Use the following configuration settings as a base for an Android kernel configuration. Settings are organized into android-base, android-base-ARCH, and android-recommended .cfg files:
android-base. These options enable core Android features and should be configured as specified by all devices.
android-base-ARCH. These options enable core Android features and should be configured as specified by all devices of architecture ARCH. Not all architectures have a corresponding file of architecture-specific required options. If your architecture does not have a file, it does not have additional architecture-specific kernel configuration requirements for Android.
android-recommended. These options enable advanced Android features and are optional for devices.
These configuration files are located in the kernel/configs repo. Use the set of configuration files that corresponds to the version of the kernel you are using.
For details on controls already undertaken to strengthen the kernel on your devices, see System and Kernel Security. For details on required settings, see the Android Compatibility Definition Document (CDD).
For devices that have a minimalist defconfig, use the merge_config.sh script in the kernel tree to enable options:
ARCH=ARCH scripts/kconfig/merge_config.sh <...>/device_defconfig <...>/android-base.cfg <...>/android-base-ARCH.cfg <...>/android-recommended.cfg
This generates a .config file you can use to save a new defconfig or compile a new kernel with Android features enabled.
In some cases, the platform maintainer can choose from multiple kernel features to satisfy an Android dependency. Such dependencies cannot be expressed in the kernel config fragment files (described above) because the format for those files does not support logical expressions. In Android {{ androidPVersionNumber }}, Compatibility Test Suite (CTS) and Vendor Test Suite (VTS) verify the following requirements are satisfied:
CONFIG_OF=y or CONFIG_ACPI=y
CONFIG_ANDROID_LOW_MEMORY_KILLER=y OR have both CONFIG_MEMCG=y and CONFIG_MEMCG_SWAP=y
CONFIG_DEBUG_RODATA=y or CONFIG_STRICT_KERNEL_RWX=y
CONFIG_DEBUG_SET_MODULE_RONX=y or CONFIG_STRICT_MODULE_RWX=y
CONFIG_ARM64_SW_TTBR0_PAN=y or CONFIG_ARM64_PAN=y
In addition, the CONFIG_INET_UDP_DIAG option must be set to y for 4.9 kernels in Android {{ androidPVersionNumber }}.
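Because the fragment files cannot express the either/or requirements listed above, it helps to check a generated .config for them before running CTS and VTS. The following script is an added example, not code from AOSP or the test suites: the function names and the sample config are constructed for illustration, and limiting the PAN check to configs with CONFIG_ARM64=y is an assumption.

```shell
# Added example (not AOSP code): check a kernel .config for the either/or
# requirements that a config fragment file cannot express.

# is_y FILE OPTION: succeeds when the exact line "OPTION=y" is present.
is_y() { grep -qx "$2=y" "$1"; }

# fail DESCRIPTION: report an unmet requirement group and count it.
fail() { echo "UNMET: $1"; unmet=$((unmet + 1)); }

# check_android_alternatives FILE
# Prints one line per unmet group; the return status is the unmet count.
check_android_alternatives() {
    cfg=$1
    unmet=0
    is_y "$cfg" CONFIG_OF || is_y "$cfg" CONFIG_ACPI ||
        fail "CONFIG_OF or CONFIG_ACPI"
    is_y "$cfg" CONFIG_ANDROID_LOW_MEMORY_KILLER ||
        { is_y "$cfg" CONFIG_MEMCG && is_y "$cfg" CONFIG_MEMCG_SWAP; } ||
        fail "CONFIG_ANDROID_LOW_MEMORY_KILLER or (CONFIG_MEMCG and CONFIG_MEMCG_SWAP)"
    is_y "$cfg" CONFIG_DEBUG_RODATA || is_y "$cfg" CONFIG_STRICT_KERNEL_RWX ||
        fail "CONFIG_DEBUG_RODATA or CONFIG_STRICT_KERNEL_RWX"
    is_y "$cfg" CONFIG_DEBUG_SET_MODULE_RONX || is_y "$cfg" CONFIG_STRICT_MODULE_RWX ||
        fail "CONFIG_DEBUG_SET_MODULE_RONX or CONFIG_STRICT_MODULE_RWX"
    # Assumption: the PAN options exist only on arm64, so check them only there.
    if is_y "$cfg" CONFIG_ARM64; then
        is_y "$cfg" CONFIG_ARM64_SW_TTBR0_PAN || is_y "$cfg" CONFIG_ARM64_PAN ||
            fail "CONFIG_ARM64_SW_TTBR0_PAN or CONFIG_ARM64_PAN"
    fi
    return "$unmet"
}

# Constructed sample .config (not from a real device): MEMCG is set without
# MEMCG_SWAP and no module RWX option is set, so two groups are unmet.
sample_config() {
    cat <<'EOF'
CONFIG_ARM64=y
CONFIG_OF=y
CONFIG_MEMCG=y
# CONFIG_MEMCG_SWAP is not set
CONFIG_STRICT_KERNEL_RWX=y
# CONFIG_STRICT_MODULE_RWX is not set
CONFIG_ARM64_PAN=y
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
check_android_alternatives "$tmp" || echo "unmet requirement groups: $?"
rm -f "$tmp"
```

Run it against the .config produced by merge_config.sh; a non-zero status means at least one requirement group has neither alternative enabled.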
For USB host mode audio, enable the following options:
CONFIG_SND_USB=y
CONFIG_SND_USB_AUDIO=y
# CONFIG_USB_AUDIO is for a peripheral mode (gadget) driver
For USB host mode MIDI, enable the following option:
CONFIG_SND_USB_MIDI=y
Seccomp-BPF is a kernel security technology that enables the creation of sandboxes to restrict the system calls a process is allowed to make. The TSYNC feature enables the use of Seccomp-BPF from multithreaded programs. This ability is limited to architectures that have seccomp support upstream (ARM, ARM64, x86, and x86_64).
Ensure CONFIG_SECCOMP_FILTER=y is enabled in the Kconfig (verified as of the Android 5.0 CTS), then cherry-pick the following changes from the AOSP kernel/common:android-3.10 repository: