684 lines
17 KiB
Rust
684 lines
17 KiB
Rust
//! Real Linux kernel configuration for microVM boot.
|
|
//!
|
|
//! This module provides a minimal, valid Linux kernel `.config` suitable for
|
|
//! building a microVM kernel (Firecracker / QEMU microvm). The config enables
|
|
//! only what is needed: VirtIO drivers, networking, BPF, security hardening,
|
|
//! and a minimal filesystem. Everything else (sound, USB, DRM, wireless,
|
|
//! loadable modules) is disabled to keep the image small.
|
|
|
|
/// Minimal Linux kernel configuration for RVF microVM boot.
|
|
///
|
|
/// This is a valid Linux kernel `.config` file content. Key design decisions:
|
|
/// - No loadable modules (CONFIG_MODULES is not set) for security
|
|
/// - VirtIO PCI/block/net/vsock for Firecracker/QEMU compatibility
|
|
/// - BPF + JIT for eBPF programs embedded in RVF
|
|
/// - Security hardening (KASLR, stack protector, lockdown LSM)
|
|
/// - PREEMPT_NONE + NO_HZ_FULL for low-latency microVM
|
|
/// - Minimal filesystem support (ext4 + tmpfs + proc/sys/devtmpfs)
|
|
/// - No sound, USB, DRM, wireless, or other desktop hardware
|
|
pub const MICROVM_KERNEL_CONFIG: &str = r#"#
|
|
# RVF MicroVM Kernel Configuration
|
|
# Target: Linux 6.8.x for Firecracker / QEMU microvm
|
|
# Generated by rvf-kernel for RuVector Format computational containers
|
|
#
|
|
|
|
#
|
|
# General setup
|
|
#
|
|
CONFIG_LOCALVERSION="-rvf"
|
|
CONFIG_DEFAULT_HOSTNAME="rvf"
|
|
CONFIG_SWAP=y
|
|
CONFIG_SYSVIPC=y
|
|
CONFIG_POSIX_MQUEUE=y
|
|
CONFIG_AUDIT=y
|
|
CONFIG_NO_HZ_FULL=y
|
|
CONFIG_HIGH_RES_TIMERS=y
|
|
CONFIG_PREEMPT_NONE=y
|
|
CONFIG_TICK_CPU_ACCOUNTING=y
|
|
CONFIG_IKCONFIG=y
|
|
CONFIG_IKCONFIG_PROC=y
|
|
CONFIG_LOG_BUF_SHIFT=14
|
|
CONFIG_CGROUPS=y
|
|
CONFIG_CGROUP_SCHED=y
|
|
CONFIG_CGROUP_PIDS=y
|
|
CONFIG_CGROUP_CPUACCT=y
|
|
CONFIG_MEMCG=y
|
|
CONFIG_NAMESPACES=y
|
|
CONFIG_UTS_NS=y
|
|
CONFIG_IPC_NS=y
|
|
CONFIG_PID_NS=y
|
|
CONFIG_NET_NS=y
|
|
CONFIG_USER_NS=y
|
|
# CONFIG_MODULES is not set
|
|
CONFIG_CC_OPTIMIZE_FOR_SIZE=y
|
|
CONFIG_EXPERT=y
|
|
CONFIG_MULTIUSER=y
|
|
CONFIG_SYSFS_SYSCALL=y
|
|
CONFIG_FHANDLE=y
|
|
CONFIG_POSIX_TIMERS=y
|
|
CONFIG_PRINTK=y
|
|
CONFIG_BUG=y
|
|
CONFIG_ELF_CORE=y
|
|
CONFIG_BASE_FULL=y
|
|
CONFIG_FUTEX=y
|
|
CONFIG_EPOLL=y
|
|
CONFIG_SIGNALFD=y
|
|
CONFIG_TIMERFD=y
|
|
CONFIG_EVENTFD=y
|
|
CONFIG_AIO=y
|
|
CONFIG_IO_URING=y
|
|
