Kernel Configuration

Use the following configuration settings as a base for an Android kernel configuration. Settings are organized into android-base and android-recommended .cfg files:

  • android-base. These options enable core Android features and should be enabled by all devices.
  • android-recommended. These options enable advanced Android features and are optional for devices.

Both the android-base.cfg and android-recommended.cfg files are located in the android-common kernel repo at https://android.googlesource.com/kernel/common/.

In version 4.8 of the upstream Linux kernel, a new location (kernel/configs) was designated for kernel configuration fragments. The android base and recommended config fragments are located in that directory for branches based on 4.8 or later. For kernel branches based on releases prior to 4.8, the config fragments are located in the android/ directory.

For details on controls already undertaken to strengthen the kernel on your devices, see System and Kernel Security. For details on required settings, see the Android Compatibility Definition Document (CDD).

Generating kernel config

For devices that have a minimalist defconfig, you can use the following to enable options:

ARCH=arch scripts/kconfig/merge_config.sh path/device_defconfig android/configs/android-base.cfg android/configs/android-recommended.cfg

This generates a .config file you can use to save a new defconfig or compile a new kernel with Android features enabled.

Enabling USB host mode options

For USB host mode audio, enable the following options:

CONFIG_SND_USB=y
CONFIG_SND_USB_AUDIO=y
# CONFIG_USB_AUDIO is for a peripheral mode (gadget) driver

For USB host mode MIDI, enable the following option:

CONFIG_SND_USB_MIDI=y

Seccomp-BPF with TSYNC

Seccomp-BPF is a kernel security technology that enables the creation of sandboxes to restrict the system calls a process is allowed to make. The TSYNC feature enables the use of Seccomp-BPF from multithreaded programs. This ability is limited to architectures that have seccomp support upstream: ARM, ARM64, x86, and x86_64.

Backporting for Kernel 3.10 for ARM-32, X86, X86_64

Ensure that CONFIG_SECCOMP_FILTER=y is enabled in the Kconfig (verified as of the Android 5.0 CTS), then cherry-pick the following changes from the AOSP kernel/common:android-3.10 repository: 9499cd23f9d05ba159fac6d55dc35a7f49f9ce76..a9ba4285aa5722a3b4d84888e78ba8adc0046b28

Backporting for Kernel 3.10 for ARM-64

Ensure CONFIG_SECCOMP_FILTER=y is enabled in the Kconfig (verified as of the Android 5.0 CTS), then cherry-pick the following changes from the AOSP kernel/common:android-3.10 repository: