Konfiguration des Linux Kernels
Optional: Firmware und/oder Microcode installieren
Firmware
Suggested: Linux Firmware
On many systems, non-FOSS firmware is required for certain hardware to function. The sys-kernel/linux-firmware package contains firmware for many, but not all, devices.
Most wireless cards and GPUs require firmware to function.
root #
emerge --ask sys-kernel/linux-firmware
Die Installation bestimmter Firmware-Pakete erfordert oft das Akzeptieren der zugehörigen Firmware-Lizenzen. Falls erforderlich, finden Sie im Lizenzhandhabungsabschnitt des Handbuchs Hilfe zum Akzeptieren von Lizenzen.
Firmware Loading
Firmware files are typically loaded when the associated kernel module is loaded. This means the firmware must be built into the kernel using CONFIG_EXTRA_FIRMWARE if the kernel module is set to Y instead of M. In most cases, building-in a module which required firmware can complicate or break loading.
SOF Firmware
Sound Open Firmware (SOF) is a new open source audio driver meant to replace the proprietary Smart Sound Technology (SST) audio driver from Intel. 10th gen+ and Apollo Lake (Atom E3900, Celeron N3350, and Pentium N4200) Intel CPUs require this firmware for certain features and certain AMD APUs also have support for this firmware. SOF's supported platforms matrix can be found here for more information.
root #
emerge --ask sys-firmware/sof-firmware
{{#switch: amd64 | amd64 | x86 =
Microcode
Neben Grafik- und Netzwerk-Hardware können auch CPUs Firmware-Updates benötigen. Dieser Typ von Firmware wird Microcode genannt. Manchmal sind aktuelle Versionen von Microcode erforderlich, um Stabilitätsprobleme, Sicherheitsprobleme oder andere Bugs in CPU-Hardware zu patchen.
Microcode Updates für AMD CPUs sind in dem bereits genannten Paket sys-kernel/linux-firmware enthalten. Microcode Updates für Intel CPUs sind in dem Paket sys-firmware/intel-microcode enthalten. Dieses muss zusätzlich installiert werden. Weitere Informationen finden Sie im Microcode Artikel, in dem auch beschrieben wird, wie Microcode Updates auf der CPU aktiviert werden.
sys-kernel/installkernel
Installkernel may be used to automate the kernel installation, initramfs generation, unified kernel image generation and/or bootloader configuration among other things. sys-kernel/installkernel implements two paths of achieving this: the traditional installkernel originating from Debian and systemd's kernel-install. Which one to choose depends, among other things, on the system's bootloader. By default, systemd's kernel-install is used on systemd profiles, while the traditional installkernel is the default for other profiles.
Bootloader
Now is the time to think about which bootloader the user wants for the system, if unsure, follow the 'Traditional layout' subsection below.
GRUB
Users of GRUB can use either systemd's kernel-install or the traditional Debian installkernel. The systemd USE flag switches between these implementations. To automatically run grub-mkconfig when installing the kernel, enable the grub USE flag.
/etc/portage/package.use/installkernel
sys-kernel/installkernel grub
root #
emerge --ask sys-kernel/installkernel
systemd-boot
When using systemd-boot (formerly gummiboot) as the bootloader, systemd's kernel-install must be used. Therefore ensure the systemd and the systemd-boot USE flags are enabled on sys-kernel/installkernel, and then install the relevant package for systemd-boot.
On OpenRC systems:
/etc/portage/package.use/systemd-boot
sys-apps/systemd-utils boot kernel-install
sys-kernel/installkernel systemd systemd-boot
root #
emerge --ask sys-apps/systemd-utils sys-kernel/installkernel
On systemd systems:
/etc/portage/package.use/systemd
sys-apps/systemd boot
sys-kernel/installkernel systemd-boot
root #
emerge --ask sys-apps/systemd sys-kernel/installkernel
The kernel command line to use for new kernels should be specified in /etc/kernel/cmdline, for example:
/etc/kernel/cmdline
quiet splash
EFI stub
UEFI-based computer systems technically do not need secondary bootloaders in order to boot kernels. Secondary bootloaders exist to extend the functionality of UEFI firmware during the boot process. That being said, using a secondary bootloader is typically easier and more robust because it offers a more flexible approach for quickly modifying kernel parameters at boot time. Note also that UEFI implentations strongly differ between vendors and between models and there is no guarantee that a given firmware follows the UEFI specification. Therefore, EFI Stub booting is not guaranteed to work on every UEFI-based system, and hence the USE flag is stable masked and testing keywords must be accepted for installkernel to use this feature.
/etc/portage/package.accept_keywords/installkernel
sys-kernel/installkernel
sys-boot/uefi-mkconfig
app-emulation/virt-firmware
/etc/portage/package.use/installkernel
sys-kernel/installkernel efistub
root #
emerge --ask sys-kernel/installkernel
root #
mkdir -p /efi/EFI/Gentoo
Traditional layout, other bootloaders (e.g. (e)lilo, syslinux, etc.)
The traditional /boot layout (for e.g. (e)LILO, syslinux, etc.) is used by default if the grub, systemd-boot, efistub and uki USE flags are not enabled. No further action is required.
Initramfs
An initial ram-based file system, or initramfs, may be required for a system to boot. A wide of variety of cases may necessitate one, but common cases include:
- Kernels where storage/filesystem drivers are modules.
- Layouts with /usr/ or /var/ on separate partitions.
