User:Pietinger/Experimental/Manual Configuring Kernel Version 6.9

Note
Even though this page is in the user namespace, corrections and additions are much appreciated! This is simply wiki policy; this page can be moved to the main wiki as soon as it achieves critical mass.

Manual Configuring Kernel Version 6.9

I wrote this article because 6.9 is interesting for AMD users (it now has a better AMD P-State) and also for Intel users who have a newer Intel CPU with hybrid architecture (P- and E-cores).

Warning
Kernel versions 6.9.0 and 6.9.1 have broken suspend to disk support. Upstream bug 218845 is tracking the issue. Update 2024-05-27: There is a report that it is fixed in 6.9.2, but I did not check it myself: [1] (6.9.3 was a typo).

from: Suspend_and_hibernate#Kernel

Notes for 6.9

  • Reworked x86 topology code for better handling Intel Core hybrid CPUs.
  • Intel Fastboot support is now enabled across all supported graphics generations.
  • Support for larger frame-buffer console fonts with modern 4K+ displays. (TBH I was not able to find them :-(
  • Continued work on the experimental Intel Xe DRM kernel graphics driver that Intel is aiming to get ready in time for Xe2 / Lunar Lake.
  • The old ntfs filesystem implementation has been removed in favor of ntfs3.
  • The ext2 filesystem has been marked as deprecated, mostly as a result of its inability to properly represent dates after January 2038. The filesystem is not going anywhere anytime soon, and ext2 filesystems are also covered by the ext4 module, but users are being encouraged to avoid it.
  • The kernel's Integrity Measurement Architecture and Extended Verification module (IMA/EVM) have been converted into proper Linux security modules. There should be no user-visible effects, but this change, which was enabled by the slowly proceeding security-module stacking work, simplifies the code considerably.
  • All mitigations have been renamed (https://www.phoronix.com/news/Linux-6.9-CONFIG-MITIGATIONS):
      x86/bugs: Rename CONFIG_GDS_FORCE_MITIGATION => CONFIG_MITIGATION_GDS_FORCE
      x86/bugs: Rename CONFIG_CPU_IBPB_ENTRY       => CONFIG_MITIGATION_IBPB_ENTRY
      x86/bugs: Rename CONFIG_CALL_DEPTH_TRACKING  => CONFIG_MITIGATION_CALL_DEPTH_TRACKING
      x86/bugs: Rename CONFIG_PAGE_TABLE_ISOLATION => CONFIG_MITIGATION_PAGE_TABLE_ISOLATION
      x86/bugs: Rename CONFIG_RETPOLINE            => CONFIG_MITIGATION_RETPOLINE
      x86/bugs: Rename CONFIG_SLS                  => CONFIG_MITIGATION_SLS
      x86/bugs: Rename CONFIG_CPU_UNRET_ENTRY      => CONFIG_MITIGATION_UNRET_ENTRY
      x86/bugs: Rename CONFIG_CPU_IBRS_ENTRY       => CONFIG_MITIGATION_IBRS_ENTRY
      x86/bugs: Rename CONFIG_CPU_SRSO             => CONFIG_MITIGATION_SRSO
      x86/bugs: Rename CONFIG_RETHUNK              => CONFIG_MITIGATION_RETHUNK

Upgrade from 6.6

Please read:

and then the following chapter.

Upgrade from 6.8

Before you start, check whether your CPU supports FRED, because you will need this for the first question in make oldconfig:

root #cpuid | grep FRED
      FRED transitions & MSRs                  = false

When you run make oldconfig, there are only a few questions where you cannot simply accept the default with <return>. Of course, this depends on your system and your choices. Here is a possible list (as always, I have left out all new modules for new hardware; if you have such hardware, enable the module):

1.
Flexible Return and Event Delivery (X86_FRED) [N/y/?] (NEW)
2.
Mitigations for CPU vulnerabilities (CPU_MITIGATIONS) [Y/n/?] (NEW)
  Remove the kernel mapping in user mode (MITIGATION_PAGE_TABLE_ISOLATION) [Y/n/?] (NEW)
  Avoid speculative indirect branches in kernel (MITIGATION_RETPOLINE) [Y/n/?] (NEW)
    Enable return-thunks (MITIGATION_RETHUNK) [Y/n/?] (NEW)
  Mitigate RSB underflow with call depth tracking (MITIGATION_CALL_DEPTH_TRACKING) [Y/n/?] (NEW)
  Enable IBRS on kernel entry (MITIGATION_IBRS_ENTRY) [Y/n/?] (NEW)
  Mitigate Straight-Line-Speculation (MITIGATION_SLS) [N/y/?] (NEW)
  Force GDS Mitigation (MITIGATION_GDS_FORCE) [N/y/?] (NEW)
3.
    AMD Processor P-State default mode (X86_AMD_PSTATE_DEFAULT_MODE) [3] (NEW)
4.
  Trim unused exported kernel symbols (TRIM_UNUSED_KSYMS) [N/y/?] (NEW)
5.
arptables-legacy packet filtering support (IP_NF_ARPFILTER) [N/y/?] (NEW)
6.
  Compressed RAM block device support (ZRAM) [N/m/y/?] (NEW) 
7.
  Default authorization mode for USB devices (USB_DEFAULT_AUTHORIZATION_MODE) [1] (NEW)
8.
  FUSE passthrough operations support (FUSE_PASSTHROUGH) [Y/n/?] (NEW) 
9.
  Perform checking for signed arithmetic wrap-around (UBSAN_SIGNED_WRAP) [Y/n/?] (NEW)

2. If you have hardened your kernel with KSPP and had SLS active, then enable it again (because the default is "No"). The same is true for "Force GDS Mitigation".

3. You will get this question only if you had X86_AMD_PSTATE enabled. 3 means -> Active (EPP)

4. You will get this question only if you have module support (I have not). You might enable it if you DON'T use external modules (like nvidia).

5. Help says: "This is only needed for arptables-legacy(8). Neither arptables-nft nor nftables need this to work."

6. You will get this question only if you have enabled one of the compression modules (LZO, ZSTD, LZ4HC or 842) of the kernel ->

Depends on: BLK_DEV [=y] && BLOCK [=y] && SYSFS [=y] && MMU [=y] && (CRYPTO_LZO [=y] || CRYPTO_ZSTD [=n] || CRYPTO_LZ4 [=n] || CRYPTO_LZ4HC [=n] || CRYPTO_842 [=n])

I don't need / use it. Enable it if you want to use a compressed TMPFS.

7. Help says: "With value 0 all connected USB devices with the exception of root hub require user space authorization before they can be used. With value 1 (default) no user space authorization is required to use connected USB devices." Because this is a security feature, I think it will become interesting in the future ... as soon as we have a user space application for it ... ;-)

8. You will get this question only if you had FUSE enabled (I have). If you make heavy use of FUSE, take the default. (I didn't take the default because my only application which needs it is dolphin.)

9. You will get this question only if you had hardened your kernel with KSPP and had UBSAN enabled. Take the default.
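
The risk described in note 2 and the rename list above, as an added example that is not part of the original page: a POSIX shell check that compares the pre-6.9 .config with the one written by make oldconfig and reports every mitigation that was enabled under its old name but is not enabled under its new name. The function names and the constructed sample configs in demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find mitigations that were =y under their pre-6.9 names but
# are no longer =y under the 6.9 names after `make oldconfig`.

# old:new symbol pairs, copied from the rename list on this page.
RENAMES='GDS_FORCE_MITIGATION:MITIGATION_GDS_FORCE
CPU_IBPB_ENTRY:MITIGATION_IBPB_ENTRY
CALL_DEPTH_TRACKING:MITIGATION_CALL_DEPTH_TRACKING
PAGE_TABLE_ISOLATION:MITIGATION_PAGE_TABLE_ISOLATION
RETPOLINE:MITIGATION_RETPOLINE
SLS:MITIGATION_SLS
CPU_UNRET_ENTRY:MITIGATION_UNRET_ENTRY
CPU_IBRS_ENTRY:MITIGATION_IBRS_ENTRY
CPU_SRSO:MITIGATION_SRSO
RETHUNK:MITIGATION_RETHUNK'

# is_enabled FILE SYMBOL: succeeds only if FILE contains CONFIG_SYMBOL=y.
is_enabled() { grep -q "^CONFIG_$2=y\$" "$1"; }

# lost_mitigations OLD NEW: prints each 6.9 symbol that was enabled in OLD
# (old name) but is not enabled in NEW; returns 1 if anything was printed.
lost_mitigations() {
    lost=0
    for pair in $RENAMES; do
        if is_enabled "$1" "${pair%%:*}" && ! is_enabled "$2" "${pair#*:}"; then
            echo "CONFIG_${pair#*:}"; lost=1
        fi
    done
    # All MITIGATION_* prompts sit under CPU_MITIGATIONS (question 2 above).
    is_enabled "$2" CPU_MITIGATIONS || { echo CONFIG_CPU_MITIGATIONS; lost=1; }
    return "$lost"
}

# demo: constructed 6.8 and 6.9 fragments where SLS and GDS fell back to "N".
demo() {
    d=$(mktemp -d) || return 2
    printf 'CONFIG_%s=y\n' RETPOLINE RETHUNK SLS GDS_FORCE_MITIGATION >"$d/old"
    printf 'CONFIG_%s=y\n' CPU_MITIGATIONS MITIGATION_RETPOLINE \
        MITIGATION_RETHUNK >"$d/new"
    printf '# CONFIG_%s is not set\n' MITIGATION_SLS MITIGATION_GDS_FORCE >>"$d/new"
    r=0; lost_mitigations "$d/old" "$d/new" || r=$?
    rm -rf "$d"
    return "$r"
}

# Usage: sh check.sh /path/to/old/.config /path/to/new/.config
if [ "$#" -eq 2 ]; then lost_mitigations "$1" "$2"; fi
```

Keep a copy of the 6.8 .config before running make oldconfig, since the old file is what the check compares against.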

New Installation

Please configure according to the instructions of User:Pietinger/Tutorials/Manual_Configuring_Kernel_Version_6.6. Please read then:

and then the previous chapter.