On Fri, Apr 14, 2017 at 12:21:14PM -0600, Reg Tiangha wrote:
> Here's my contribution to the project.

Thanks!

Andrew, maybe it would be a good idea to at least link to this thread
somewhere in the "Building" section of the docs? Or copy these instructions
there (the part about the actual building and customizing), including the
adjustments here and in subsequent messages?

> On my GitHub account, I've now got branches tracking kernels from 4.4
> all the way to 4.10. 

I assume you've also seen devel-* branches on my github account.

> My intent is to keep them up-to-date with upstream
> as much as possible, but all I can really test is to see is if they
> still compile and/or install/boot. If there are any issues with new
> versions, let me know, but I make no guarantees that I can actually
> *fix* any regressions that may be introduced by upstream. That said, if
> some people want to compile the latest kernel in a supported branch
> themselves on their own schedules optimized for their specific hardware
> setups, I hope this makes things a little easier for you.
> 
> https://github.com/rtiangha/qubes-linux-kernel/
> 
> 
> HOWTO:
> 
> - You'll need at least 4GB of free space in /home for each kernel you
> hope to compile.
> 
> - In a Fedora TemplateVM matching the version running in your dom0,
> install git and the qubes-kernel-vm-support package:
> 
> sudo dnf install git qubes-kernel-vm-support
> 
> I believe that should pull in everything you need to compile a kernel.
> At the moment, if you want to build a kernel higher than 4.8, you'll
> need to temporarily enable the current-testing repository since the
> version that's in stable right now is too old to work with kernels 4.9
> and above. That'll probably change eventually.
> 
> - Download sources:
> 
> git clone https://github.com/rtiangha/qubes-linux-kernel.git
> 
> - Enter directory:
> 
> cd qubes-linux-kernel
> 
> - Switch to the branch that you'd like to compile. For example, to
> switch to the 4.4 branch:
> 
> git checkout stable-4.4

Some signature verification of the downloaded code would be useful here. I
see you sign your commits, so it should be easy (look for "Good
signature" at the top, and also check whether the key is the one you expect):

    git show --show-signature

Or in machine readable format:

    git show -s --format=%G?

(it should output "G" for a good signature made with a trusted key; see
`git show --help` for details)

Of course you need to have the appropriate public key in your keyring first.

> You can also choose from devel-4.8, stable-4.9, and devel-4.10.
> 
> - Compile rpms:
> 
> make rpms
> 
> - The rpms will be stored in the rpms/x86_64 directory. Copy those to
> dom0 using these instructions:
> 
> https://www.qubes-os.org/doc/copy-from-dom0/
> 
> - Install rpms. In dom0, run:
> 
> dnf install kernel-<version>.rpm kernel-qubes-vm-<version>.rpm

A probably obvious warning: this will also execute some
pre/post-installation scripts in the package. That means that if the
building VM is compromised, it can include code in the rpm package
that will compromise dom0 when you install it.

> - Reboot and see if it works
> 
> 
> TIPS:
> 
> By default, the kernel configuration is set up for a very generic build
> to work with a variety of hardware. If you're going to go through the
> hassle of compiling your own kernels, you might as well optimize for
> your particular hardware configuration.  For example, if all you have
> are AMD machines and no Intel machines, rather than compiling a kernel
> for a generic x86_64 CPU, you can set the kernel to optimize for AMD
> CPUs specifically and you may net some performance improvements as a result.
> 
> - To do this, first download the kernel sources (make rpms automatically
> does this for you):
> 
> make get-sources

Don't forget about 'make verify-sources' (it checks the signature on the
downloaded tarball). It's better to call:

    make get-sources verify-sources

> - Then extract the source files:
> 
> tar Jxf linux-<version>.tar.xz
> 
> - Move into the directory:
> 
> cd linux-<version>.tar.xz

cd linux-<version>

> - Copy the default Qubes kernel configuration into the directory:
> 
> cp ../config .config
> 
> - Now, sometimes new drivers or kernel options will be introduced
> in-between kernel versions. It is always useful to check for that and to
> merge in anything new that you may find desirable. To do so, first run:
> 
> make oldconfig
> 
> What that will do is check the current kernel configuration file against
> what's available in the new kernel version. If there's nothing new, then
> it will exit gracefully. If there are some new things, it'll prompt you
> on whether or not you want to include them. If you have no idea what to
> do, you can probably just accept the default choices or just say No and
> still be safe if the current kernel configuration works for you.
> 
> - Customize your kernel:
> 
> make menuconfig
> 
> - You'll be presented with a menu with a whole lot of options. The
> easiest one to play with if you're just starting out is the Processor
> Type; if you compile for your specific CPU rather than a generic one,
> you may notice some performance improvements. Navigate to:
> 
> Processor type and features -> Processor family
> 
> And choose the Processor Family that best meets the machine you're
> compiling for. In my case, I've got machines based on an Intel Core 2
> Quad Q6600, an Intel Core i7-980x, and an Intel Core i7-2720M that I run
> Qubes on, and I install these kernels on all of them, so I select the
> "Core 2/new Xeon" option when I compile kernels for myself.
> 
> There are many kernel options that you can toggle, so if you want to go
> further, I *highly* suggest reading up on the ArchLinux or Gentoo kernel
> docs as they go more in depth on how to work with kernel options. Some
> interesting things to try would be to disable any hardware drivers for
> hardware you don't have, don't use, or will never use. Not only will
> that cut down on the attack surface, but it'll also save you on
> compilation time, RAM usage and disk space, which may result in some
> performance improvements too. Just make sure not to disable a driver for
> hardware that you actually have, and make sure you have a working dom0
> kernel installed already to boot back into, just in case the one you
> created doesn't work.
> 
> - When you're done, keep hitting ESC until you're asked if you want to
> exit and save your work. Select "Yes". Then, copy your work back to
> the main directory:
> 
> cp .config ../config
> 
> - And then you can test your new configuration by compiling it with make
> rpms. If you ever need to start over, run:
> 
> make clean
> 
> and it'll delete all of the directories with compiled stuff in it (it
> won't touch the rpm directory though so your output will still be saved).
> 
> 
> Compiling and customizing Linux kernels isn't too difficult. The main
> costs are in disk space and compilation time, especially if you're
> working with older or slower hardware. But once you're empowered to do
> this on your own, you'll be able to compile and install kernels at your
> leisure as well as keep up with upstream, rather than having to wait for
> newer versions of the official ones to be released.
> 
> Hope this helps!
> 
> 

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
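As an added example that is not part of this thread: a POSIX shell check that applies the `%G?`-based verification described above before building, and additionally pins the expected signing-key fingerprint (obtained with `%GF`, which needs a git release that supports that placeholder). The expected fingerprint passed to `verify_head` is a placeholder you supply; the status letters are the ones documented in `git show --help`.

```shell
#!/bin/sh
# Added example, not code from the thread or from the qubes-linux-kernel repo.
# Policy check on a commit's signature before "make rpms" is run from it.

# Decide from git's %G? status letter and %GF fingerprint whether a commit
# is acceptable. Returns 0 only for a good signature (G, or U when the key
# is in the keyring but not marked trusted) whose key fingerprint matches
# the one pinned by the caller; every other status is rejected.
verify_commit_status() {
    status="$1"; fingerprint="$2"; expected="$3"
    case "$status" in
        G) ;;  # good signature from a key marked trusted in the keyring
        U) ;;  # good signature, key present but untrusted; the pin below covers it
        B) echo "bad signature" >&2; return 1 ;;
        E) echo "signature could not be checked (key missing?)" >&2; return 1 ;;
        N) echo "commit is not signed" >&2; return 1 ;;
        X|Y|R) echo "signature from an expired or revoked key ($status)" >&2; return 1 ;;
        *) echo "unknown signature status '$status'" >&2; return 1 ;;
    esac
    [ "$fingerprint" = "$expected" ] || {
        echo "unexpected signing key: $fingerprint" >&2; return 1; }
    return 0
}

# Query git for HEAD's signature status and key fingerprint, then apply the
# policy. Usage inside the checkout: verify_head <expected-fingerprint>
verify_head() {
    status=$(git show -s --format=%G? HEAD) || return 1
    fingerprint=$(git show -s --format=%GF HEAD) || return 1
    verify_commit_status "$status" "$fingerprint" "$1"
}
```

Run `verify_head "$EXPECTED_FINGERPRINT" && make rpms` so the build only starts when the checked-out commit is signed by the key you expect.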