- Encrypted root filesystems.
Distribution kernels are designed to be used with an initramfs, as many storage and filesystem drivers are built as modules.
In addition to mounting the root filesystem, an initramfs may also perform other tasks such as:
- Running file system consistency check fsck, a tool to check and repair consistency of a file system in such events of uncleanly shutdown a system.
- Providing a recovery environment in the event of late-boot failures.
Installkernel can automatically generate an initramfs when installing the kernel if the dracut or ugrd USE flag is enabled:
/etc/portage/package.use/installkernel
sys-kernel/installkernel dracut
root #
emerge --ask sys-kernel/installkernel
Optional: Unified Kernel Image
A Unified Kernel Image (UKI) combines, among other things, the kernel, the initramfs and the kernel command line into a single executable. Since the kernel command line is embedded into the unified kernel image, it should be specified before generating the unified kernel image (see below). Note that any kernel command line arguments supplied by the bootloader or firmware at boot are ignored when booting with secure boot enabled.
A unified kernel image requires a stub loader. Currently, the only one available is systemd-stub. To enable it:
For systemd systems:
/etc/portage/package.use/uki
sys-apps/systemd boot
root #
emerge --ask sys-apps/systemd
For OpenRC systems:
/etc/portage/package.use/uki
sys-apps/systemd-utils boot kernel-install
root #
emerge --ask sys-apps/systemd-utils
Installkernel can automatically generate a unified kernel image using either dracut or ukify by enabling the respective flag and the uki USE flag.
For dracut:
/etc/portage/package.use/uki
sys-kernel/installkernel dracut uki
/etc/dracut.conf.d/uki.conf
uefi="yes"
kernel_cmdline="some-kernel-command-line-arguments"
root #
emerge --ask sys-kernel/installkernel
For ukify:
/etc/portage/package.use/uki
sys-apps/systemd boot ukify # For systemd systems
sys-apps/systemd-utils kernel-install boot ukify # For OpenRC systems
sys-kernel/installkernel dracut ukify uki
/etc/kernel/cmdline
some-kernel-command-line-arguments
root #
emerge --ask sys-kernel/installkernel
Note that while dracut can generate both an initramfs and a unified kernel image, ukify can only generate the latter and therefore the initramfs must be generated separately with dracut.
In the above configuration examples (for both Dracut and ukify) it is important to specify at least an appropriate root= parameter for the kernel command line to ensure that the Unified Kernel Image can find the root partition. This is not required for systemd based systems following the Discoverable Partitions Specification (DPS), in that case the embedded initramfs will be able to dynamically find the root partition.
Generic Unified Kernel Image (systemd only)
The prebuilt sys-kernel/gentoo-kernel-bin can optionally install a prebuilt generic unified kernel image containing a generic initramfs that is able to boot most systemd based systems. It can be installed by enabling the generic-uki USE flag, and configuring installkernel to not generate a custom initramfs or unified kernel image:
/etc/portage/package.use/uki
sys-kernel/gentoo-kernel-bin generic-uki
sys-kernel/installkernel -dracut -ukify -ugrd uki
Secure Boot
If following this section and manually compiling your own kernel, then make sure to follow the steps outlined in Signing the kernel
The generic Unified Kernel Image optionally distributed by sys-kernel/gentoo-kernel-bin is already pre-signed. How to sign a locally generated unified kernel image depends on whether dracut or ukify is used. Note that the location of the key and certificate should be the same as the SECUREBOOT_SIGN_KEY and SECUREBOOT_SIGN_CERT as specified in /etc/portage/make.conf.
For dracut:
/etc/dracut.conf.d/uki.conf
uefi="yes"
kernel_cmdline="some-kernel-command-line-arguments"
uefi_secureboot_key="/path/to/kernel_key.pem"
uefi_secureboot_cert="/path/to/kernel_key.pem"
For ukify:
/etc/kernel/uki.conf
[UKI]
SecureBootPrivateKey=/path/to/kernel_key.pem
SecureBootCertificate=/path/to/kernel_key.pem
Kernel konfigurieren und Kompilieren
It can be a wise move to use the dist-kernel on the first boot as it provides a very simple method to rule out system issues and kernel config issues. Always having a known working kernel to fallback on can speed up debugging and alleviate anxiety when updating that your system will no longer boot.
Nun ist es an der Zeit, die Kernel-Quellen zu konfigurieren und zu kompilieren. Für die Zwecke der Installation werden drei Ansätze für die Kernelverwaltung vorgestellt, jedoch kann zu jedem Zeitpunk nach der Installation ein neuer Ansatz gewählt werden.
During the installation phase of Gentoo, only one kernel type should be installed i.e. either the sys-kernel/gentoo-kernel-bin or sys-kernel/gentoo-sources.
In der Reihenfolge vom geringsten bis zum größten Aufwand:
- Full automation approach: Distribution kernels
- A Distribution Kernel is used to configure, automatically build, and install the Linux kernel, its associated modules, and (optionally, but enabled by default) an initramfs file. Future kernel updates are fully automated since they are handled through the package manager, just like any other system package. It is possible provide a custom kernel configuration file if customization is necessary. This is the least involved process and is perfect for new Gentoo users due to it working out-of-the-box and offering minimal involvement from the system administrator.
- Hybrid approach: Genkernel
- New kernel sources are installed via the system package manager. System administrators use Gentoo's genkernel tool to generically configure, automatically build and install the Linux kernel, its associated modules, and (optionally, but not enabled by default) an initramfs file. It is possible provide a custom kernel configuration file if customization is necessary. Future kernel configuration, compilation, and installation require the system administrator's involvement in the form of running eselect kernel, genkernel, and potentially other commands for each update.
- Full manual approach
- New kernel sources are installed via the system package manager. The kernel is manually configured, built, and installed using the eselect kernel and a slew of make commands. Future kernel updates repeat the manual process of configuring, building, and installing the kernel files. This is the most involved process, but offers maximum control over the kernel update process.
- Vollständiger Automatisierungsansatz: Distributionskernel
- Ein Distributionskernel wird verwendet, um den Linux-Kernel, seine dazugehörigen Module und (optional, aber standardmäßig aktiviert) eine initramfs-Datei zu konfigurieren, automatisch zu bauen und zu installieren. Zukünftige Kernel-Aktualisierungen sind vollständig automatisiert, da sie über den Paketmanager abgewickelt werden, genauso wie jedes andere Systempaket. Es ist möglich eine eigene Kernelkonfigurationsdatei bereitzustellen, wenn Anpassungen notwendig sind. Dies ist der am wenigsten aufwendige Prozess und eignet sich perfekt für neue Gentoo-Benutzer, da er sofort funktioniert und nur minimale Eingriffe des Systemadministrators erfordert.
- Hybridansatz: Genkernel
- Neue Kernelquellen werden über den Systempaketmanager installiert. Systemadministratoren benutzen Gentoos genkernel Werkzeug, um den Linux-Kernel, seine dazugehörigen Module und (optional aber nicht standardmäßig aktiviert) eine initramfs-Datei zu konfigurieren, automatisch zu bauen und zu installieren. Es ist möglich, eine benutzerdefinierte Kernelkonfigurationsdatei bereitzustellen, wenn eine Anpassung erforderlich ist. Zukünftige Kernelkonfigurationen, -kompilierungen und -installationen erfordern die Beteiligung des Systemadministrators in Form der Ausführung von eselect kernel, genkernel und möglicherweise andere Befehle für jede Aktualisierung.
- Vollständige manuelle Vorgehensweise
- Neue Kernelquellen werden über den Systempaketmanager installiert. Der Kernel wird manuell konfiguriert, gebaut und installiert unter Verwendung des eselect kernel und einer Reihe von make Befehlen. Künftige Kernel-Updates wiederholen den manuellen Prozess des Konfigurierens, Erstellens und Installieren der Kernel-Dateien. Dies ist der aufwändigste Prozess, bietet aber maximale Kontrolle über den Kernel-Aktualisierungsprozess.
Der Kern, um den alle Distributionen gebaut sind, ist der Linux Kernel. Er ist die Schicht zwischen den Benutzerprogrammen und der Systemhardware. Obwohl das Handbuch seinen Benutzern verschiedene Kernel-Quellen anbietet, ist eine umfassendere Auflistung mit detaillierter Beschreibung auf der Kernel Übersichtsseite verfügbar.
Kernel installation tasks such as copying the kernel image to /boot or the EFI System Partition, generating an initramfs and/or Unified Kernel Image, updating bootloader configuration, can be automated with installkernel. Users may wish to configure and install sys-kernel/installkernel before proceeding. See the Kernel installation section below for more more information.
Distribution kernels
Distribution Kernels are ebuilds that cover the complete process of unpacking, configuring, compiling, and installing the kernel. The primary advantage of this method is that the kernels are updated to new versions by the package manager as part of @world upgrade. This requires no more involvement than running an emerge command. Distribution kernels default to a configuration supporting the majority of hardware, however two mechanisms are offered for customization: savedconfig and config snippets. See the project page for more details on configuration.
Optional: Signed kernel modules
The kernel modules in the prebuilt distribution kernel (sys-kernel/gentoo-kernel-bin) are already signed. To sign the modules of kernels built from source enable the modules-sign USE flag, and optionally specify which key to use for signing in /etc/portage/make.conf:
/etc/portage/make.conf
Enable module signingUSE="modules-sign"
# Optionally, to use custom signing keys.
MODULES_SIGN_KEY="/path/to/kernel_key.pem"
MODULES_SIGN_CERT="/path/to/kernel_key.pem" # Only required if the MODULES_SIGN_KEY does not also contain the certificate.
MODULES_SIGN_HASH="sha512" # Defaults to sha512.
If MODULES_SIGN_KEY is not specified the kernel build system will generate a key, it will be stored in /usr/src/linux-x.y.z/certs. It is recommended to manually generate a key to ensure that it will be the same for each kernel release. A key may be generated with:
root #
openssl req -new -nodes -utf8 -sha256 -x509 -outform PEM -out kernel_key.pem -keyout kernel_key.pem
The MODULES_SIGN_KEY and MODULES_SIGN_CERT may be different files. For this example the pem file generated by OpenSSL includes both the key and the accompanying certificate, and thus both variables are set to the same value.
OpenSSL will ask some questions about the user generating the key, it is recommended to fill in these questions as detailed as possible.
