Set up Design Secure Develop Configure リファレンス
コードを表示
概要 Architecture Compatibility Display Settings Tests

Kernel Configuration

Use the following configuration settings as a base for an Android kernel configuration. Settings are organized into android-base, android-base-ARCH, and android-recommended .cfg files:

  • android-base. These options enable core Android features and should be configured as specified by all devices.
  • android-base-ARCH. These options enable core Android features and should be configured as specified by all devices of architecture ARCH. Not all architectures have a corresponding file of architecture-specific required options. If your architecture does not have a file, it does not have additional architecture-specific kernel configuration requirements for Android.
  • android-recommended. These options enable advanced Android features and are optional for devices.

These configuration files are located in the kernel/configs repo. Use the set of configuration files that corresponds to the version of the kernel you are using.

For details on controls already undertaken to strengthen the kernel on your devices, see System and Kernel Security. For details on required settings, see the Android Compatibility Definition Document (CDD).

Generating kernel config

For devices that have a minimalist defconfig, use the merge_config.sh script in the kernel tree to enable options: 

ARCH=ARCH scripts/kconfig/merge_config.sh <...>/device_defconfig <...>/android-base.cfg <...>/android-base-ARCH.cfg <...>/android-recommended.cfg

This generates a .config file you can use to save a new defconfig or compile a new kernel with Android features enabled.

Additional kernel config requirements

In some cases, the platform maintainer can choose from multiple kernel features to satisfy an Android dependency. Such dependencies cannot be expressed in the kernel config fragment files (described above) because the format for those files does not support logical expressions. In Android 9, Compatibility Test Suite (CTS) and Vendor Test Suite (VTS) verify the following requirements are satisfied:

  • CONFIG_OF=y or CONFIG_ACPI=y
  • 4.4 and 4.9 kernels have CONFIG_ANDROID_LOW_MEMORY_KILLER=y OR have both CONFIG_MEMCG=y and CONFIG_MEMCG_SWAP=y
  • CONFIG_DEBUG_RODATA=y or CONFIG_STRICT_KERNEL_RWX=y
  • CONFIG_DEBUG_SET_MODULE_RONX=y or CONFIG_STRICT_MODULE_RWX=y
  • For ARM64 only: CONFIG_ARM64_SW_TTBR0_PAN=y or CONFIG_ARM64_PAN=y

In addition, the CONFIG_INET_UDP_DIAG option must be set to y for 4.9 kernels in Android 9.

Enabling USB host mode options

For USB host mode audio, enable the following options: 

CONFIG_SND_USB=y
CONFIG_SND_USB_AUDIO=y
# CONFIG_USB_AUDIO is for a peripheral mode (gadget) driver

For USB host mode MIDI, enable the following option: 

CONFIG_SND_USB_MIDI=y

Seccomp-BPF with TSYNC

Seccomp-BPF is a kernel security technology that enables the creation of sandboxes to restrict the system calls a process is allowed to make. The TSYNC feature enables the use of Seccomp-BPF from multithreaded programs. This ability is limited to architectures that have seccomp support upstream (ARM, ARM64, x86, and x86_64).

Backporting for kernel 3.10 for ARM-32, X86, X86_64

Ensure CONFIG_SECCOMP_FILTER=y is enabled in the Kconfig (verified as of the Android 5.0 CTS), then cherry-pick the following changes from the AOSP kernel/common:android-3.10 repository:

Backporting for Kernel 3.10 for ARM-64

Ensure CONFIG_SECCOMP_FILTER=y is enabled in the Kconfig (verified as of the Android 5.0 CTS), then cherry-pick the following changes from the AOSP kernel/common:android-3.10 repository: