604 !!!WARNING!!! If you enable this option, you MUST make sure that the
1597 module DOES NOT get stripped after being signed. This includes the 1605 module DOES NOT get stripped after being signed. This includes the
1598 debuginfo strip done by some packagers (such as rpmbuild) and 1606 debuginfo strip done by some packagers (such as rpmbuild) and
1599 inclusion into an initramfs that wants the module size reduced. 1607 inclusion into an initramfs that wants the module size reduced.
1600 1608
1601 config MODULE_SIG_FORCE 1609 config MODULE_SIG_FORCE
1602 bool "Require modules to be validly signed" 1610 bool "Require modules to be validly signed"
1603 depends on MODULE_SIG 1611 depends on MODULE_SIG
1604 help 1612 help
1605 Reject unsigned modules or signed modules for which we don't have a 1613 Reject unsigned modules or signed modules for which we don't have a
1606 key. Without this, such modules will simply taint the kernel. 1614 key. Without this, such modules will simply taint the kernel.
1607 1615
1608 choice 1616 choice
1609 prompt "Which hash algorithm should modules be signed with?" 1617 prompt "Which hash algorithm should modules be signed with?"
1610 depends on MODULE_SIG 1618 depends on MODULE_SIG
1611 help 1619 help
1612 This determines which sort of hashing algorithm will be used during 1620 This determines which sort of hashing algorithm will be used during
1613 signature generation. This algorithm _must_ be built into the kernel 1621 signature generation. This algorithm _must_ be built into the kernel
1614 directly so that signature verification can take place. It is not 1622 directly so that signature verification can take place. It is not
1615 possible to load a signed module containing the algorithm to check 1623 possible to load a signed module containing the algorithm to check
1616 the signature on that module. 1624 the signature on that module.
1617 1625
1618 config MODULE_SIG_SHA1 1626 config MODULE_SIG_SHA1
1619 bool "Sign modules with SHA-1" 1627 bool "Sign modules with SHA-1"
1620 select CRYPTO_SHA1 1628 select CRYPTO_SHA1
1621 1629
1622 config MODULE_SIG_SHA224 1630 config MODULE_SIG_SHA224
1623 bool "Sign modules with SHA-224" 1631 bool "Sign modules with SHA-224"
1624 select CRYPTO_SHA256 1632 select CRYPTO_SHA256
1625 1633
1626 config MODULE_SIG_SHA256 1634 config MODULE_SIG_SHA256
1627 bool "Sign modules with SHA-256" 1635 bool "Sign modules with SHA-256"
1628 select CRYPTO_SHA256 1636 select CRYPTO_SHA256
1629 1637
1630 config MODULE_SIG_SHA384 1638 config MODULE_SIG_SHA384
1631 bool "Sign modules with SHA-384" 1639 bool "Sign modules with SHA-384"
1632 select CRYPTO_SHA512 1640 select CRYPTO_SHA512
1633 1641
1634 config MODULE_SIG_SHA512 1642 config MODULE_SIG_SHA512
1635 bool "Sign modules with SHA-512" 1643 bool "Sign modules with SHA-512"
1636 select CRYPTO_SHA512 1644 select CRYPTO_SHA512
1637 1645
1638 endchoice 1646 endchoice
1639 1647
1640 endif # MODULES 1648 endif # MODULES
1641 1649
1642 config INIT_ALL_POSSIBLE 1650 config INIT_ALL_POSSIBLE
1643 bool 1651 bool
1644 help 1652 help
1645 Back when each arch used to define their own cpu_online_mask and 1653 Back when each arch used to define their own cpu_online_mask and
1646 cpu_possible_mask, some of them chose to initialize cpu_possible_mask 1654 cpu_possible_mask, some of them chose to initialize cpu_possible_mask
1647 with all 1s, and others with all 0s. When they were centralised, 1655 with all 1s, and others with all 0s. When they were centralised,
1648 it was better to provide this option than to break all the archs 1656 it was better to provide this option than to break all the archs
1649 and have several arch maintainers pursuing me down dark alleys. 1657 and have several arch maintainers pursuing me down dark alleys.
1650 1658
1651 config STOP_MACHINE 1659 config STOP_MACHINE
1652 bool 1660 bool
1653 default y 1661 default y
1654 depends on (SMP && MODULE_UNLOAD) || HOTPLUG_CPU 1662 depends on (SMP && MODULE_UNLOAD) || HOTPLUG_CPU
1655 help 1663 help
1656 Need stop_machine() primitive. 1664 Need stop_machine() primitive.
1657 1665
1658 source "block/Kconfig" 1666 source "block/Kconfig"
1659 1667
1660 config PREEMPT_NOTIFIERS 1668 config PREEMPT_NOTIFIERS
1661 bool 1669 bool
1662 1670
1663 config PADATA 1671 config PADATA
1664 depends on SMP 1672 depends on SMP
1665 bool 1673 bool
1666 1674
1667 config ASN1 1675 config ASN1
1668 tristate 1676 tristate
1669 help 1677 help
1670 Build a simple ASN.1 grammar compiler that produces a bytecode output 1678 Build a simple ASN.1 grammar compiler that produces a bytecode output
1671 that can be interpreted by the ASN.1 stream decoder and used to 1679 that can be interpreted by the ASN.1 stream decoder and used to
1672 inform it as to what tags are to be expected in a stream and what 1680 inform it as to what tags are to be expected in a stream and what
1673 functions to call on what tags. 1681 functions to call on what tags.
1674 1682
1675 source "kernel/Kconfig.locks" 1683 source "kernel/Kconfig.locks"
1676 1684
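Review bot: In the MODULE_SIG entry, the new select list names the key, X.509 and RSA pieces but nothing for the MPI helpers, although kernel/module_signing.c in this same commit calls mpi_read_raw_data() and mpi_free() directly. If those only arrive as a side effect of "select PUBLIC_KEY_ALGO_RSA", add an explicit select for the MPI library or a comment saying so, so that a later change to the RSA option cannot silently break this file. The help text could also state that the selected options end up built in, since MODULE_SIG is a bool and the verifier cannot itself be loaded as a module.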
kernel/module_signing.c
1 /* Module signature checker 1 /* Module signature checker
2 * 2 *
3 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. 3 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com) 4 * Written by David Howells (dhowells@redhat.com)
5 * 5 *
6 * This program is free software; you can redistribute it and/or 6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public Licence 7 * modify it under the terms of the GNU General Public Licence
8 * as published by the Free Software Foundation; either version 8 * as published by the Free Software Foundation; either version
9 * 2 of the Licence, or (at your option) any later version. 9 * 2 of the Licence, or (at your option) any later version.
10 */ 10 */
11 11
12 #include <linux/kernel.h> 12 #include <linux/kernel.h>
13 #include <linux/err.h> 13 #include <linux/err.h>
14 #include <crypto/public_key.h>
15 #include <crypto/hash.h>
16 #include <keys/asymmetric-type.h>
14 #include "module-internal.h" 17 #include "module-internal.h"
15 18
16 /* 19 /*
20 * Module signature information block.
21 *
22 * The constituents of the signature section are, in order:
23 *
24 * - Signer's name
25 * - Key identifier
26 * - Signature data
27 * - Information block
28 */
29 struct module_signature {
30 enum pkey_algo algo : 8; /* Public-key crypto algorithm */
31 enum pkey_hash_algo hash : 8; /* Digest algorithm */
32 enum pkey_id_type id_type : 8; /* Key identifier type */
33 u8 signer_len; /* Length of signer's name */
34 u8 key_id_len; /* Length of key identifier */
35 u8 __pad[3];
36 __be32 sig_len; /* Length of signature data */
37 };
38
39 /*
40 * Digest the module contents.
41 */
42 static struct public_key_signature *mod_make_digest(enum pkey_hash_algo hash,
43 const void *mod,
44 unsigned long modlen)
45 {
46 struct public_key_signature *pks;
47 struct crypto_shash *tfm;
48 struct shash_desc *desc;
49 size_t digest_size, desc_size;
50 int ret;
51
52 pr_devel("==>%s()\n", __func__);
53
54 /* Allocate the hashing algorithm we're going to need and find out how
55 * big the hash operational data will be.
56 */
57 tfm = crypto_alloc_shash(pkey_hash_algo[hash], 0, 0);
58 if (IS_ERR(tfm))
59 return (PTR_ERR(tfm) == -ENOENT) ? ERR_PTR(-ENOPKG) : ERR_CAST(tfm);
60
61 desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
62 digest_size = crypto_shash_digestsize(tfm);
63
64 /* We allocate the hash operational data storage on the end of our
65 * context data and the digest output buffer on the end of that.
66 */
67 ret = -ENOMEM;
68 pks = kzalloc(digest_size + sizeof(*pks) + desc_size, GFP_KERNEL);
69 if (!pks)
70 goto error_no_pks;
71
72 pks->pkey_hash_algo = hash;
73 pks->digest = (u8 *)pks + sizeof(*pks) + desc_size;
74 pks->digest_size = digest_size;
75
76 desc = (void *)pks + sizeof(*pks);
77 desc->tfm = tfm;
78 desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
79
80 ret = crypto_shash_init(desc);
81 if (ret < 0)
82 goto error;
83
84 ret = crypto_shash_finup(desc, mod, modlen, pks->digest);
85 if (ret < 0)
86 goto error;
87
88 crypto_free_shash(tfm);
89 pr_devel("<==%s() = ok\n", __func__);
90 return pks;
91
92 error:
93 kfree(pks);
94 error_no_pks:
95 crypto_free_shash(tfm);
96 pr_devel("<==%s() = %d\n", __func__, ret);
97 return ERR_PTR(ret);
98 }
99
100 /*
101 * Extract an MPI array from the signature data. This represents the actual
102 * signature. Each raw MPI is prefaced by a BE 2-byte value indicating the
103 * size of the MPI in bytes.
104 *
105 * RSA signatures only have one MPI, so currently we only read one.
106 */
107 static int mod_extract_mpi_array(struct public_key_signature *pks,
108 const void *data, size_t len)
109 {
110 size_t nbytes;
111 MPI mpi;
112
113 if (len < 3)
114 return -EBADMSG;
115 nbytes = ((const u8 *)data)[0] << 8 | ((const u8 *)data)[1];
116 data += 2;
117 len -= 2;
118 if (len != nbytes)
119 return -EBADMSG;
120
121 mpi = mpi_read_raw_data(data, nbytes);
122 if (!mpi)
123 return -ENOMEM;
124 pks->mpi[0] = mpi;
125 pks->nr_mpi = 1;
126 return 0;
127 }
128
129 /*
130 * Request an asymmetric key.
131 */
132 static struct key *request_asymmetric_key(const char *signer, size_t signer_len,
133 const u8 *key_id, size_t key_id_len)
134 {
135 key_ref_t key;
136 size_t i;
137 char *id, *q;
138
139 pr_devel("==>%s(,%zu,,%zu)\n", __func__, signer_len, key_id_len);
140
141 /* Construct an identifier. */
142 id = kmalloc(signer_len + 2 + key_id_len * 2 + 1, GFP_KERNEL);
143 if (!id)
144 return ERR_PTR(-ENOKEY);
145
146 memcpy(id, signer, signer_len);
147
148 q = id + signer_len;
149 *q++ = ':';
150 *q++ = ' ';
151 for (i = 0; i < key_id_len; i++) {
152 *q++ = hex_asc[*key_id >> 4];
153 *q++ = hex_asc[*key_id++ & 0x0f];
154 }
155
156 *q = 0;
157
158 pr_debug("Look up: \"%s\"\n", id);
159
160 key = keyring_search(make_key_ref(modsign_keyring, 1),
161 &key_type_asymmetric, id);
162 if (IS_ERR(key))
163 pr_warn("Request for unknown module key '%s' err %ld\n",
164 id, PTR_ERR(key));
165 kfree(id);
166
167 if (IS_ERR(key)) {
168 switch (PTR_ERR(key)) {
169 /* Hide some search errors */
170 case -EACCES:
171 case -ENOTDIR:
172 case -EAGAIN:
173 return ERR_PTR(-ENOKEY);
174 default:
175 return ERR_CAST(key);
176 }
177 }
178
179 pr_devel("<==%s() = 0 [%x]\n", __func__, key_serial(key_ref_to_ptr(key)));
180 return key_ref_to_ptr(key);
181 }
182
183 /*
17 * Verify the signature on a module. 184 * Verify the signature on a module.
18 */ 185 */
19 int mod_verify_sig(const void *mod, unsigned long modlen, 186 int mod_verify_sig(const void *mod, unsigned long modlen,
20 const void *sig, unsigned long siglen) 187 const void *sig, unsigned long siglen)
21 { 188 {
22 return -ENOKEY; 189 struct public_key_signature *pks;
190 struct module_signature ms;
191 struct key *key;
192 size_t sig_len;
193 int ret;
194
195 pr_devel("==>%s(,%lu,,%lu,)\n", __func__, modlen, siglen);
196
197 if (siglen <= sizeof(ms))
198 return -EBADMSG;
199
200 memcpy(&ms, sig + (siglen - sizeof(ms)), sizeof(ms));
201 siglen -= sizeof(ms);
202
203 sig_len = be32_to_cpu(ms.sig_len);
204 if (sig_len >= siglen ||
205 siglen - sig_len != (size_t)ms.signer_len + ms.key_id_len)
206 return -EBADMSG;
207
208 /* For the moment, only support RSA and X.509 identifiers */
209 if (ms.algo != PKEY_ALGO_RSA ||
210 ms.id_type != PKEY_ID_X509)
211 return -ENOPKG;
212
213 if (ms.hash >= PKEY_HASH__LAST ||
214 !pkey_hash_algo[ms.hash])
215 return -ENOPKG;
216
217 key = request_asymmetric_key(sig, ms.signer_len,
218 sig + ms.signer_len, ms.key_id_len);
219 if (IS_ERR(key))
220 return PTR_ERR(key);
221
222 pks = mod_make_digest(ms.hash, mod, modlen);
223 if (IS_ERR(pks)) {
224 ret = PTR_ERR(pks);
225 goto error_put_key;
226 }
227
228 ret = mod_extract_mpi_array(pks, sig + ms.signer_len + ms.key_id_len,
229 sig_len);
230 if (ret < 0)
231 goto error_free_pks;
232
233 ret = verify_signature(key, pks);
234 pr_devel("verify_signature() = %d\n", ret);
235
236 error_free_pks:
237 mpi_free(pks->rsa.s);
238 kfree(pks);
239 error_put_key:
240 key_put(key);
241 pr_devel("<==%s() = %d\n", __func__, ret);
242 return ret;
23 } 243 }
24 244
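Review bot: In request_asymmetric_key(), a failed kmalloc() of id returns ERR_PTR(-ENOKEY), so memory pressure is reported through mod_verify_sig() as "no key", which the MODULE_SIG_FORCE help text describes as the case that merely taints the kernel when enforcement is off. Return ERR_PTR(-ENOMEM) there so an allocation failure is never handled as an unknown-key outcome. Separately, struct module_signature as coded (signer_len, key_id_len, __pad[3], sig_len, with a signer's name leading the blob) does not match the layout given in the commit message (__pad, id_length, sig_length, no signer name), and mod_verify_sig() never checks that __pad is zero. Update the description to the format actually parsed, and either reject non-zero padding or document that it is ignored.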