<html devsite>
  <head>
    <title>Kernel Configuration</title>
    <meta name="project_path" value="/_project.yaml" />
    <meta name="book_path" value="/_book.yaml" />
  </head>
  <body>
  {% include "_versions.html" %}
  <!--
      Copyright 2017 The Android Open Source Project

      Licensed under the Apache License, Version 2.0 (the "License");
      you may not use this file except in compliance with the License.
      You may obtain a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
  -->


<p>
  Use the following configuration settings as a base for an Android kernel
  configuration. Settings are organized into <code>android-base</code>,
  <code>android-base-<var>ARCH</var></code>, and
  <code>android-recommended</code> .cfg files:
</p>

<ul>
  <li><code>android-base</code>. These options enable core Android features and
  should be configured as specified by all devices.</li>
  <li><code>android-base-<var>ARCH</var></code>. These options enable core
  Android features and should be configured as specified by all devices of
  architecture <var>ARCH</var>. Not all architectures have a corresponding file
  of architecture-specific required options. If your architecture does not have
  a file, it does not have additional architecture-specific kernel configuration
  requirements for Android.</li>
  <li><code>android-recommended</code>. These options enable advanced Android
  features and are optional for devices.</li>
</ul>

<p>
  These configuration files are located in the
  <code><a href="https://android.googlesource.com/kernel/configs/" class="external">kernel/configs</a></code>
  repo. Use the set of configuration files that corresponds to the version of
  the kernel you are using.
</p>

<p>
  For details on controls already undertaken to strengthen the kernel on your
  devices, see <a href="/security/overview/kernel-security.html">System and
  Kernel Security</a>. For details on required settings, see the
  <a href="/compatibility/cdd.html">Android Compatibility Definition Document
  (CDD)</a>.
</p>

<h2 id="generating">Generating kernel config</h2>

<p>
  For devices that have a minimalist <code>defconfig</code>, use the
  <code>merge_config.sh</code> script in the kernel tree to enable options:
</p>

<pre class="devsite-click-to-copy">
ARCH=<var>ARCH</var> scripts/kconfig/merge_config.sh &lt;...&gt;/device_defconfig &lt;...&gt;/android-base.cfg &lt;...&gt;/android-base-<var>ARCH</var>.cfg &lt;...&gt;/android-recommended.cfg
</pre>

<p>
  This generates a <code>.config</code> file you can use to save a new
  <code>defconfig</code> or compile a new kernel with Android features enabled.
</p>

<h2 id="additional-kernel-reqs">Additional kernel config requirements</h2>

<p>
  In some cases, the platform maintainer can choose from multiple kernel
  features to satisfy an Android dependency. Such dependencies cannot be
  expressed in the kernel config fragment files (described above) because the
  format for those files does not support logical expressions. In Android
  {{ androidPVersionNumber }},
  <a href="/compatibility/cts/">Compatibility Test Suite (CTS)</a> and
  <a href="/compatibility/vts/">Vendor Test Suite (VTS)</a> verify the following
  requirements are satisfied:
</p>

<ul>
  <li><code>CONFIG_OF=y</code> or <code>CONFIG_ACPI=y</code></li>
  <li>For 4.4 and 4.9 kernels: <code>CONFIG_ANDROID_LOW_MEMORY_KILLER=y</code>,
  or both <code>CONFIG_MEMCG=y</code> and <code>CONFIG_MEMCG_SWAP=y</code>
  </li>
  <li><code>CONFIG_DEBUG_RODATA=y</code> or
  <code>CONFIG_STRICT_KERNEL_RWX=y</code></li>
  <li><code>CONFIG_DEBUG_SET_MODULE_RONX=y</code> or
  <code>CONFIG_STRICT_MODULE_RWX=y</code></li>
  <li>For ARM64 only: <code>CONFIG_ARM64_SW_TTBR0_PAN=y</code> or
  <code>CONFIG_ARM64_PAN=y</code></li>
</ul>

<p>
  In addition, the <code>CONFIG_INET_UDP_DIAG</code> option must be set to
  <code>y</code> for 4.9 kernels in Android {{ androidPVersionNumber }}.
</p>
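<p>
  The following added example (not AOSP, CTS, or VTS code) evaluates these
  either/or requirements against a generated <code>.config</code>, which the
  fragment files cannot express. The sample config is constructed, and the
  <code>kernel</code> and <code>arch</code> string values are assumptions of
  this sketch:
</p>

```python
import re

# Constructed sample .config excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
CONFIG_OF=y
# CONFIG_ACPI is not set
CONFIG_MEMCG=y
# CONFIG_MEMCG_SWAP is not set
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y
CONFIG_ARM64_SW_TTBR0_PAN=y
CONFIG_INET_UDP_DIAG=m
"""

def parse_config(text):
    """Map option -> value; '# CONFIG_X is not set' becomes 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"(CONFIG_\w+)=(.*)$", line):
            opts[m.group(1)] = m.group(2)
        elif m := re.match(r"# (CONFIG_\w+) is not set$", line):
            opts[m.group(1)] = "n"
    return opts

def requirements(kernel, arch):
    # Each requirement is a list of alternatives; an alternative is a set
    # of options that must all be built in (=y, so =m does not count).
    reqs = [
        [{"CONFIG_OF"}, {"CONFIG_ACPI"}],
        [{"CONFIG_DEBUG_RODATA"}, {"CONFIG_STRICT_KERNEL_RWX"}],
        [{"CONFIG_DEBUG_SET_MODULE_RONX"}, {"CONFIG_STRICT_MODULE_RWX"}],
    ]
    if kernel in ("4.4", "4.9"):
        reqs.append([{"CONFIG_ANDROID_LOW_MEMORY_KILLER"},
                     {"CONFIG_MEMCG", "CONFIG_MEMCG_SWAP"}])
    if arch == "arm64":  # assumed spelling of the ARCH value
        reqs.append([{"CONFIG_ARM64_SW_TTBR0_PAN"}, {"CONFIG_ARM64_PAN"}])
    if kernel == "4.9":
        reqs.append([{"CONFIG_INET_UDP_DIAG"}])
    return reqs

def unmet(config_text, kernel, arch):
    """Describe every requirement that no alternative satisfies."""
    opts = parse_config(config_text)
    return [" or ".join("+".join(sorted(alt)) for alt in alts)
            for alts in requirements(kernel, arch)
            if not any(all(opts.get(o) == "y" for o in alt) for alt in alts)]

print(unmet(SAMPLE_CONFIG, "4.9", "arm64"))
```

<p>
  Run it on the <code>.config</code> produced by <code>merge_config.sh</code>
  before submitting a build to CTS/VTS; an empty list means every listed
  alternative group is satisfied.
</p>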

<h2 id="usb">Enabling USB host mode options</h2>

<p>
  For USB host mode audio, enable the following options:
</p>

<pre class="devsite-click-to-copy">
CONFIG_SND_USB=y
CONFIG_SND_USB_AUDIO=y
# CONFIG_USB_AUDIO is for a peripheral mode (gadget) driver
</pre>

<p>
  For USB host mode MIDI, enable the following option:
</p>

<pre class="devsite-click-to-copy">CONFIG_SND_USB_MIDI=y</pre>

<h2 id="Seccomp-BPF-TSYNC">Seccomp-BPF with TSYNC</h2>

<p>
  Seccomp-BPF is a kernel security technology that enables the creation of
  sandboxes to restrict the system calls a process is allowed to make. The
  TSYNC feature enables the use of Seccomp-BPF from multithreaded programs. This
  ability is limited to architectures that have seccomp support upstream (ARM,
  ARM64, x86, and x86_64).
</p>

<h3 id="backport-ARM-32">Backporting for kernel 3.10 for ARM-32, X86,
X86_64</h3>

<p>
  Ensure <code>CONFIG_SECCOMP_FILTER=y</code> is enabled in the
  <code>Kconfig</code> (verified as of the Android 5.0 CTS), then cherry-pick
  the following changes from the
  <a href="https://android.googlesource.com/kernel/common/+log/9499cd23f9d05ba159fac6d55dc35a7f49f9ce76..a9ba4285aa5722a3b4d84888e78ba8adc0046b28" class="external">AOSP
  kernel/common:android-3.10 repository</a>:
</p>

<ul>
<li><a href="https://android.googlesource.com/kernel/common/+/a03a2426ea9f1d9dada33cf4a824f63e8f916c9d" class="external">a03a242
arch: Introduce smp_load_acquire(), smp_store_release()</a> by Peter
Zijlstra</li>
<li><a href="https://android.googlesource.com/kernel/common/+/987a0f1102321853565c4bfecde6a5a58ac6db11" class="external">987a0f1
introduce for_each_thread() to replace the buggy while_each_thread()</a> by
Oleg Nesterov</li>
<li><a href="https://android.googlesource.com/kernel/common/+/2a30a4386e4a7e1283157c4cf4cfcc0306b22ac8" class="external">2a30a43
seccomp: create internal mode-setting function</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/b8a9cff6dbe9cfddbb4d17e2dea496e523544687" class="external">b8a9cff
seccomp: extract check/assign mode helpers</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/8908dde5a7fdca974374b0dbe6dfb10f69df7216" class="external">8908dde
seccomp: split mode setting routines</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/e985fd474debedb269fba27006eda50d0b6f07ef" class="external">e985fd4
seccomp: add "seccomp" syscall</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/9d0ff694bc22fb458acb763811a677696c60725b" class="external">9d0ff69
sched: move no_new_privs into new atomic flags</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/b6a12bf4dd762236c7f637b19cfe10a268304b9b" class="external">b6a12bf
seccomp: split filter prep from check and apply</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/61b6b882a0abfeb627d25a069cfa1d232b84c8eb" class="external">61b6b88
seccomp: introduce writer locking</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/c852ef778224ecf5fe995d74ad96087038778bca" class="external">c852ef7
seccomp: allow mode setting across threads</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/f14a5db2398afed8f416d244e6da6b23940997c6" class="external">f14a5db
seccomp: implement SECCOMP_FILTER_FLAG_TSYNC</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/9ac860041db860a59bfd6ac82b31d6b6f76ebb52" class="external">9ac8600
seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock</a> by Guenter
Roeck</li>
<li><a href="https://android.googlesource.com/kernel/common/+/900e9fd0d5d15c596cacfb89ce007c933cea6e1c" class="external">900e9fd
seccomp: fix syscall numbers for x86 and x86_64</a> by Lee Campbell</li>
<li><a href="https://android.googlesource.com/kernel/common/+/a9ba4285aa5722a3b4d84888e78ba8adc0046b28" class="external">a9ba428
ARM: add seccomp syscall</a> by Kees Cook</li>
</ul>

<h3 id="backport-ARM-64">Backporting for kernel 3.10 for ARM-64</h3>

<p>
  Ensure <code>CONFIG_SECCOMP_FILTER=y</code> is enabled in the
  <code>Kconfig</code> (verified as of the Android 5.0 CTS), then cherry-pick
  the following changes from the AOSP kernel/common:android-3.10 repository:
</p>

<ul>
<li><a href="https://android.googlesource.com/kernel/common/+/cfc7e99e9e3900056028a7d90072e9ea0d886f8d" class="external">cfc7e99e9
arm64: Add __NR_* definitions for compat syscalls</a> by JP Abgrall</li>
<li><a href="https://android.googlesource.com/kernel/common/+/bf11863d45eb3dac0d0cf1f818ded11ade6e28d3" class="external">bf11863
arm64: Add audit support</a> by AKASHI Takahiro</li>
<li><a href="https://android.googlesource.com/kernel/common/+/3e21c0bb663a23436e0eb3f61860d4fedc233bab" class="external">3e21c0b
arm64: audit: Add audit hook in syscall_trace_enter/exit()</a> by JP Abgrall</li>
<li><a href="https://android.googlesource.com/kernel/common/+/9499cd23f9d05ba159fac6d55dc35a7f49f9ce76" class="external">9499cd2
syscall_get_arch: remove useless function arguments</a> by Eric Paris</li>
<li><a href="https://android.googlesource.com/kernel/common/+/2a30a4386e4a7e1283157c4cf4cfcc0306b22ac8" class="external">2a30a43
seccomp: create internal mode-setting function</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/b8a9cff6dbe9cfddbb4d17e2dea496e523544687" class="external">b8a9cff
seccomp: extract check/assign mode helpers</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/8908dde5a7fdca974374b0dbe6dfb10f69df7216" class="external">8908dde
seccomp: split mode setting routines</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/e985fd474debedb269fba27006eda50d0b6f07ef" class="external">e985fd4
seccomp: add "seccomp" syscall</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/9d0ff694bc22fb458acb763811a677696c60725b" class="external">9d0ff69
sched: move no_new_privs into new atomic flags</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/b6a12bf4dd762236c7f637b19cfe10a268304b9b" class="external">b6a12bf
seccomp: split filter prep from check and apply</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/61b6b882a0abfeb627d25a069cfa1d232b84c8eb" class="external">61b6b88
seccomp: introduce writer locking</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/c852ef778224ecf5fe995d74ad96087038778bca" class="external">c852ef7
seccomp: allow mode setting across threads</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/f14a5db2398afed8f416d244e6da6b23940997c6" class="external">f14a5db
seccomp: implement SECCOMP_FILTER_FLAG_TSYNC</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/9ac860041db860a59bfd6ac82b31d6b6f76ebb52" class="external">9ac8600
seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock</a> by Guenter
Roeck</li>
<li><a href="https://android.googlesource.com/kernel/common/+/900e9fd0d5d15c596cacfb89ce007c933cea6e1c" class="external">900e9fd
seccomp: fix syscall numbers for x86 and x86_64</a> by Lee Campbell</li>
<li><a href="https://android.googlesource.com/kernel/common/+/a9ba4285aa5722a3b4d84888e78ba8adc0046b28" class="external">a9ba428
ARM: add seccomp syscall</a> by Kees Cook</li>
<li><a href="https://android.googlesource.com/kernel/common/+/41900903483eb96602dd72e719a798c208118aad" class="external">4190090
ARM: 8087/1: ptrace: reload syscall number after secure_computing() check</a> by
Will Deacon</li>
<li><a href="https://android.googlesource.com/kernel/common/+/abbfed9ed1a78701ef3db74f5287958feb897035" class="external">abbfed9
arm64: ptrace: add PTRACE_SET_SYSCALL</a> by AKASHI Takahiro</li>
<li><a href="https://android.googlesource.com/kernel/common/+/feb28436457d33fef9f264635291432df4b74122" class="external">feb2843
arm64: ptrace: allow tracer to skip a system call</a> by AKASHI Takahiro</li>
<li><a href="https://android.googlesource.com/kernel/common/+/dab10731da65a0deba46402ca9fadf6974676cc8" class="external">dab1073
asm-generic: add generic seccomp.h for secure computing mode 1</a> by AKASHI
Takahiro</li>
<li><a href="https://android.googlesource.com/kernel/common/+/4f12b53f28a751406a27ef7501a22f9e32a9c30b" class="external">4f12b53
add seccomp syscall for compat task</a> by AKASHI Takahiro</li>
<li><a href="https://android.googlesource.com/kernel/common/+/77227239d20ac6381fb1aee7b7cc902f0d14cd85" class="external">7722723
arm64: add SIGSYS siginfo for compat task</a> by AKASHI Takahiro</li>
<li><a href="https://android.googlesource.com/kernel/common/+/210957c2bb3b4d111963bb296e2c42beb8721929" class="external">210957c
arm64: add seccomp support</a> by AKASHI Takahiro</li>
</ul>

  </body>
</html>