CONFIG_ADVISE_SYSCALLS=y
|
|
CONFIG_KALLSYMS=y
|
|
CONFIG_EMBEDDED=y
|
|
|
|
#
|
|
# Processor type and features
|
|
#
|
|
CONFIG_64BIT=y
|
|
CONFIG_SMP=y
|
|
CONFIG_NR_CPUS=64
|
|
CONFIG_SCHED_SMT=y
|
|
CONFIG_X86_X2APIC=y
|
|
CONFIG_X86_LOCAL_APIC=y
|
|
CONFIG_X86_IO_APIC=y
|
|
CONFIG_X86_TSC=y
|
|
CONFIG_MICROCODE=y
|
|
CONFIG_X86_MSR=y
|
|
CONFIG_X86_CPUID=y
|
|
CONFIG_PARAVIRT=y
|
|
CONFIG_PARAVIRT_SPINLOCKS=y
|
|
CONFIG_KVM_GUEST=y
|
|
CONFIG_HYPERVISOR_GUEST=y
|
|
CONFIG_RANDOMIZE_BASE=y
|
|
CONFIG_X86_DIRECT_GBPAGES=y
|
|
CONFIG_NUMA=y
|
|
CONFIG_MTRR=y
|
|
CONFIG_X86_PAT=y
|
|
|
|
#
|
|
# Memory management
|
|
#
|
|
CONFIG_SPARSEMEM_VMEMMAP=y
|
|
CONFIG_MEMORY_HOTPLUG=y
|
|
CONFIG_TRANSPARENT_HUGEPAGE=y
|
|
CONFIG_COMPACTION=y
|
|
CONFIG_KSM=y
|
|
|
|
#
|
|
# Networking
|
|
#
|
|
CONFIG_NET=y
|
|
CONFIG_PACKET=y
|
|
CONFIG_UNIX=y
|
|
CONFIG_INET=y
|
|
CONFIG_IP_MULTICAST=y
|
|
CONFIG_IP_ADVANCED_ROUTER=y
|
|
CONFIG_IP_ROUTE_MULTIPATH=y
|
|
CONFIG_IP_PNP=y
|
|
CONFIG_IP_PNP_DHCP=y
|
|
CONFIG_TCP_CONG_CUBIC=y
|
|
CONFIG_TCP_CONG_BBR=y
|
|
CONFIG_DEFAULT_BBR=y
|
|
CONFIG_IPV6=y
|
|
CONFIG_NETFILTER=y
|
|
CONFIG_NF_CONNTRACK=y
|
|
CONFIG_NF_TABLES=y
|
|
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
|
|
CONFIG_IP_NF_IPTABLES=y
|
|
CONFIG_IP_NF_FILTER=y
|
|
CONFIG_IP_NF_NAT=y
|
|
CONFIG_IP_NF_MANGLE=y
|
|
CONFIG_VSOCKETS=y
|
|
CONFIG_VIRTIO_VSOCKETS=y
|
|
CONFIG_BRIDGE=y
|
|
CONFIG_VLAN_8021Q=y
|
|
|
|
#
|
|
# Device drivers — VirtIO (Firecracker/QEMU)
|
|
#
|
|
CONFIG_VIRTIO_PCI=y
|
|
CONFIG_VIRTIO_BLK=y
|
|
CONFIG_VIRTIO_NET=y
|
|
CONFIG_VIRTIO_BALLOON=y
|
|
CONFIG_VIRTIO_CONSOLE=y
|
|
CONFIG_VIRTIO_MMIO=y
|
|
CONFIG_VIRTIO_INPUT=y
|
|
CONFIG_HW_RANDOM_VIRTIO=y
|
|
|
|
#
|
|
# Block devices
|
|
#
|
|
CONFIG_BLK_DEV=y
|
|
CONFIG_BLK_DEV_LOOP=y
|
|
CONFIG_BLK_DEV_RAM=y
|
|
CONFIG_BLK_DEV_RAM_SIZE=65536
|
|
|
|
#
|
|
# SCSI (for virtio-scsi)
|
|
#
|
|
CONFIG_SCSI=y
|
|
CONFIG_BLK_DEV_SD=y
|
|
CONFIG_SCSI_VIRTIO=y
|
|
|
|
#
|
|
# Serial / console
|
|
#
|
|
CONFIG_SERIAL_8250=y
|
|
CONFIG_SERIAL_8250_CONSOLE=y
|
|
CONFIG_HW_RANDOM=y
|
|
CONFIG_TTY=y
|
|
CONFIG_VT=y
|
|
CONFIG_VT_CONSOLE=y
|
|
|
|
#
|
|
# Filesystems
|
|
#
|
|
CONFIG_EXT4_FS=y
|
|
CONFIG_EXT4_FS_POSIX_ACL=y
|
|
CONFIG_EXT4_FS_SECURITY=y
|
|
CONFIG_TMPFS=y
|
|
CONFIG_TMPFS_POSIX_ACL=y
|
|
CONFIG_PROC_FS=y
|
|
CONFIG_PROC_SYSCTL=y
|
|
CONFIG_SYSFS=y
|
|
CONFIG_DEVTMPFS=y
|
|
CONFIG_DEVTMPFS_MOUNT=y
|
|
# CONFIG_FUSE_FS is not set
|
|
# CONFIG_NFS_FS is not set
|
|
# CONFIG_CIFS is not set
|
|
|
|
#
|
|
# BPF subsystem
|
|
#
|
|
CONFIG_BPF=y
|
|
CONFIG_BPF_SYSCALL=y
|
|
CONFIG_BPF_JIT=y
|
|
CONFIG_BPF_JIT_ALWAYS_ON=y
|
|
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
|
|
CONFIG_CGROUP_BPF=y
|
|
CONFIG_BPF_LSM=y
|
|
CONFIG_BPF_STREAM_PARSER=y
|
|
|
|
#
|
|
# Security
|
|
#
|
|
CONFIG_SECURITY=y
|
|
CONFIG_SECURITY_NETWORK=y
|
|
CONFIG_SECURITY_LOCKDOWN_LSM=y
|
|
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
|
|
CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
|
|
CONFIG_SECURITY_YAMA=y
|
|
CONFIG_SECURITY_LANDLOCK=y
|
|
CONFIG_SECCOMP=y
|
|
CONFIG_SECCOMP_FILTER=y
|
|
CONFIG_STACKPROTECTOR=y
|
|
CONFIG_STACKPROTECTOR_STRONG=y
|
|
CONFIG_FORTIFY_SOURCE=y
|
|
CONFIG_HARDENED_USERCOPY=y
|
|
CONFIG_STATIC_USERMODEHELPER=y
|
|
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
|
|
# CONFIG_SECURITY_SELINUX is not set
|
|
# CONFIG_SECURITY_APPARMOR is not set
|
|
|
|
#
|
|
# Crypto
|
|
#
|
|
CONFIG_CRYPTO=y
|
|
CONFIG_CRYPTO_SHA256=y
|
|
CONFIG_CRYPTO_SHA512=y
|
|
CONFIG_CRYPTO_AES=y
|
|
CONFIG_CRYPTO_GCM=y
|
|
CONFIG_CRYPTO_CHACHA20POLY1305=y
|
|
CONFIG_CRYPTO_ECDH=y
|
|
CONFIG_CRYPTO_CURVE25519=y
|
|
|
|
#
|
|
# Disabled subsystems (keep image small)
|
|
#
|
|
# CONFIG_SOUND is not set
|
|
# CONFIG_USB_SUPPORT is not set
|
|
# CONFIG_DRM is not set
|
|
# CONFIG_WIRELESS is not set
|
|
# CONFIG_WLAN is not set
|
|
# CONFIG_BLUETOOTH is not set
|
|
# CONFIG_INPUT_JOYSTICK is not set
|
|
# CONFIG_INPUT_TABLET is not set
|
|
# CONFIG_INPUT_TOUCHSCREEN is not set
|
|
# CONFIG_MEDIA_SUPPORT is not set
|
|
# CONFIG_AGP is not set
|
|
# CONFIG_PCMCIA is not set
|
|
# CONFIG_INFINIBAND is not set
|
|
# CONFIG_ISDN is not set
|
|
# CONFIG_PARPORT is not set
|
|
# CONFIG_PHONE is not set
|
|
# CONFIG_ACCESSIBILITY is not set
|
|
# CONFIG_FIRMWARE_EDID is not set
|
|
# CONFIG_LOGO is not set
|
|
# CONFIG_FB is not set
|
|
# CONFIG_BACKLIGHT_CLASS_DEVICE is not set
|
|
|
|
#
|
|
# Debugging (minimal for production)
|
|
#
|
|
CONFIG_PRINTK_TIME=y
|
|
CONFIG_MAGIC_SYSRQ=y
|
|
CONFIG_DEBUG_KERNEL=y
|
|
# CONFIG_DEBUG_INFO_DWARF5 is not set
|
|
# CONFIG_KPROBES is not set
|
|
# CONFIG_FTRACE is not set
|
|
"#;
|
|
|
|
/// Ultra-fast boot kernel configuration optimized for sub-100ms cold start.
|
|
///
|
|
/// Compared to the general-purpose `MICROVM_KERNEL_CONFIG`, this strips:
|
|
/// - NUMA detection, memory hotplug, THP, KSM, compaction
|
|
/// - cgroups, namespaces, audit, POSIX IPC
|
|
/// - SCSI subsystem, loop/RAM block devices, ext4
|
|
/// - Netfilter, bridge, VLAN, IPv6
|
|
/// - All debug/tracing infrastructure
|
|
/// - Reduced NR_CPUS (4 vs 64) for faster SMP init
|
|
/// - LZ4 compression for fastest decompression
|
|
/// - Optimized for performance (not size)
|
|
///
|
|
/// Trade-offs:
|
|
/// - No container isolation (no cgroups/namespaces)
|
|
/// - No persistent filesystem (initramfs-only boot)
|
|
/// - No IPv6 networking
|
|
/// - No firewall/NAT (no netfilter)
|
|
/// - Slightly larger image (performance-optimized codegen)
|
|
pub const ULTRAFAST_BOOT_CONFIG: &str = r#"#
|
|
# RVF Ultra-Fast Boot Kernel Configuration
|
|
# Target: Linux 6.8.x for sub-100ms cold start
|
|
# Optimized for: minimal init path, fastest decompression, direct-to-service
|
|
#
|
|
|
|
#
|
|
# General setup — stripped to bare minimum
|
|
#
|
|
CONFIG_LOCALVERSION="-rvf-fast"
|
|
CONFIG_DEFAULT_HOSTNAME="rvf"
|
|
# CONFIG_SWAP is not set
|
|
# CONFIG_SYSVIPC is not set
|
|
# CONFIG_POSIX_MQUEUE is not set
|
|
# CONFIG_AUDIT is not set
|
|
CONFIG_NO_HZ_FULL=y
|
|
CONFIG_HIGH_RES_TIMERS=y
|
|
CONFIG_PREEMPT_NONE=y
|
|
CONFIG_TICK_CPU_ACCOUNTING=y
|
|
# CONFIG_IKCONFIG is not set
|
|
# CONFIG_IKCONFIG_PROC is not set
|
|
CONFIG_LOG_BUF_SHIFT=12
|
|
# CONFIG_CGROUPS is not set
|
|
# CONFIG_NAMESPACES is not set
|
|
# CONFIG_MODULES is not set
|
|
CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y
|
|
CONFIG_EXPERT=y
|
|
CONFIG_MULTIUSER=y
|
|
# CONFIG_SYSFS_SYSCALL is not set
|
|
CONFIG_FHANDLE=y
|
|
CONFIG_POSIX_TIMERS=y
|
|
CONFIG_PRINTK=y
|
|
CONFIG_BUG=y
|
|
# CONFIG_ELF_CORE is not set
|
|
# CONFIG_BASE_FULL is not set
|
|
CONFIG_FUTEX=y
|
|
CONFIG_EPOLL=y
|
|
CONFIG_SIGNALFD=y
|
|
CONFIG_TIMERFD=y
|
|
CONFIG_EVENTFD=y
|
|
CONFIG_AIO=y
|
|
# CONFIG_IO_URING is not set
|
|
# CONFIG_ADVISE_SYSCALLS is not set
|
|
# CONFIG_KALLSYMS is not set
|
|
CONFIG_EMBEDDED=y
|
|
|
|
#
|
|
# Processor — minimal SMP, no NUMA
|
|
#
|
|
CONFIG_64BIT=y
|
|
CONFIG_SMP=y
|
|
CONFIG_NR_CPUS=4
|
|
# CONFIG_SCHED_SMT is not set
|
|
CONFIG_X86_LOCAL_APIC=y
|
|
CONFIG_X86_IO_APIC=y
|
|
CONFIG_X86_TSC=y
|
|
# CONFIG_MICROCODE is not set
|
|
