Kernel Configuration

Use the following configuration settings as a base for an Android kernel configuration. Settings are organized into android-base, android-base-<arch>, and android-recommended .cfg files:

  • android-base. These options enable core Android features and should be configured as specified by all devices.
  • android-base-<arch>. These options enable core Android features and should be configured as specified by all devices of architecture <arch>. Not all architectures have a corresponding file of architecture-specific required options. If your architecture does not have a file, it does not have any additional architecture-specific kernel configuration requirements for Android.
  • android-recommended. These options enable advanced Android features and are optional for devices.

These configuration files are located in the kernel/configs repo. Use the set of configuration files that corresponds to the version of the kernel you are using.

For details on controls already undertaken to strengthen the kernel on your devices, see System and Kernel Security. For details on required settings, see the Android Compatibility Definition Document (CDD).

Generating kernel config

For devices that have a minimalist defconfig, you can use the merge_config.sh script in the kernel tree to enable options:

ARCH=<arch> scripts/kconfig/merge_config.sh <...>/device_defconfig <...>/android-base.cfg <...>/android-base-<arch>.cfg <...>/android-recommended.cfg

This generates a .config file you can use to save a new defconfig or compile a new kernel with Android features enabled.

Enabling USB host mode options

For USB host mode audio, enable the following options:

CONFIG_SND_USB=y
CONFIG_SND_USB_AUDIO=y
# CONFIG_USB_AUDIO is for a peripheral mode (gadget) driver

For USB host mode MIDI, enable the following option:

CONFIG_SND_USB_MIDI=y

Seccomp-BPF with TSYNC

Seccomp-BPF is a kernel security technology that enables the creation of sandboxes to restrict the system calls a process is allowed to make. The TSYNC feature enables the use of Seccomp-BPF from multithreaded programs. This ability is limited to architectures that have seccomp support upstream: ARM, ARM64, x86, and x86_64.

Backporting for Kernel 3.10 for ARM-32, X86, X86_64

Ensure that CONFIG_SECCOMP_FILTER=y is enabled in the Kconfig (verified as of the Android 5.0 CTS), then cherry-pick the following changes from the AOSP kernel/common:android-3.10 repository: 9499cd23f9d05ba159fac6d55dc35a7f49f9ce76..a9ba4285aa5722a3b4d84888e78ba8adc0046b28

Backporting for Kernel 3.10 for ARM-64

Ensure CONFIG_SECCOMP_FILTER=y is enabled in the Kconfig (verified as of the Android 5.0 CTS), then cherry-pick the following changes from the AOSP kernel/common:android-3.10 repository: