# Because Bottlerocket does not have an initramfs, the modules required to mount
# the root filesystem must be built in (set to y) rather than loadable (m).
# The root filesystem is ext4
CONFIG_EXT4_FS=y
# NVMe for EC2 Nitro platforms (C5, M5, and later)
CONFIG_BLK_DEV_NVME=y
CONFIG_NVME_CORE=y
# Xen blkfront for Xen-based EC2 platforms
CONFIG_XEN_BLKDEV_FRONTEND=y
# virtio for local testing with QEMU
CONFIG_VIRTIO=y
CONFIG_VIRTIO_BLK=y
CONFIG_VIRTIO_PCI=y
# dm-verity, and the ability to set it up from the kernel command line
CONFIG_BLK_DEV_DM=y
CONFIG_DAX=y
CONFIG_DM_INIT=y
CONFIG_DM_VERITY=y
# TCMU/LIO
CONFIG_TCM_USER2=m
# Enable EFI.
CONFIG_EFI=y
CONFIG_EFI_STUB=y
CONFIG_EFI_MIXED=y
# yama LSM for ptrace restrictions
CONFIG_SECURITY_YAMA=y
# Do not allow SELinux to be disabled at boot.
CONFIG_SECURITY_SELINUX_BOOTPARAM=n
# Do not allow SELinux to be disabled at runtime.
CONFIG_SECURITY_SELINUX_DISABLE=n
# Do not allow SELinux to run in permissive mode via `enforcing=0`.
CONFIG_SECURITY_SELINUX_DEVELOP=n
# Check the protection applied by the kernel for mmap and mprotect,
# rather than the protection requested by userspace.
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
# Enable support for the kernel lockdown security module.
CONFIG_SECURITY_LOCKDOWN_LSM=y
# Enable lockdown early so that if the option is present on the
# kernel command line, it can be enforced.
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
# Enable zstd compression for squashfs.
CONFIG_SQUASHFS_ZSTD=y
# Expose the running kernel's configuration at /proc/config.gz
CONFIG_IKCONFIG=y
CONFIG_IKCONFIG_PROC=y
# kernel headers at /sys/kernel/kheaders.tar.xz
CONFIG_IKHEADERS=y
# BTF debug info at /sys/kernel/btf/vmlinux
CONFIG_DEBUG_INFO_BTF=y
# We don't want to extend the kernel command line with any upstream defaults;
# Bottlerocket uses a fairly custom setup that needs tight control over it.
CONFIG_CMDLINE_EXTEND=n
# Enable ZSTD kernel image compression
CONFIG_HAVE_KERNEL_ZSTD=y
CONFIG_KERNEL_ZSTD=y
CONFIG_ZSTD_COMPRESS=y
CONFIG_ZSTD_DECOMPRESS=y
CONFIG_DECOMPRESS_ZSTD=y
# Load i8042 controller, keyboard, and mouse as modules, to avoid waiting for
# them before mounting the root device.
CONFIG_SERIO_I8042=m
CONFIG_KEYBOARD_ATKBD=m
CONFIG_MOUSE_PS2=m
# Enables support for checkpoint/restore
CONFIG_CHECKPOINT_RESTORE=y
# Enables support for LSI Logic's SAS-based RAID controllers
CONFIG_MEGARAID_SAS=y