Store the key in a safe location, at the very least the key should be readable only by the root user. Verify this with:
root #
ls -l kernel_key.pem
-r-------- 1 root root 3164 Jan 4 10:38 kernel_key.pem
If this outputs anything other then the above, correct the permissions with:
root #
chown root:root kernel_key.pem
root #
chmod 400 kernel_key.pem
Optional: Signing the kernel image (Secure Boot)
The kernel image in the prebuilt distribution kernel (sys-kernel/gentoo-kernel-bin) is already signed for use with Secure Boot. To sign the kernel image of kernels built from source enable the secureboot USE flag, and optionally specify which key to use for signing in /etc/portage/make.conf. Note that signing the kernel image for use with secureboot requires that the kernel modules are also signed, the same key may be used to sign both the kernel image and the kernel modules:
/etc/portage/make.conf
Enable custom signing keysUSE="modules-sign secureboot"
# Optionally, to use custom signing keys.
MODULES_SIGN_KEY="/path/to/kernel_key.pem"
MODULES_SIGN_CERT="/path/to/kernel_key.pem" # Only required if the MODULES_SIGN_KEY does not also contain the certificate.
MODULES_SIGN_HASH="sha512" # Defaults to sha512.
# Optionally, to boot with secureboot enabled, may be the same or different signing key.
SECUREBOOT_SIGN_KEY="/path/to/kernel_key.pem"
SECUREBOOT_SIGN_CERT="/path/to/kernel_key.pem"
The SECUREBOOT_SIGN_KEY and SECUREBOOT_SIGN_CERT may be different files. For this example the pem file generated by OpenSSL includes both the key and the accompanying certificate, and thus both variables are set to the same value.
For this example the same key that was generated to sign the modules is used to sign the kernel image. It is also possible to generate and use a second separate key for signing the kernel image. The same OpenSSL command as in the previous section may be used again.
See the above section for instructions on generating a new key, the steps may be repeated if a separate key should be used to sign the kernel image.
To successfully boot with Secure Boot enabled, the used bootloader must also be signed and the certificate must be accepted by the UEFI firmware or Shim. This will be explained later in the handbook.
Installing a distribution kernel
To build a kernel with Gentoo patches from source, type:
root #
emerge --ask sys-kernel/gentoo-kernel
System administrators who want to avoid compiling the kernel sources locally can instead use precompiled kernel images:
root #
emerge --ask sys-kernel/gentoo-kernel-bin
Distribution Kernels, such as sys-kernel/gentoo-kernel and sys-kernel/gentoo-kernel-bin, by default, expect to be installed alongside an initramfs. Before running emerge to install the kernel users should ensure that sys-kernel/installkernel has been configured to utilize an initramfs generator (for example Dracut) as described in the installkernel section.
Upgrading and cleaning up
Once the kernel is installed, the package manager will automatically update it to newer versions. The previous versions will be kept until the package manager is requested to clean up stale packages. To reclaim disk space, stale packages can be trimmed by periodically running emerge with the --depclean
option:
root #
emerge --depclean
Alternatively, to specifically clean up old kernel versions:
root #
emerge --prune sys-kernel/gentoo-kernel sys-kernel/gentoo-kernel-bin
By design, emerge only removes the kernel build directory. It does not actually remove the kernel modules, nor the installed kernel image. To completely clean-up old kernels, the app-admin/eclean-kernel tool may be used.
Post-install/upgrade tasks
An upgrade of a distribution kernel is capable of triggering an automatic rebuild for external kernel modules installed by other packages (for example: sys-fs/zfs-kmod or x11-drivers/nvidia-drivers). This automated behaviour is enabled by enabling the dist-kernel USE flag. When required, this same flag will also trigger re-generation of the initramfs.
It is highly recommended to enable this flag globally via /etc/portage/make.conf when using a distribution kernel:
/etc/portage/make.conf
Enabling USE=dist-kernelUSE="dist-kernel"
Manually rebuilding the initramfs or Unified Kernel Image
If required, manually trigger such rebuilds by, after a kernel upgrade, executing:
root #
emerge --ask @module-rebuild
If any kernel modules (e.g. ZFS) are needed at early boot, rebuild the initramfs afterward via:
root #
emerge --config sys-kernel/gentoo-kernel
root #
emerge --config sys-kernel/gentoo-kernel-bin
After installing the Distribution Kernel successfully, it is now time to proceed to the next section: Configuring the system.
Installieren der Kernel-Quellen
Für die Installation und Kompilierung des Kernels für amd64-basierte Systeme empfiehlt Gentoo das Paket sys-kernel/gentoo-sources.
Wählen Sie eine geeignete Kernelquelle und installieren Sie sie mit emerge:
root #
emerge --ask sys-kernel/gentoo-sources
Dieser Befehl installiert die Quellen des Linux-Kernels in dem Verzeichnis /usr/src/. Im Namen des angelegten Unterverzeichnisses steht die Version des Linux-Kernels (beispielsweise /usr/src/linux-4.9.16-gentoo). Der emerge-Befehl erzeugt einen symbolischen Link /usr/src/linux auf dieses Verzeichnis, wenn das USE-Flag symlink
bei dem Paket gesetzt ist.
Es ist gute Praxis, einen Symlink /usr/src/linux auf das Verzeichnis mit dem Source-Code der Kernel-Version zeigen zu lassen, die auf dem System läuft. Dieser Symlink wird nicht automatisch erzeugt. Er kann jedoch einfach mit Hilfe des eselect Kernel Modules erzeugt werden.
Weitere Informationen über Zweck und Handhabung des Symlinks finden Sie unter Kernel/Upgrade.