# CONFIG_X86_MSR is not set
|
|
# CONFIG_X86_CPUID is not set
|
|
# CONFIG_PARAVIRT is not set
|
|
# CONFIG_KVM_GUEST is not set
|
|
CONFIG_HYPERVISOR_GUEST=y
|
|
CONFIG_RANDOMIZE_BASE=y
|
|
# CONFIG_NUMA is not set
|
|
# CONFIG_MTRR is not set
|
|
|
|
#
|
|
# Memory — no hotplug, no THP, no KSM
|
|
#
|
|
CONFIG_SPARSEMEM_VMEMMAP=y
|
|
# CONFIG_MEMORY_HOTPLUG is not set
|
|
# CONFIG_TRANSPARENT_HUGEPAGE is not set
|
|
# CONFIG_COMPACTION is not set
|
|
# CONFIG_KSM is not set
|
|
|
|
#
|
|
# Networking — minimal TCP/IP only
|
|
#
|
|
CONFIG_NET=y
|
|
CONFIG_PACKET=y
|
|
CONFIG_UNIX=y
|
|
CONFIG_INET=y
|
|
CONFIG_IP_PNP=y
|
|
CONFIG_IP_PNP_DHCP=y
|
|
CONFIG_TCP_CONG_CUBIC=y
|
|
# CONFIG_IPV6 is not set
|
|
# CONFIG_NETFILTER is not set
|
|
CONFIG_VSOCKETS=y
|
|
CONFIG_VIRTIO_VSOCKETS=y
|
|
# CONFIG_BRIDGE is not set
|
|
# CONFIG_VLAN_8021Q is not set
|
|
|
|
#
|
|
# Device drivers — VirtIO only
|
|
#
|
|
CONFIG_VIRTIO_PCI=y
|
|
CONFIG_VIRTIO_BLK=y
|
|
CONFIG_VIRTIO_NET=y
|
|
CONFIG_VIRTIO_MMIO=y
|
|
CONFIG_HW_RANDOM_VIRTIO=y
|
|
|
|
#
|
|
# Block — no loop, no RAM disk, no SCSI
|
|
#
|
|
CONFIG_BLK_DEV=y
|
|
# CONFIG_BLK_DEV_LOOP is not set
|
|
# CONFIG_BLK_DEV_RAM is not set
|
|
# CONFIG_SCSI is not set
|
|
|
|
#
|
|
# Serial / console — minimal
|
|
#
|
|
CONFIG_SERIAL_8250=y
|
|
CONFIG_SERIAL_8250_CONSOLE=y
|
|
CONFIG_HW_RANDOM=y
|
|
CONFIG_TTY=y
|
|
# CONFIG_VT is not set
|
|
|
|
#
|
|
# Filesystems — initramfs only, no persistent FS
|
|
#
|
|
CONFIG_TMPFS=y
|
|
CONFIG_PROC_FS=y
|
|
CONFIG_PROC_SYSCTL=y
|
|
CONFIG_SYSFS=y
|
|
CONFIG_DEVTMPFS=y
|
|
CONFIG_DEVTMPFS_MOUNT=y
|
|
# CONFIG_EXT4_FS is not set
|
|
# CONFIG_FUSE_FS is not set
|
|
# CONFIG_NFS_FS is not set
|
|
# CONFIG_CIFS is not set
|
|
|
|
#
|
|
# Initramfs compression — LZ4 for fastest decompression
|
|
#
|
|
CONFIG_RD_LZ4=y
|
|
CONFIG_INITRAMFS_COMPRESSION_LZ4=y
|
|
|
|
#
|
|
# BPF subsystem
|
|
#
|
|
CONFIG_BPF=y
|
|
CONFIG_BPF_SYSCALL=y
|
|
CONFIG_BPF_JIT=y
|
|
CONFIG_BPF_JIT_ALWAYS_ON=y
|
|
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
|
|
|
|
#
|
|
# Security — essential hardening only
|
|
#
|
|
CONFIG_SECURITY=y
|
|
CONFIG_SECURITY_LOCKDOWN_LSM=y
|
|
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
|
|
CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
|
|
CONFIG_SECCOMP=y
|
|
CONFIG_SECCOMP_FILTER=y
|
|
CONFIG_STACKPROTECTOR=y
|
|
CONFIG_STACKPROTECTOR_STRONG=y
|
|
CONFIG_FORTIFY_SOURCE=y
|
|
# CONFIG_SECURITY_SELINUX is not set
|
|
# CONFIG_SECURITY_APPARMOR is not set
|
|
# CONFIG_SECURITY_YAMA is not set
|
|
# CONFIG_SECURITY_LANDLOCK is not set
|
|
|
|
#
|
|
# Crypto — minimal
|
|
#
|
|
CONFIG_CRYPTO=y
|
|
CONFIG_CRYPTO_SHA256=y
|
|
CONFIG_CRYPTO_AES=y
|
|
CONFIG_CRYPTO_CHACHA20POLY1305=y
|
|
|
|
#
|
|
# Disabled subsystems
|
|
#
|
|
# CONFIG_SOUND is not set
|
|
# CONFIG_USB_SUPPORT is not set
|
|
# CONFIG_DRM is not set
|
|
# CONFIG_WIRELESS is not set
|
|
# CONFIG_WLAN is not set
|
|
# CONFIG_BLUETOOTH is not set
|
|
# CONFIG_INPUT_JOYSTICK is not set
|
|
# CONFIG_INPUT_TABLET is not set
|
|
# CONFIG_INPUT_TOUCHSCREEN is not set
|
|
# CONFIG_MEDIA_SUPPORT is not set
|
|
# CONFIG_AGP is not set
|
|
# CONFIG_PCMCIA is not set
|
|
# CONFIG_INFINIBAND is not set
|
|
# CONFIG_ISDN is not set
|
|
# CONFIG_PARPORT is not set
|
|
# CONFIG_PHONE is not set
|
|
# CONFIG_ACCESSIBILITY is not set
|
|
# CONFIG_LOGO is not set
|
|
# CONFIG_FB is not set
|
|
# CONFIG_BACKLIGHT_CLASS_DEVICE is not set
|
|
|
|
#
|
|
# Debugging — completely disabled for speed
|
|
#
|
|
CONFIG_PRINTK_TIME=y
|
|
CONFIG_CONSOLE_LOGLEVEL_DEFAULT=1
|
|
# CONFIG_MAGIC_SYSRQ is not set
|
|
# CONFIG_DEBUG_KERNEL is not set
|
|
# CONFIG_DEBUG_INFO_DWARF5 is not set
|
|
# CONFIG_KPROBES is not set
|
|
# CONFIG_FTRACE is not set
|
|
"#;
|
|
|
|
/// Required config options for the ultra-fast boot kernel.
|
|
pub const ULTRAFAST_REQUIRED_OPTIONS: &[&str] = &[
|
|
"CONFIG_64BIT=y",
|
|
"CONFIG_SMP=y",
|
|
"CONFIG_VIRTIO_PCI=y",
|
|
"CONFIG_VIRTIO_BLK=y",
|
|
"CONFIG_VIRTIO_NET=y",
|
|
"CONFIG_BPF=y",
|
|
"CONFIG_BPF_JIT=y",
|
|
"CONFIG_BPF_SYSCALL=y",
|
|
"CONFIG_VSOCKETS=y",
|
|
"CONFIG_VIRTIO_VSOCKETS=y",
|
|
"CONFIG_SECURITY_LOCKDOWN_LSM=y",
|
|
"CONFIG_STACKPROTECTOR_STRONG=y",
|
|
"CONFIG_RANDOMIZE_BASE=y",
|
|
"CONFIG_PREEMPT_NONE=y",
|
|
"CONFIG_NO_HZ_FULL=y",
|
|
"# CONFIG_MODULES is not set",
|
|
"# CONFIG_SOUND is not set",
|
|
"# CONFIG_USB_SUPPORT is not set",
|
|
"# CONFIG_DRM is not set",
|
|
"# CONFIG_WIRELESS is not set",
|
|
"# CONFIG_CGROUPS is not set",
|
|
"# CONFIG_NUMA is not set",
|
|
"# CONFIG_EXT4_FS is not set",
|
|
"# CONFIG_DEBUG_KERNEL is not set",
|
|
"CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y",
|
|
];
|
|
|
|
/// Required config options that MUST be present for a valid RVF microVM kernel.
