Kernel Configuration

{% include "_versions.html" %}

Use the following configuration settings as a base for an Android kernel configuration. Settings are organized into android-base, android-base-ARCH, and android-recommended .cfg files:

android-base. These options enable core Android features and should be configured as specified by all devices.
android-base-ARCH. These options enable core Android features and should be configured as specified by all devices of architecture ARCH. Not all architectures have a corresponding file of architecture-specific required options. If your architecture does not have a file, it does not have additional architecture-specific kernel configuration requirements for Android.
android-recommended. These options enable advanced Android features and are optional for devices.

These configuration files are located in the kernel/configs repo. Use the set of configuration files that corresponds to the version of the kernel you are using.

For details on controls already undertaken to strengthen the kernel on your devices, see System and Kernel Security. For details on required settings, see the Android Compatibility Definition Document (CDD).

Generating kernel config

For devices that have a minimalist defconfig, use the merge_config.sh script in the kernel tree to enable options:

ARCH=ARCH scripts/kconfig/merge_config.sh <...>/device_defconfig <...>/android-base.cfg <...>/android-base-ARCH.cfg <...>/android-recommended.cfg

This generates a .config file you can use to save a new defconfig or compile a new kernel with Android features enabled.

Additional kernel config requirements

In some cases, the platform maintainer can choose from multiple kernel features to satisfy an Android dependency. Such dependencies cannot be expressed in the kernel config fragment files (described above) because the format for those files does not support logical expressions. In Android {{ androidPVersionNumber }}, Compatibility Test Suite (CTS) and Vendor Test Suite (VTS) verify the following requirements are satisfied:

CONFIG_OF=y or CONFIG_ACPI=y
4.4 and 4.9 kernels have CONFIG_ANDROID_LOW_MEMORY_KILLER=y OR have both CONFIG_MEMCG=y and CONFIG_MEMCG_SWAP=y
CONFIG_DEBUG_RODATA=y or CONFIG_STRICT_KERNEL_RWX=y
CONFIG_DEBUG_SET_MODULE_RONX=y or CONFIG_STRICT_MODULE_RWX=y
For ARM64 only: CONFIG_ARM64_SW_TTBR0_PAN=y or CONFIG_ARM64_PAN=y

In addition, the CONFIG_INET_UDP_DIAG option must be set to y for 4.9 kernels in Android {{ androidPVersionNumber }}.

Enabling USB host mode options

For USB host mode audio, enable the following options:

CONFIG_SND_USB=y
CONFIG_SND_USB_AUDIO=y
# CONFIG_USB_AUDIO is for a peripheral mode (gadget) driver

For USB host mode MIDI, enable the following option:

CONFIG_SND_USB_MIDI=y

Seccomp-BPF with TSYNC

Seccomp-BPF is a kernel security technology that enables the creation of sandboxes to restrict the system calls a process is allowed to make. The TSYNC feature enables the use of Seccomp-BPF from multithreaded programs. This ability is limited to architectures that have seccomp support upstream (ARM, ARM64, x86, and x86_64).

Backporting for kernel 3.10 for ARM-32, X86, X86_64

Ensure CONFIG_SECCOMP_FILTER=y is enabled in the Kconfig (verified as of the Android 5.0 CTS), then cherry-pick the following changes from the AOSP kernel/common:android-3.10 repository:

a03 a242 arch: Introduce smp_load_acquire(), smp_store_release() by Peter Zijlstra
987a0f1 introduce for_each_thread() to replace the buggy while_each_thread() by Oleg Nesterov
2a30a43 seccomp: create internal mode-setting function by Kees Cook
b8a9cff seccomp: extract check/assign mode helpers by Kees Cook
8908dde seccomp: split mode setting routines by Kees Cook
e985fd4 seccomp: add "seccomp" syscall by Kees Cook
9d0ff69 sched: move no_new_privs into new atomic flags by Kees Cook
b6a12bf seccomp: split filter prep from check and apply by Kees Cook
61b6b88 seccomp: introduce writer locking by Kees Cook
c852ef7 seccomp: allow mode setting across threads by Kees Cook
f14a5db seccomp: implement SECCOMP_FILTER_FLAG_TSYNC by Kees Cook
9ac8600 seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock by Guenter Roeck
900e9fd seccomp: fix syscall numbers for x86 and x86_64 by Lee Campbell
a9ba428 ARM: add seccomp syscall by Kees Cook

Backporting for Kernel 3.10 for ARM-64

Ensure CONFIG_SECCOMP_FILTER=y is enabled in the Kconfig (verified as of the Android 5.0 CTS), then cherry-pick the following changes from the AOSP kernel/common:android-3.10 repository:

cfc7e99e9 arm64: Add __NR_* definitions for compat syscalls by JP Abgrall
bf11863 arm64: Add audit support by AKASHI Takahiro
3e21c0b arm64: audit: Add audit hook in syscall_trace_enter/exit() by JP Abgrall
9499cd2 syscall_get_arch: remove useless function arguments by Eric Paris
2a30a43 seccomp: create internal mode-setting function by Kees Cook
b8a9 cff seccomp: extract check/assign mode helpers by Kees Cook
8908dde seccomp: split mode setting routines by Kees Cook
e985fd4 seccomp: add "seccomp" syscall by Kees Cook
9d0ff69 sched: move no_new_privs into new atomic flags by Kees Cook
b6a12bf seccomp: split filter prep from check and apply by Kees Cook
61b6b88 seccomp: introduce writer locking by Kees Cook
c852ef7 seccomp: allow mode setting across threads by Kees Cook
f14a5db seccomp: implement SECCOMP_FILTER_FLAG_TSYNC by Kees Cook
9ac8600 seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock by Guenter Roeck
900e9fd seccomp: fix syscall numbers for x86 and x86_64 by Lee Campbell
a9ba428 ARM: add seccomp syscall by Kees Cook
4190090 ARM: 8087/1: ptrace: reload syscall number after secure_computing() check by Will Deacon
abbfed9 arm64: ptrace: add PTRACE_SET_SYSCALL by AKASHI Takahiro
feb2843 arm64: ptrace: allow tracer to skip a system call by AKASHI Takahiro
dab1073 asm-generic: add generic seccomp.h for secure computing mode 1 by AKASHI Takahiro
4f1 2b53 add seccomp syscall for compat task by AKASHI Takahiro
7722723 arm64: add SIGSYS siginfo for compat task by AKASHI Takahiro
210957c arm64: add seccomp support by AKASHI Takahiro