Lassen Sie eine Liste der installierten Kernel anzeigen:
root #
eselect kernel list
Available kernel symlink targets: [1] linux-6.6.21-gentoo
Mit folgendem Befehl können Sie einen symbolischen Link namens linux anlegen:
root #
eselect kernel set 1
root #
ls -l /usr/src/linux
lrwxrwxrwx 1 root root 12 Oct 13 11:04 /usr/src/linux -> linux-6.6.21-gentoo
Alternative: Manuelle Konfiguration
In case it was missed, this section requires the kernel sources to be installed. Be sure to obtain the relevant kernel sources, then return here for the rest of section.
Manually configuring a kernel is commonly seen as one of the most difficult procedures a system administrator has to perform. Nothing is less true - after configuring a few kernels no one remembers that it was difficult! There are two ways for a Gentoo user to manage a manual kernel system, both of which are listed below:
Modprobed-db process
A very easy way to manage the kernel is to first install sys-kernel/gentoo-kernel-bin and use the sys-kernel/modprobed-db to collect information about what the system requires. modprobed-db is a tool which monitors the system via crontab to add all modules of all devices over the system's life to make sure it everything a user needs is supported. For example, if an Xbox controller is added after installation, then modprobed-db will add the modules to be built next time the kernel is rebuilt. More on this topic can be found in the Modprobed-db article.
Manual process
This method allows a user to have full control of how their kernel is built with as minimal help from outside tools as they wish. Some could consider this as making it hard for the sake of it.
Eine Sache ist jedoch wahr: um einen Kernel manuell konfigurieren zu können, ist es wichtig, das System zu kennen. Die meisten Informationen erhalten Sie durch das Programm lspci, das im Paket sys-apps/pciutils enthalten ist.
root #
emerge --ask sys-apps/pciutils
root #
lspci
root #
lspci -v
Innerhalb der chroot-Umgebung können Sie jegliche pcilib-Warnung (wie pcilib: cannot open /sys/bus/pci/devices) ignorieren, die lspci auswerfen könnte.
Eine weitere Quelle von Systeminformationen ist lsmod. Diese Anweisung zeigt Ihnen, welche Kernel-Module die Installations-CD verwendet. Dies liefert gute Hinweise darauf, was im Kernel aktiviert werden sollte.
Gehen Sie in das Kernel Quellverzeichnis und führen Sie make menuconfig aus. Dies wird eine menübasierte Konfigurationsmaske starten.
root #
cd /usr/src/linux
root #
make menuconfig
The kernel has a method of autodetecting the modules currently being used on the installcd which will give a great starting point to allow a user to configure their own. This can be called by using:
root #
make localmodconfig
It's now time to configure using nconfig:
root #
make nconfig
Die Linux Kernel-Konfiguration hat viele, viele Abschnitte. Wir listen zunächst einige Optionen auf, die aktiviert werden müssen (ansonsten wird Gentoo nicht funktionieren, oder ohne zusätzliche Veränderungen nicht richtig funktionieren). Wir haben im Gentoo Wiki auch einen Gentoo Kernel-Konfigurationsleitfaden, der weiterhelfen könnte.
Enabling required options
Bei Verwendung des Pakets sys-kernel/gentoo-sources wird dringend empfohlen, die Gentoo-spezifischen Konfigurations-Optionen zu aktivieren. Diese stellen sicher, dass eine Mindestmenge von Kernel-Funktionen vorhanden ist, die für das einwandfreie Funktionieren erforderlich ist:
Gentoo Linux --->
Generic Driver Options --->
[*] Gentoo Linux support
[*] Linux dynamic and persistent device naming (userspace devfs) support
[*] Select options required by Portage features
Support for init systems, system and service managers --->
[*] OpenRC, runit and other script based systems and managers
[*] systemd
Die Wahl für die letzten beiden Zeilen sollte natürlich von dem gewählten Init-System abhängen (OpenRC vs. systemd). Es ist kein Fehler, die Unterstützung für beide Init-Systeme zu aktivieren.
Wenn das Paket sys-kernel/vanilla-sources verwendet wird, gibt es die Auswahlmöglichkeiten für das Init-System nicht. Die Aktivierung der notwendigen Kernel-Optionen ist natürlich trotzdem möglich - aber eine Beschreibung würde den Rahmen dieses Handbuchs sprengen.
Enabling support for typical system components
Stellen Sie sicher, dass jeder Treiber, der für das Booten des Systems wichtig ist (z.B. SATA-Controller, NVMe-Blockgeräteunterstützung, Dateisystemunterstützung, usw.), im Kernel und nicht also Modul kompiliert ist, da das System sonst möglicherweise nicht vollständig booten kann.
Als Nächstes wählen Sie den genauen Prozessor-Typ. Es wird auch empfohlen, die MCE-Funktion zu aktivieren (wenn verfügbar), so dass Benutzer bei Hardwareproblemen benachrichtigt werden können. Auf einigen Architekturen (wie z.B. X86_64) werden diese Fehler nicht über dmesg, sondern auf /dev/mcelog ausgegeben. Dies erfordert das Paket app-admin/mcelog.
