blob: b7c2067344918ad1a32acb50e6b36900dcee2e2a (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
|
#
# SECURITY items
#
# Ensure this option is enabled.
value CONFIG_COMPAT_BRK n
value CONFIG_DEVKMEM n
value CONFIG_LSM_MMAP_MIN_ADDR 0
value CONFIG_SECURITY y
!exists CONFIG_SECURITY_FILE_CAPABILITIES | value CONFIG_SECURITY_FILE_CAPABILITIES y
value CONFIG_SECURITY_SELINUX y
value CONFIG_SECURITY_SMACK y
value CONFIG_SECURITY_YAMA y
value CONFIG_SYN_COOKIES y
value CONFIG_DEFAULT_SECURITY_APPARMOR y
# For architectures which support this option ensure it is enabled.
(arch i386 amd64 & value CONFIG_XEN_ACPI_PROCESSOR y) | !arch i386 amd64
!exists CONFIG_SECCOMP | value CONFIG_SECCOMP y
!exists CONFIG_HAVE_ARCH_SECCOMP_FILTER | value CONFIG_SECCOMP_FILTER y
!exists CONFIG_CC_STACKPROTECTOR | value CONFIG_CC_STACKPROTECTOR y
!exists CONFIG_DEBUG_RODATA | value CONFIG_DEBUG_RODATA y
!exists CONFIG_DEBUG_SET_MODULE_RONX | value CONFIG_DEBUG_SET_MODULE_RONX y
!exists CONFIG_STRICT_DEVMEM | value CONFIG_STRICT_DEVMEM y
# For architectures which support this option ensure it is disabled.
!exists CONFIG_COMPAT_VDSO | value CONFIG_COMPAT_VDSO n
!exists CONFIG_ACPI_CUSTOM_METHOD | value CONFIG_ACPI_CUSTOM_METHOD n
# Default to 32768 on ARM, 65536 for everything else.
(arch armel armhf & value CONFIG_DEFAULT_MMAP_MIN_ADDR 32768) | \
(!arch armel armhf & value CONFIG_DEFAULT_MMAP_MIN_ADDR 65536)
# CONFIG_USB_DEVICE_FS breaks udev USB firmware loading and is deprecated
# ensure it is disabled.
value CONFIG_USB_DEVICEFS n
# upstart requires DEVTMPFS be enabled and mounted by default.
value CONFIG_DEVTMPFS y
value CONFIG_DEVTMPFS_MOUNT y
# some /dev nodes require POSIX ACLs, like /dev/dsp
value CONFIG_TMPFS_POSIX_ACL y
# Ramdisk size should be a minimum of 64M
value CONFIG_BLK_DEV_RAM_SIZE 65536
# LVM requires dm_mod built in to activate correctly (LP: #560717)
value CONFIG_BLK_DEV_DM y
# sysfs: ensure all DEPRECATED items are off
!exists CONFIG_SYSFS_DEPRECATED_V2 | value CONFIG_SYSFS_DEPRECATED_V2 n
!exists CONFIG_SYSFS_DEPRECATED | value CONFIG_SYSFS_DEPRECATED n
# automatically add local version will cause packaging failure
value CONFIG_LOCALVERSION_AUTO n
# provide framebuffer console form the start
# UbuntuSpec:foundations-m-grub2-boot-framebuffer
value CONFIG_FRAMEBUFFER_CONSOLE y
# GRUB changes will rely on built in vesafb on x86,
# UbuntuSpec:foundations-m-grub2-boot-framebuffer
#(( arch i386 | arch amd64 ) & value CONFIG_FB_VESA y) | \
# value CONFIG_FB_VESA m | !exists CONFIG_FB_VESA
value CONFIG_FB_VESA m | !exists CONFIG_FB_VESA
# Build in uinput module so that it's always available (LP: 584812)
value CONFIG_INPUT_UINPUT y
# upstart relies on getting all of the kernel arguments
value CONFIG_INIT_PASS_ALL_PARAMS y
# Enabling CONFIG_IMA is vastly expensive, ensure it is off
value CONFIG_IMA n
# Ensure CONFIG_IPV6 is y, if this is a module we get a module load for
# every ipv6 packet, bad.
value CONFIG_IPV6 y
# Ensure ECRYPT_FS is y as it cannot be autoloaded and it has complex
# dependancies which can pull it =m at a whim.
value CONFIG_ECRYPT_FS y
# Ensure CONFIG_EFI_VARS is y as debian-installer relies on having
# access to efivars when installing in EFI mode. See LP:837332
value CONFIG_EFI_VARS y | !exists CONFIG_EFI_VARS
# Ensure CONFIG_FAT_FS is y for arm, needed to ensure we able to replace
# a kernel with the same version.
(arch armel armhf & value CONFIG_FAT_FS y) | \
(!arch armel armhf & value CONFIG_FAT_FS m)
# Ensure CONFIG_GPIO_TWL4030 is y for arm, LP:921934
(arch armel armhf & value CONFIG_GPIO_TWL4030 y) | \
(!arch armel armhf & (value CONFIG_GPIO_TWL4030 m | !exists CONFIG_GPIO_TWL4030))
# Ensure CONFIG_THERM_ADT746X is y for powerpc and powerpc-smp flavours.
# See LP:923094
!exists CONFIG_THERM_ADT746X | \
(flavour powerpc powerpc-smp & value CONFIG_THERM_ADT746X y)
# Ensure CONFIG_NVRAM is y for powerpc and powerpc-smp, LP:942193
(flavour powerpc powerpc-smp & value CONFIG_NVRAM y) | \
(value CONFIG_NVRAM m | !exists CONFIG_NVRAM)
# Ensure CONFIG_STUB_POULSBO is disabled if CONFIG_DRM_PSB is enabled
# See LP:899244
(!exists CONFIG_DRM_PSB | value CONFIG_DRM_PSB n) | \
((value CONFIG_DRM_PSB y | value CONFIG_DRM_PSB m) & (value CONFIG_STUB_POULSBO n | !exists CONFIG_STUB_POULSBO))
# Ensure CONFIG_B43_BCMA_EXTRA is disabled if CONFIG_BRCMSMAC is enabled.
# Otherwise b43 and brcmsmac will overlap in the hardware they claim to
# support.
(!exists CONFIG_BRCMSMAC | value CONFIG_BRCMSMAC n) | \
((value CONFIG_BRCMSMAC y | value CONFIG_BRCMSMAC m) & (value CONFIG_B43_BCMA_EXTRA n | !exists CONFIG_B43_BCMA_EXTRA))
# CONFIG_AUDIT_LOGINUID_IMMUTABLE is not compatible with upstart
value CONFIG_AUDIT_LOGINUID_IMMUTABLE n
|
