Kernel Configuration

Use the following configuration settings as a base for an Android kernel configuration. Settings are organized into android-base, android-base-<arch>, and android-recommended .cfg files:

• android-base. These options enable core Android features and should be configured as specified by all devices.
• android-base-<arch>. These options enable core Android features and should be configured as specified by all devices of architecture <arch>. Not all architectures have a corresponding file of architecture-specific required options. If your architecture does not have a file, it does not have any additional architecture-specific kernel configuration requirements for Android.
• android-recommended. These options enable advanced Android features and are optional for devices.

These configuration files are located in the kernel/configs repo. Use the set of configuration files that corresponds to the version of the kernel you are using.

For details on controls already undertaken to strengthen the kernel on your devices, see System and Kernel Security. For details on required settings, see the Android Compatibility Definition Document (CDD).

Generating kernel config

For devices that have a minimalist defconfig, you can use the merge_config.sh script in the kernel tree to enable options:

ARCH=<arch> scripts/kconfig/merge_config.sh <...>/device_defconfig <...>/android-base.cfg <...>/android-base-<arch>.cfg <...>/android-recommended.cfg

This generates a .config file you can use to save a new defconfig or compile a new kernel with Android features enabled.

Enabling USB host mode options

For USB host mode audio, enable the following options:

CONFIG_SND_USB=y
CONFIG_SND_USB_AUDIO=y
# CONFIG_USB_AUDIO is for a peripheral mode (gadget) driver

For USB host mode MIDI, enable the following option:

CONFIG_SND_USB_MIDI=y

Seccomp-BPF with TSYNC

Seccomp-BPF is a kernel security technology that enables the creation of sandboxes to restrict the system calls a process is allowed to make. The TSYNC feature enables the use of Seccomp-BPF from multithreaded programs. This ability is limited to architectures that have seccomp support upstream: ARM, ARM64, x86, and x86_64.

Backporting for Kernel 3.10 for ARM-32, X86, X86_64

Ensure that CONFIG_SECCOMP_FILTER=y is enabled in the Kconfig (verified as of the Android 5.0 CTS), then cherry-pick the following changes from the AOSP kernel/common:android-3.10 repository: 9499cd23f9d05ba159fac6d55dc35a7f49f9ce76..a9ba4285aa5722a3b4d84888e78ba8adc0046b28

• a03 a242 arch: Introduce smp_load_acquire(), smp_store_release() by Peter Zijlstra
• 987a0f 1 introduce for_each_thread() to replace the buggy while_each_thread() by Oleg Nesterov
• 2a30a43 seccomp: create internal mode-setting function by Kees Cook
• b8a9cff seccomp: extract check/assign mode helpers by Kees Cook
• 8908dde seccomp: split mode setting routines by Kees Cook
• e985fd4 seccomp: add "seccomp" syscall by Kees Cook
• 9d0ff69 sched: move no_new_privs into new atomic flags by Kees Cook
• b6a12bf seccomp: split filter prep from check and apply by Kees Cook
• 61b6b88 seccomp: introduce writer locking by Kees Cook
• c852ef7 seccomp: allow mode setting across threads by Kees Cook
• f14a5db seccomp: implement SECCOMP_FILTER_FLAG_TSYNC by Kees Cook
• 9ac8600 seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock by Guenter Roeck
• 900e9fd seccomp: fix syscall numbers for x86 and x86_64 by Lee Campbell
• a9ba428 ARM: add seccomp syscall by Kees Cook

Backporting for Kernel 3.10 for ARM-64

Ensure CONFIG_SECCOMP_FILTER=y is enabled in the Kconfig (verified as of the Android 5.0 CTS), then cherry-pick the following changes from the AOSP kernel/common:android-3.10 repository:

• cfc7e99e9 arm64: Add __NR_* definitions for compat syscalls by JP Abgrall
• bf11863 arm64: Add audit support by AKASHI Takahiro
• 3e21c0b arm64: audit: Add audit hook in syscall_trace_enter/exit() by JP Abgrall
• 9499cd2 syscall_get_arch: remove useless function arguments by Eric Paris
• 2a30a43 seccomp: create internal mode-setting function by Kees Cook
• b8a9 cff seccomp: extract check/assign mode helpers by Kees Cook
• 8908dde seccomp: split mode setting routines by Kees Cook
• e985fd4 seccomp: add "seccomp" syscall by Kees Cook
• 9d0ff69 sched: move no_new_privs into new atomic flags by Kees Cook
• b6a12bf seccomp: split filter prep from check and apply by Kees Cook
• 61b6b88 seccomp: introduce writer locking by Kees Cook
• c852ef7 seccomp: allow mode setting across threads by Kees Cook
• f14a5db seccomp: implement SECCOMP_FILTER_FLAG_TSYNC by Kees Cook
• 9ac8600 seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock by Guenter Roeck
• 900e9fd seccomp: fix syscall numbers for x86 and x86_64 by Lee Campbell
• a9ba428 ARM: add seccomp syscall by Kees Cook
• 4190090 ARM: 8087/1: ptrace: reload syscall number after secure_computing() check by Will Deacon
• abbfed9 arm64: ptrace: add PTRACE_SET_SYSCALL by AKASHI Takahiro
• feb2843 arm64: ptrace: allow tracer to skip a system call by AKASHI Takahiro
• dab1073 asm-generic: add generic seccomp.h for secure computing mode 1 by AKASHI Takahiro
• 4f1 2b53 add seccomp syscall for compat task by AKASHI Takahiro
• 7722723 arm64: add SIGSYS siginfo for compat task by AKASHI Takahiro
• 210957c arm64: add seccomp support by AKASHI Takahiro