Wählen Sie auch Maintain a devtmpfs file system to mount at /dev, damit kritische Gerätedateien bereits früh im Boot-Prozess verfügbar sind (CONFIG_DEVTMPFS and CONFIG_DEVTMPFS_MOUNT):
Device Drivers --->
Generic Driver Options --->
[*] Maintain a devtmpfs filesystem to mount at /dev
[*] Automount devtmpfs at /dev, after the kernel mounted the rootfs
Überprüfen Sie, dass SCSI disk Unterstützung aktiviert wurde (CONFIG_BLK_DEV_SD):
Device Drivers --->
SCSI device support --->
<*> SCSI device support
<*> SCSI disk support
Device Drivers --->
<*> Serial ATA and Parallel ATA drivers (libata) --->
[*] ATA ACPI Support
[*] SATA Port Multiplier support
<*> AHCI SATA support (ahci)
[*] ATA BMDMA support
[*] ATA SFF support (for legacy IDE and PATA)
<*> Intel ESB, ICH, PIIX3, PIIX4 PATA/SATA support (ata_piix)
Überprüfen Sie, ob die grundlegende NVMe-Unterstützung aktiviert wurde:
Device Drivers --->
<*> NVM Express block device
Device Drivers --->
NVME Support --->
<*> NVM Express block device
Es kann nicht schaden, die folgende zusätzliche NVMe-Unterstützung zu aktivieren:
[*] NVMe multipath support
[*] NVMe hardware monitoring
<M> NVM Express over Fabrics FC host driver
<M> NVM Express over Fabrics TCP host driver
<M> NVMe Target support
[*] NVMe Target Passthrough support
<M> NVMe loopback device support
<M> NVMe over Fabrics FC target driver
< > NVMe over Fabrics FC Transport Loopback Test driver (NEW)
<M> NVMe over Fabrics TCP target support
Gehen Sie nun zu den Dateisystemen (File Systems) und aktivieren Sie die Dateisysteme, die auf dem System verwendet werden sollen. Kompilieren Sie das Dateisystem, das als Root-Dateisystem verwendet wird, nicht als Modul. Andernfalls wird das Gentoo-System möglicherweise nicht in der Lage sein, die Root-Partition einzuhängen. Wählen Sie ebenfalls Virtual memory und /proc file system. Wählen Sie eine oder mehrere der folgenden Optionen, die auf dem System benötigt werden:
File systems --->
<*> Second extended fs support
<*> The Extended 3 (ext3) filesystem
<*> The Extended 4 (ext4) filesystem
<*> Btrfs filesystem support
<*> XFS filesystem support
DOS/FAT/NT Filesystems --->
<*> MSDOS fs support
<*> VFAT (Windows-95) fs support
Pseudo Filesystems --->
[*] /proc file system support
[*] Tmpfs virtual memory file system support (former shm fs)
Wenn PPPoE für die Internetverbindung, oder ein Einwahl-Modem verwendet wird, aktivieren Sie die folgenden Optionen (CONFIG_PPP, CONFIG_PPP_ASYNC, and CONFIG_PPP_SYNC_TTY):
Device Drivers --->
Network device support --->
<*> PPP (point-to-point protocol) support
<*> PPP over Ethernet
<*> PPP support for async serial ports
<*> PPP support for sync tty ports
Die beiden Komprimierungsoptionen schaden nicht, werden aber auch nicht unbedingt benötigt. Ebenso wenig wie die PPP over Ethernet Option, die vielleicht nur von ppp benötigt wird, wenn 'kernel mode PPPoE' konfiguriert wird.
Vergessen Sie nicht, die Unterstützung von Netzwerkkarten (Ethernet oder Wireless-LAN) zu aktivieren.
Die meisten Systeme haben auch mehrere Prozessorkerne zur Verfügung. Daher ist es wichtig, Symmetric multi-processing support zu aktivieren (CONFIG_SMP):
Processor type and features --->
[*] Symmetric multi-processing support
In Mehrkernsystemen zählt jeder Kern als ein Prozessor.
Wenn Sie USB-Eingabegeräte (wie Tastatur oder Maus) oder andere USB-Geräte verwenden, vergessen Sie nicht, diese ebenfalls zu aktivieren:
Device Drivers --->
HID support --->
-*- HID bus support
<*> Generic HID driver
[*] Battery level reporting for HID devices
USB HID support --->
<*> USB HID transport layer
[*] USB support --->
<*> xHCI HCD (USB 3.0) support
<*> EHCI HCD (USB 2.0) support
<*> OHCI HCD (USB 1.1) support
<*> Unified support for USB4 and Thunderbolt --->
Optional: Signed kernel modules
To automatically sign the kernel modules enable CONFIG_MODULE_SIG_ALL:
[*] Enable loadable module support
-*- Module signature verification
[*] Automatically sign all modules
Which hash algorithm should modules be signed with? (Sign modules with SHA-512) --->
Optionally change the hash algorithm if desired.
To enforce that all modules are signed with a valid signature, enable CONFIG_MODULE_SIG_FORCE as well:
[*] Enable loadable module support
-*- Module signature verification
[*] Require modules to be validly signed
[*] Automatically sign all modules
Which hash algorithm should modules be signed with? (Sign modules with SHA-512) --->
To use a custom key, specify the location of this key in CONFIG_MODULE_SIG_KEY. If unspecified, the kernel build system will generate a key. It is recommended to generate one manually instead. This can be done with:
root #
openssl req -new -nodes -utf8 -sha256 -x509 -outform PEM -out kernel_key.pem -keyout kernel_key.pem
OpenSSL will ask some questions about the user generating the key, it is recommended to fill in these questions as detailed as possible.
Store the key in a safe location, at the very least the key should be readable only by the root user. Verify this with:
root #
ls -l kernel_key.pem
-r-------- 1 root root 3164 Jan 4 10:38 kernel_key.pem
If this outputs anything other then the above, correct the permissions with:
root #
chown root:root kernel_key.pem
root #
chmod 400 kernel_key.pem
-*- Cryptographic API --->
Certificates for signature checking --->
(/path/to/kernel_key.pem) File name or PKCS#11 URI of module signing key
To also sign external kernel modules installed by other packages via linux-mod-r1.eclass
, enable the modules-sign USE flag globally:
/etc/portage/make.conf
Enable module signingUSE="modules-sign"
</div>
<div lang="en" dir="ltr" class="mw-content-ltr">
# Optionally, when using custom signing keys.
MODULES_SIGN_KEY="/path/to/kernel_key.pem"
MODULES_SIGN_CERT="/path/to/kernel_key.pem" # Only required if the MODULES_SIGN_KEY does not also contain the certificate
MODULES_SIGN_HASH="sha512" # Defaults to sha512
MODULES_SIGN_KEY and MODULES_SIGN_CERT may point to different files. For this example, the pem file generated by OpenSSL includes both the key and the accompanying certificate, and thus both variables are set to the same value.
Optional: Signing the kernel image (Secure Boot)
When signing the kernel image (for use on systems with Secure Boot enabled) it is recommended to set the following kernel config options:
General setup --->
Kexec and crash features --->
[*] Enable kexec system call
[*] Enable kexec file based system call
[*] Verify kernel signature during kexec_file_load() syscall
[*] Require a valid signature in kexec_file_load() syscall
[*] Enable ""image"" signature verification support
</div>
<div lang="en" dir="ltr" class="mw-content-ltr">
[*] Enable loadable module support
-*- Module signature verification
[*] Require modules to be validly signed
[*] Automatically sign all modules
Which hash algorithm should modules be signed with? (Sign modules with SHA-512) --->
</div>
<div lang="en" dir="ltr" class="mw-content-ltr">
Security options --->
[*] Integrity subsystem
[*] Basic module for enforcing kernel lockdown
[*] Enable lockdown LSM early in init
Kernel default lockdown mode (Integrity) --->
</div>
<div lang="en" dir="ltr" class="mw-content-ltr">
[*] Digital signature verification using multiple keyrings
[*] Enable asymmetric keys support
-*- Require all keys on the integrity keyrings be signed
[*] Provide keyring for platform/firmware trusted keys
[*] Provide a keyring to which Machine Owner Keys may be added
[ ] Enforce Machine Keyring CA Restrictions
Where ""image"" is a placeholder for the architecture specific image name. These options, from the top to the bottom: enforces that the kernel image in a kexec call must be signed (kexec allows replacing the kernel in-place), enforces that kernel modules are signed, enables lockdown integrity mode (prevents modifying the kernel at runtime), and enables various keychains.
On arches that do not natively support decompressing the kernel (e.g. arm64 and riscv), the kernel must be built with its own decompressor (zboot):
Device Drivers --->
Firmware Drivers --->
EFI (Extensible Firmware Interface) Support --->
[*] Enable the generic EFI decompressor
After compilation of the kernel, as explained in the next section, the kernel image must be signed. First install app-crypt/sbsigntools and then sign the kernel image:
root #
emerge --ask app-crypt/sbsigntools
root #
sbsign /usr/src/linux-x.y.z/path/to/kernel-image --cert /path/to/kernel_key.pem --key /path/to/kernel_key.pem --out /usr/src/linux-x.y.z/path/to/kernel-image
For this example, the same key that was generated to sign the modules is used to sign the kernel image. It is also possible to generate and use a second separate key for signing the kernel image. The same OpenSSL command as in the previous section may be used again.
Then proceed with the installation.
To automatically sign EFI executables installed by other packages, enable the secureboot USE flag globally:
/etc/portage/make.conf
Enable Secure BootUSE="modules-sign secureboot"
</div>
<div lang="en" dir="ltr" class="mw-content-ltr">
# Optionally, to use custom signing keys.
MODULES_SIGN_KEY="/path/to/kernel_key.pem"
MODULES_SIGN_CERT="/path/to/kernel_key.pem" # Only required if the MODULES_SIGN_KEY does not also contain the certificate.
MODULES_SIGN_HASH="sha512" # Defaults to sha512
</div>
<div lang="en" dir="ltr" class="mw-content-ltr">
# Optionally, to boot with secureboot enabled, may be the same or different signing key.
SECUREBOOT_SIGN_KEY="/path/to/kernel_key.pem"
SECUREBOOT_SIGN_CERT="/path/to/kernel_key.pem"
SECUREBOOT_SIGN_KEY and SECUREBOOT_SIGN_CERT may point to different files. For this example, the pem file generated by OpenSSL includes both the key and the accompanying certificate, and thus both variables are set to the same value.
When generating an Unified Kernel Image with systemd's
ukify
the kernel image will be signed automatically before inclusion in the unified kernel image and it is not necessary to sign it manually.
Architekturspezifische Kernel-Konfiguration
Stellen Sie sicher, dass Sie IA32 Emulation auswählen, wenn 32-Bit Programme unterstützt werden sollen (CONFIG_IA32_EMULATION). Gentoo installiert standardmäßig ein Multilib System (gemischte 32-Bit/64-Bit Umgebung). Deshalb wird diese Option benötigt, wenn kein no-multilib Profil verwendet wird.
Processor type and features --->
[ ] Machine Check / overheating reporting
[ ] Intel MCE Features
[ ] AMD MCE Features
Processor family (AMD-Opteron/Athlon64) --->
( ) Opteron/Athlon64/Hammer/K8
( ) Intel P4 / older Netburst based Xeon
( ) Core 2/newer Xeon
( ) Intel Atom
( ) Generic-x86-64
Binary Emulations --->
[*] IA32 Emulation
Aktivieren Sie den GPT Partitions-Label Support, falls das zuvor beim Partitionieren der Festplatte verwendet wurde (CONFIG_PARTITION_ADVANCED and CONFIG_EFI_PARTITION):
-*- Enable the block layer --->
Partition Types --->
[*] Advanced partition selection
[*] EFI GUID Partition support
Aktivieren Sie die EFI Stub Unterstützung, EFI Variablen und EFI Framebuffer im Linux Kernel, wenn Sie UEFI zum Booten des Systems verwenden (CONFIG_EFI, CONFIG_EFI_STUB, CONFIG_EFI_MIXED, CONFIG_EFI_VARS und CONFIG_FB_EFI):
Processor type and features --->
[*] EFI runtime service support
[*] EFI stub support
[*] EFI mixed-mode support
Device Drivers
Firmware Drivers --->
EFI (Extensible Firmware Interface) Support --->
<*> EFI Variable Support via sysfs
Graphics support --->
Frame buffer Devices --->
<*> Support for frame buffer devices --->
[*] EFI-based Framebuffer Support
File Systems
Pseudo filesystems ---> <*> EFI Variable filesystem
}} To enable the Kernel options for the use of SOF Firmware covered earlier:
Device Drivers --->
Sound card support --->
Advanced Linux Sound Architecture --->
<M> ALSA for SoC audio support --->
[*] Sound Open Firmware Support --->
<M> SOF PCI enumeration support
<M> SOF ACPI enumeration support
<M> SOF support for AMD audio DSPs
[*] SOF support for Intel audio DSPs
Kompilieren und installieren
Mit beendeter Konfiguration ist es nun an der Zeit, den Kernel zu kompilieren und zu installieren. Schließen Sie die Konfiguration und starten Sie den Kompiliervorgang:
root #
make && make modules_install
Es ist möglich, parallele Builds durch make -jX zu aktivieren, wobei
X
eine Ganzzahl ist und die Anzahl der Tasks angibt, die der Build-Prozess parallel starten darf. Dies ist ähnlich wie die Variable MAKEOPTS in der Anleitung zu /etc/portage/make.conf.Wenn der Kernel fertig kompiliert ist, kopieren Sie das Kernel-Abbild nach /boot/. Dies erfolgt durch den Befehl make install:
root #
make install
Dies kopiert das Kernel-Abbild zusammen mit der Datei System.map und der Kernel-Konfigurationsdatei nach /boot/.
Deprecated: Genkernel
Genkernel should only be considered by users with a required need that only Genkernel can meet. For others, it is recommended to use the Distribution kernel or manually compile their own as it will make maintaining a Gentoo system a lot more simple. An example of why genkernel is more difficult to manage is the lack of integration with sys-kernel/installkernel. This means a user will not get the same level of automation as provided by the other methods; for example, Unified Kernel Images will need to be created manually when using Genkernel.
Users still wishing to use Genkernel should see the Genkernel article for more information.
Kernel-Module
Auflistung der verfügbaren Kernelmodule
Hardware-Module manuell aufzulisten ist optional. In den meisten Fällen werden alle Hardwaremodule, die als angeschlossen erkannt werden, von udev geladen. Es ist jedoch nicht schädlich, wenn Module, die automatisch geladen werden, aufgelistet werden. Module können nicht zweimal geladen werden; sie werden entweder geladen oder nicht geladen. Manchmal benötigt exotische Hardware Hilfe, um ihre Treiber zu laden.
Die Module, die bei jedem Bootvorgang geladen werden müssen, können in die Dateien /etc/modules-load.d/*.conf im Format eines Moduls pro Zeile eingetragen werden. Wenn zusätzliche Optionen für die Module benötigt werden, sollten diese stattdessen in /etc/modprobe.d/*.conf-Dateien gesetzt werden.
Um alle Module anzuzeigen, die für eine bestimmte Kernelversion verfügbar sind, geben Sie den folgenden Befehl find ein. Vergessen Sie nicht, "<Kernelversion>" durch die entsprechende Version des zu durchsuchenden Kernels zu ersetzen:
root #
find /lib/modules/<Kernelversion>/ -type f -iname '*.o' -or -iname '*.ko' | less
Erzwingung des Ladens bestimmter Kernelmodule
Um den Kernel zu zwingen, das Modul 3c59x.ko (den Treiber für eine bestimmte 3Com-Netzwerkkartenfamilie) zu laden, bearbeiten Sie die Datei /etc/modules-load.d/network.conf und geben Sie den Modulnamen darin in.
root #
mkdir -p /etc/modules-load.d
root #
nano -w /etc/modules-load.d/network.conf
Beachten Sie, dass das Dateisuffix .ko des Moduls für den Lademechanismus unbedeutend ist und in der Konfigurationsdatei weggelassen wird:
/etc/modules-load.d/network.conf
Laden des 3c59x Moduls erzwingen3c59x
Setzen Sie die Installation mit der Konfiguration des Systems fort.