|
|
///
|
|
/// These are checked by `validate_config()` to ensure the config wasn't
|
|
/// accidentally stripped of critical options.
|
|
pub const REQUIRED_OPTIONS: &[&str] = &[
|
|
"CONFIG_64BIT=y",
|
|
"CONFIG_SMP=y",
|
|
"CONFIG_VIRTIO_PCI=y",
|
|
"CONFIG_VIRTIO_BLK=y",
|
|
"CONFIG_VIRTIO_NET=y",
|
|
"CONFIG_BPF=y",
|
|
"CONFIG_BPF_JIT=y",
|
|
"CONFIG_BPF_SYSCALL=y",
|
|
"CONFIG_VSOCKETS=y",
|
|
"CONFIG_VIRTIO_VSOCKETS=y",
|
|
"CONFIG_EXT4_FS=y",
|
|
"CONFIG_SECURITY_LOCKDOWN_LSM=y",
|
|
"CONFIG_STACKPROTECTOR_STRONG=y",
|
|
"CONFIG_RANDOMIZE_BASE=y",
|
|
"CONFIG_PREEMPT_NONE=y",
|
|
"CONFIG_NO_HZ_FULL=y",
|
|
"# CONFIG_MODULES is not set",
|
|
"# CONFIG_SOUND is not set",
|
|
"# CONFIG_USB_SUPPORT is not set",
|
|
"# CONFIG_DRM is not set",
|
|
"# CONFIG_WIRELESS is not set",
|
|
];
|
|
|
|
/// Validate that a kernel config string contains all required options.
|
|
///
|
|
/// Returns `Ok(())` if all required options are present, or `Err` with
|
|
/// a list of missing options.
|
|
pub fn validate_config(config: &str) -> Result<(), Vec<&'static str>> {
|
|
let missing: Vec<&str> = REQUIRED_OPTIONS
|
|
.iter()
|
|
.filter(|&&opt| !config.lines().any(|line| line.trim() == opt))
|
|
.copied()
|
|
.collect();
|
|
|
|
if missing.is_empty() {
|
|
Ok(())
|
|
} else {
|
|
Err(missing)
|
|
}
|
|
}
|
|
|
|
#[cfg(test)]
|
|
mod tests {
|
|
use super::*;
|
|
|
|
#[test]
|
|
fn microvm_config_has_all_required_options() {
|
|
let result = validate_config(MICROVM_KERNEL_CONFIG);
|
|
assert!(
|
|
result.is_ok(),
|
|
"missing required options: {:?}",
|
|
result.unwrap_err()
|
|
);
|
|
}
|
|
|
|
#[test]
|
|
fn config_disables_modules() {
|
|
assert!(MICROVM_KERNEL_CONFIG.contains("# CONFIG_MODULES is not set"));
|
|
}
|
|
|
|
#[test]
|
|
fn config_enables_virtio() {
|
|
assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_VIRTIO_PCI=y"));
|
|
assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_VIRTIO_BLK=y"));
|
|
assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_VIRTIO_NET=y"));
|
|
assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_VIRTIO_VSOCKETS=y"));
|
|
}
|
|
|
|
#[test]
|
|
fn config_enables_bpf() {
|
|
assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_BPF=y"));
|
|
assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_BPF_JIT=y"));
|
|
assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_BPF_SYSCALL=y"));
|
|
assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_BPF_JIT_ALWAYS_ON=y"));
|
|
}
|
|
|
|
#[test]
|
|
fn config_enables_security_hardening() {
|
|
assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_SECURITY_LOCKDOWN_LSM=y"));
|
|
assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_STACKPROTECTOR_STRONG=y"));
|
|
assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_RANDOMIZE_BASE=y"));
|
|
assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_SECCOMP=y"));
|
|
assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_SECCOMP_FILTER=y"));
|
|
assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_FORTIFY_SOURCE=y"));
|
|
}
|
|
|
|
#[test]
|
|
fn config_disables_desktop_hardware() {
|
|
assert!(MICROVM_KERNEL_CONFIG.contains("# CONFIG_SOUND is not set"));
|
|
assert!(MICROVM_KERNEL_CONFIG.contains("# CONFIG_USB_SUPPORT is not set"));
|
|
assert!(MICROVM_KERNEL_CONFIG.contains("# CONFIG_DRM is not set"));
|
|
assert!(MICROVM_KERNEL_CONFIG.contains("# CONFIG_WIRELESS is not set"));
|
|
assert!(MICROVM_KERNEL_CONFIG.contains("# CONFIG_BLUETOOTH is not set"));
|
|
}
|
|
|
|
#[test]
|
|
fn validate_catches_missing_options() {
|
|
let incomplete = "CONFIG_64BIT=y\nCONFIG_SMP=y\n";
|
|
let result = validate_config(incomplete);
|
|
assert!(result.is_err());
|
|
let missing = result.unwrap_err();
|
|
assert!(missing.contains(&"CONFIG_VIRTIO_PCI=y"));
|
|
}
|
|
|
|
#[test]
|
|
fn ultrafast_config_has_all_required_options() {
|
|
let missing: Vec<&str> = ULTRAFAST_REQUIRED_OPTIONS
|
|
.iter()
|
|
.filter(|&&opt| !ULTRAFAST_BOOT_CONFIG.lines().any(|line| line.trim() == opt))
|
|
.copied()
|
|
.collect();
|
|
assert!(
|
|
missing.is_empty(),
|
|
"ultrafast config missing required options: {:?}",
|
|
missing
|
|
);
|
|
}
|
|
|
|
#[test]
|
|
fn ultrafast_config_disables_heavy_subsystems() {
|
|
assert!(ULTRAFAST_BOOT_CONFIG.contains("# CONFIG_CGROUPS is not set"));
|
|
assert!(ULTRAFAST_BOOT_CONFIG.contains("# CONFIG_NAMESPACES is not set"));
|
|
assert!(ULTRAFAST_BOOT_CONFIG.contains("# CONFIG_NUMA is not set"));
|
|
assert!(ULTRAFAST_BOOT_CONFIG.contains("# CONFIG_AUDIT is not set"));
|
|
assert!(ULTRAFAST_BOOT_CONFIG.contains("# CONFIG_EXT4_FS is not set"));
|
|
assert!(ULTRAFAST_BOOT_CONFIG.contains("# CONFIG_NETFILTER is not set"));
|
|
assert!(ULTRAFAST_BOOT_CONFIG.contains("# CONFIG_IPV6 is not set"));
|
|
assert!(ULTRAFAST_BOOT_CONFIG.contains("# CONFIG_DEBUG_KERNEL is not set"));
|
|
}
|
|
|
|
#[test]
|
|
fn ultrafast_config_optimizes_for_performance() {
|
|
assert!(ULTRAFAST_BOOT_CONFIG.contains("CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y"));
|
|
assert!(ULTRAFAST_BOOT_CONFIG.contains("CONFIG_NR_CPUS=4"));
|
|
assert!(ULTRAFAST_BOOT_CONFIG.contains("CONFIG_RD_LZ4=y"));
|
|
assert!(ULTRAFAST_BOOT_CONFIG.contains("CONFIG_CONSOLE_LOGLEVEL_DEFAULT=1"));
|
|
}
|
|
|
|
#[test]
|
|
fn ultrafast_config_is_nonzero_length() {
|
|
assert!(ULTRAFAST_BOOT_CONFIG.len() > 500);
|
|
}
|
|
|
|
#[test]
|
|
fn config_sets_localversion() {
|
|
assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_LOCALVERSION=\"-rvf\""));
|
|
}
|
|
|
|
#[test]
|
|
fn config_is_nonzero_length() {
|
|
assert!(MICROVM_KERNEL_CONFIG.len() > 1000);
|
|
}
|
|
}
|