Lockdown is a useful and needed thing; thanks to consta@ for ideas about it.
Other LSMs may also be useful (nowadays multiple LSMs can be enabled, so enable as many as possible so that users could use them).
Answered with default values to most questions.
Reporting of granted accesses (CONFIG_SECURITY_SMACK_BRINGUP) and packet marking (CONFIG_SECURITY_SMACK_NETFILTER) in SMACK were enabled
for debugging and because they may be potentially useful. We do not plan to use SMACK by default for now.
CONFIG_SYSFB_SIMPLEFB and CONFIG_FB_SIMPLEDRM are mutually exclusive (since kernel 5.15);
CONFIG_SYSFB_SIMPLEFB was disabled, but CONFIG_FB_SIMPLEDRM was not enabled instead of it.
Enable CONFIG_FB_SIMPLEDRM as an old, less experimental solution.
(See also: https://wiki.gentoo.org/wiki/NVIDIA/nvidia-drivers -> enable simple framebuffer)
CONFIG_FB_SIMPLE was Y, but let's try to build it as a module (M).
We should try to reduce the size of vmlinuz for better support of PXE etc.
CONFIG_BLK_DEV_NULL_BLK can be N/Y and cannot be M. It is needed for tests, not for production, so it is disabled.
Other changes were generated automatically.
Information about config values was taken from:
From 804820df7bcb3d53a33ecd074b1eac277e938f24 Mon Sep 17 00:00:00 2001
From: Alexey Sheplyakov <asheplyakov@altlinux.org>
Date: Thu, 4 Feb 2021 19:35:14 +0400
Subject: [PATCH] config-aarch64: adjusted for Baikal-M (MBM1.0 board)
* DW_APB_TIMER=y, DW_APB_TIMER_OF=y: SoC clocks
* SERIAL_8250_DW=y: serial console
* I2C_DESIGNWARE_CORE=y, I2C_DESIGNWARE_PLATFORM=y: BMC (board
management controller) and RTC (Real Time Clock) are connected
via I2C.
* GPIO_DWAPB=y: device (PCIe, PHY, etc) reset/configuration
* RTC_DRV_PCF2127=y: RTC compiled in so the kernel automatically
sets the system time from the hardware clock
* TP_BMC=y: amongst other things handles the power button
* DRM_BAIKAL_VDU=m, DRM_BAIKAL_HDMI=m: video unit and HDMI transmitter
* CMA_SIZE_MBYTES=256: video display unit and GPU use system RAM, hence
CMA should reserve enough (contiguous) memory.
Note: CMA reserves memory during very early init, hence the size
has to be hard-coded into CONFIG
* MALI_MIDGARD=m: GPU driver, kernel side of proprietary mali blob.
Note: kernel mode code is GPLv2, so it's fine to distribute it.
* SENSORS_BT1_PVT=m: hardware temperature/voltage sensors
* PCI_BAIKAL=m: PCIe root complex. Compiled as a module since it takes
ages (60 seconds or so) to probe the hardware. If compiled in, it
substantially increases the boot time, and the machine is completely
unresponsive while probing PCIe. When built as a module, probing
executes concurrently with other boot activities (unless booting
from a PCIe device)
* STMMAC_ETH=m, STMMAC_PLATFORM=m, DWMAC_BAIKAL=m: Ethernet driver
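The checker below is an added example, not part of this changelog or of the distribution's build scripts. It parses a kernel `.config` and reports the states discussed at the top of this changelog: Lockdown built in but missing from the `CONFIG_LSM` initialisation order (an LSM left off that list is ignored unless `lsm=` selects it at boot), other LSMs built but not listed, and the debug-only `CONFIG_SECURITY_SMACK_BRINGUP` and `CONFIG_BLK_DEV_NULL_BLK` left enabled. The weak and fixed config fragments are constructed samples in the real `.config` syntax; the symbol-to-LSM-name table and the list of debug-only options are assumptions of the example and can be extended.

```python
"""Lint a Linux kernel .config for the Lockdown/LSM and debug-only settings
discussed above.  Added example; not the distribution's own tooling."""
import gzip
import re
import sys
from typing import Dict, List

# Constructed sample in real .config syntax.  "lockdown" is missing from
# CONFIG_LSM and two debug-only options are still switched on.
WEAK_CONFIG = """\
#
# Automatically generated file; DO NOT EDIT.
#
CONFIG_SECURITY=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_LSM="landlock,yama,integrity,selinux,smack,tomoyo,apparmor,bpf"
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SMACK=y
CONFIG_SECURITY_SMACK_BRINGUP=y
CONFIG_SECURITY_SMACK_NETFILTER=y
CONFIG_SECURITY_YAMA=y
# CONFIG_PREEMPT is not set
CONFIG_PREEMPT_VOLUNTARY=y
CONFIG_ZSWAP_DEFAULT_ON=y
CONFIG_CMA_SIZE_MBYTES=256
CONFIG_DEFAULT_HOSTNAME="(none)"
CONFIG_BLK_DEV_NULL_BLK=y
"""

# The same fragment with the three problems corrected.
FIXED_CONFIG = (
    WEAK_CONFIG.replace('CONFIG_LSM="landlock,', 'CONFIG_LSM="landlock,lockdown,')
    .replace("CONFIG_SECURITY_SMACK_BRINGUP=y", "# CONFIG_SECURITY_SMACK_BRINGUP is not set")
    .replace("CONFIG_BLK_DEV_NULL_BLK=y", "# CONFIG_BLK_DEV_NULL_BLK is not set")
)

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

# Kconfig symbol -> name used in CONFIG_LSM.  Assumed list for this example;
# "capability" is always initialised first and needs no entry.
LSM_SYMBOLS = {
    "CONFIG_SECURITY_LOCKDOWN_LSM": "lockdown",
    "CONFIG_SECURITY_SELINUX": "selinux",
    "CONFIG_SECURITY_SMACK": "smack",
    "CONFIG_SECURITY_TOMOYO": "tomoyo",
    "CONFIG_SECURITY_APPARMOR": "apparmor",
    "CONFIG_SECURITY_YAMA": "yama",
    "CONFIG_SECURITY_LANDLOCK": "landlock",
    "CONFIG_BPF_LSM": "bpf",
}

# Options the changelog treats as debug-only, with the reason to flag them.
DEBUG_ONLY = {
    "CONFIG_SECURITY_SMACK_BRINGUP": "Smack bring-up mode is a debugging aid",
    "CONFIG_BLK_DEV_NULL_BLK": "null_blk is a test driver and, being bool, cannot be left as a module",
}

def parse_config(text: str) -> Dict[str, str]:
    """Map symbol -> value: 'y'/'m' for tristates, 'n' for an explicit
    '# CONFIG_X is not set' line, unquoted text for strings, raw text for
    int/hex.  Symbols not mentioned at all are simply absent."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET.match(line)
        if m:
            sym, val = m.group(1), m.group(2)
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = re.sub(r"\\(.)", r"\1", val[1:-1])  # drop quotes, unescape
            cfg[sym] = val
            continue
        m = _UNSET.match(line)
        if m:
            cfg[m.group(1)] = "n"
    return cfg

def lsm_order(cfg: Dict[str, str]) -> List[str]:
    """CONFIG_LSM is the comma-separated list of LSMs to initialise, in order;
    LSMs left off it are ignored unless lsm= on the kernel command line selects them."""
    return [name for name in cfg.get("CONFIG_LSM", "").split(",") if name]

def check_config(cfg: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    findings: List[str] = []
    if cfg.get("CONFIG_SECURITY") != "y":
        return ["CONFIG_SECURITY is off: no LSM infrastructure at all"]
    order = lsm_order(cfg)
    if cfg.get("CONFIG_SECURITY_LOCKDOWN_LSM") != "y":
        findings.append("CONFIG_SECURITY_LOCKDOWN_LSM is not built in: kernel lockdown unavailable")
    for sym, name in LSM_SYMBOLS.items():
        if cfg.get(sym) == "y" and name not in order:
            findings.append(f"{name} is built ({sym}=y) but absent from CONFIG_LSM, so it is ignored by default")
    for sym, why in DEBUG_ONLY.items():
        if cfg.get(sym) in ("y", "m"):
            findings.append(f"{sym}={cfg[sym]} in a production config: {why}")
    return findings

def load_config(path: str) -> Dict[str, str]:
    """Read a plain .config or a gzipped one such as /proc/config.gz."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return parse_config(fh.read())

if __name__ == "__main__":
    cfg = load_config(sys.argv[1]) if len(sys.argv) > 1 else parse_config(WEAK_CONFIG)
    for finding in check_config(cfg):
        print("WARN:", finding)
```

Run it as `python3 check_config.py /boot/config-$(uname -r)` or against `/proc/config.gz`; with no argument it lints the constructed weak sample and prints three warnings, while the fixed sample passes cleanly.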
Change PREEMPT to PREEMPT_VOLUNTARY: it is a middle-ground level of interactivity that should be OK for both servers and desktops; Void Linux and Ubuntu use it. The previous value was too much preemption.
* disable Atom ISP as recommended by RussianNeuroMancer because it does not make cameras work on x86 Intel-based tablets where cameras are connected on the i2c bus, but makes the camera consume power without working
* enable zswap by default and use the default allocator, as in Arch Linux, where zswap is enabled by default
https://wiki.archlinux.org/index.php/Zswap
* tune the values of the sysctls from the le9 patch so that it has at least some effect on typical desktop and server systems, but avoid a too aggressive OOM killer on systems with 2 GB of RAM or less, where the OOM killer kills too many processes
See discussion and my comments in the thread https://www.linux.org.ru/news/kernel/16052362
* remove the unused variant of the patch, which did not have any effect
Update existing x86 configs manually
Make an arm64 config based on them instead of the old one, which was temporarily copy-pasted from ALT Linux
In most cases I answered the prompts of `make ARCH=xxx defconfig` like this:
N/y -> Y
N/m(/y) -> M
Y/n(/m) -> Y
M/n(/y) -> M
But I did not enable odd debug options.
Probably too much hardware is enabled on arm64.
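The script below is an added example, not part of this changelog or of the distribution's tooling. It applies the answering rule stated above mechanically: it parses the bool/tristate prompt lines that `scripts/kconfig/conf` prints (`<text> (<SYMBOL>) [<choices>] (NEW)`, where the capitalised choice is the default), maps N/y to y, N/m(/y) to m, Y/n(/m) to y and M/n(/y) to m, and emits a config fragment. The "odd debug" exception is interpreted here as an assumption: symbols whose name contains `DEBUG` keep the kernel's default. The prompt lines are constructed samples with paraphrased prompt texts.

```python
"""Turn `make oldconfig` prompts for new symbols into a config fragment,
applying the answering rule stated above.  Added example; not part of the
distribution's tooling."""
import re
import sys
from typing import List, Optional, Tuple

# Bool/tristate prompt as printed by scripts/kconfig/conf:
#   <text> (<SYMBOL>) [<choices>] (NEW)
# The capitalised entry among <choices> is the current default.
_PROMPT = re.compile(
    r"^(?P<text>.*?) \((?P<sym>[A-Z0-9_]+)\) \[(?P<choices>[NnMmYy/?]+)\]( \(NEW\))?$"
)

# Assumption for "did not enable odd debug": symbols carrying one of these
# markers keep the kernel's default instead of being switched on.
DEBUG_MARKERS = ("DEBUG",)

# Constructed prompt lines in the format conf prints (prompt texts paraphrased).
SAMPLE_PROMPTS = [
    "Kernel lockdown (SECURITY_LOCKDOWN_LSM) [N/y/?] (NEW)",
    "Baikal PCIe host controller (PCI_BAIKAL) [N/m/y/?] (NEW)",
    "STMMAC Ethernet driver (STMMAC_ETH) [M/n/y/?]",
    "Compressed cache for swap pages (ZSWAP) [Y/n/?]",
    "Kernel debugging (DEBUG_KERNEL) [N/y/?] (NEW)",
    "Default hostname (DEFAULT_HOSTNAME) [(none)] (NEW)",
]

def parse_prompt(line: str) -> Optional[Tuple[str, str, List[str]]]:
    """Return (symbol, default, offered choices) for a bool/tristate prompt,
    or None for int/hex/string prompts, which keep their defaults."""
    m = _PROMPT.match(line.strip())
    if not m:
        return None
    choices = [c for c in m.group("choices").split("/") if c != "?"]
    default = next((c for c in choices if c.isupper()), choices[0]).lower()
    return m.group("sym"), default, [c.lower() for c in choices]

def answer(sym: str, default: str, choices: List[str]) -> str:
    """N/y -> y, N/m(/y) -> m, Y/n(/m) -> y, M/n(/y) -> m; debug symbols keep the default."""
    if any(mark in sym for mark in DEBUG_MARKERS):
        return default
    if default == "n":
        return "m" if "m" in choices else "y"
    return default  # an option already at y or m is left where it is

def fragment(prompt_lines: List[str]) -> str:
    """Build a Kconfig fragment (CONFIG_X=y / =m / 'is not set') from prompts;
    lines that are not bool/tristate prompts are skipped."""
    out = []
    for line in prompt_lines:
        parsed = parse_prompt(line)
        if parsed is None:
            continue
        sym, default, choices = parsed
        value = answer(sym, default, choices)
        out.append(f"CONFIG_{sym}={value}" if value != "n" else f"# CONFIG_{sym} is not set")
    return ("\n".join(out) + "\n") if out else ""

if __name__ == "__main__":
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_PROMPTS
    sys.stdout.write(fragment(lines))
```

Typical use: collect the prompts for new symbols with `yes "" | make ARCH=arm64 oldconfig | grep '(NEW)'`, pipe them into the script to get a fragment, and merge it with `scripts/kconfig/merge_config.sh -m .config fragment`; exceptions to the rule, such as CONFIG_BLK_DEV_NULL_BLK above, are then edited by hand.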