Kernel Configuration

This aims to be a guide for configuring a Linux kernel for a modern x86_64 machine containing hardware commonly found in laptops, desktops, and other consumer computers. Note, this guide will sway more minimally, meaning some features that are not strictly required will not be enabled. All features will be built directly into kernel, no modules. This article will not attempt to cover all possible configuration options, as it omits entire sections that are not relevant on such systems, as well as some hardware-specific configuration. Please also refer to the kernel's help text for further information on respective options. I'm not a kernel developer and comments here are not guaranteed to be functionally accurate. If you feel anything mentioned is wrong or should be switched around, reach out. This article assumes some prior knowledge of your system (eg. lspci, lscpu, lsusb, dmidecode, /proc/devices, etc.) and general kernel configuration/installation, such as obtaining sources, generating and maintaining .config, methods of configuration, compilation, and installation. Throughout, the following acronyms will be used:

General setup

Compile also drivers which will not load (CONFIG_COMPILE_TEST): N, DEV
Compile the kernel with warnings as errors (CONFIG_WERROR): Y, STD
Local version - append to kernel release (CONFIG_LOCALVERSION): empty, useful for git bisect
Automatically append version information (CONFIG_LOCALVERSION_AUTO): N, DEV
Build ID Salt (CONFIG_BUILD_SALT): empty, SEC
Kernel compression mode: ZSTD or Gzip for compatibility
Default init path (CONFIG_DEFAULT_INIT): empty, EMB
Default hostname (CONFIG_DEFAULT_HOSTNAME): empty, entre your machine's name if you'd like
System V IPC (CONFIG_SYSVIPC): Y, STD
POSIX Message Queues (CONFIG_POSIX_MQUEUE): N, not strictly necessary
General notification queue (CONFIG_WATCH_QUEUE): N, not strictly necessary
Enable process_vm_readv/writev syscalls (CONFIG_CROSS_MEMORY_ATTACH): N, not strictly necessary
uselib syscall (CONFIG_USELIB): N, OLD
Auditing support (CONFIG_AUDIT): N, not strictly necessary
Timers subsystem
- Timer tick handling: Idle dynticks system (tickless idle)
- Old Idle dynticks config (CONFIG_NO_HZ): N, OLD
- High Resolution Timer Support (CONFIG_HIGH_RES_TIMERS): Y, STD
- Clocksource watchdog maximum allowable skew (CONFIG_CLOCKSOURCE_WATCHDOG_MAX_SKEW_US): 100
BPF subsystem
- Enable bpf() system call (CONFIG_BPF_SYSCALL): N, not necessary if you do not have any programs that utilise
Preemption Model: Preemptible Kernel (Low-Latency Desktop)
Preemption behaviour defined on boot (CONFIG_PREEMPT_DYNAMIC): N
Core Scheduling for SMT (CONFIG_SCHED_CORE): Y, STD
CPU/Task time and stats accounting
- Cputime accounting: Simple tick based cputime accounting
- Fine granularity task level IRQ time accounting (CONFIG_IRQ_TIME_ACCOUNTING): N, DEV
- BSD Process Accounting (CONFIG_BSD_PROCESS_ACCT): N
- Export task/process statistics through netlink (CONFIG_TASKSTATS): N
- Pressure stall information tracking (CONFIG_PSI): N
CPU isolation (CONFIG_CPU_ISOLATION): N, EMB
RCU subsystem
- Make expert-level adjustments to RCU configuration (CONFIG_RCU_EXPERT): N, DEV
Kernel .config support (CONFIG_IKCONFIG): Y, STD
Enable access to .config through /proc/config.gz (CONFIG_IKCONFIG_PROC): Y, STD
Enable kernel headers through /sys/kernel/kheaders.tar.xz (CONFIG_IKHEADERS): N
Kernel log buffer size (CONFIG_LOG_BUF_SHIFT): 18
CPU kernel log buffer size contribution (CONFIG_LOG_CPU_MAX_BUF_SHIFT): 12
Scheduler features
- Enable utilization clamping for RT/FAIR tasks (CONFIG_UCLAMP_TASK): N, DEV
Control Group support (CONFIG_CGROUPS): Y, STD
- Favor dynamic modification latency reduction (CONFIG_CGROUP_FAVOR_DYNMODS): N
- Memory controller (CONFIG_MEMCG): Y, STD
- IO controller (CONFIG_BLK_CGROUP): Y, STD
- CPU controller (CONFIG_CGROUP_SCHED): Y, STD
  - Group scheduling for SCHED_OTHER (FAIR_GROUP_SCHED): Y, STD
  - CPU bandwidth provisioning for FAIR_GROUP_SCHED (CONFIG_CFS_BANDWIDTH): N
  - Group scheduling for SCHED_RR/FIFO (CONFIG_RT_GROUP_SCHED): N
- PIDs controller (CONFIG_CGROUP_PIDS): N
- RDMA controller (CONFIG_CGROUP_RDMA): N
- Freezer controller (CONFIG_CGROUP_FREEZER): N
- Cpuset controller (CONFIG_CPUSETS): N, only useful on NUMA machine
- Device Controller (CONFIG_CGROUP_DEVICE): N
- Simple CPU accounting controller (CONFIG_CGROUP_CPUACCT): Y, STD
- Perf controller (CONFIG_CGROUP_PERF): N
- Misc resource controller (CONFIG_CGROUP_MISC): Y
- Debug controller (CONFIG_CGROUP_DEBUG): N, DEV
Namespaces support (CONFIG_NAMESPACES): Y, STD, used heavily by web browsers
- UTS namespace (CONFIG_UTS_NS): Y
- TIME namespace (CONFIG_TIME_NS): Y
- IPC namespace (CONFIG_IPC_NS): Y
- User namespace (CONFIG_USER_NS): Y
- PID Namespaces (CONFIG_PID_NS): Y
- Network namespace (CONFIG_NET_NS): Y
Checkpoint/restore support (CONFIG_CHECKPOINT_RESTORE): N, VIRT
Automatic process group scheduling (CONFIG_SCHED_AUTOGROUP): N, OLD, Systemd/OpenRC handle this
Kernel -> userspace relay support (CONFIG_RELAY): Y, STD
Initial RAM filesystem and RAM disk (CONFIG_BLK_DEV_INITRD): N, not strictly necessary
Boot config support (CONFIG_BOOT_CONFIG): N, EMB
Preserve cpio archive mtimes in initramfs (CONFIG_INITRAMFS_PRESERVE_MTIME): N, without initramfs...
Compiler optimization level: Optimize for performance (-O2)
Configure standard kernel features (CONFIG_EXPERT): N, DEV/EMB, mostly syscalls
Enable kcmp() system call (CONFIG_KCMP): Y
Enable rseq() system call (CONFIG_RSEQ): Y
Enable cachestat() system call (CONFIG_CACHESTAT_SYSCALL): Y
Enabled debugging of rseq() system call (CONFIG_DEBUG_RSEQ): N, DEV
PC/104 support (CONFIG_PC104): N, EMB
Kernel Performance Events and Counters
- Kernel Performance events and counters (CONFIG_PERF_EVENTS): Y, STD
- Debug: use vmalloc to back perf mmap() buffers (CONFIG_DEBUG_PERF_USE_VMALLOC): N, DEV
Profiling support (CONFIG_PROFILING): N, DEV
Kexec and crash features: None

Processor type and features

Symmetric multi-processing support (CONFIG_SMP): Y, STD, all modern CPUs are multi-core
Enable MPS table (CONFIG_X86_MPARSE): N, OLD
x86 CPU resource control support (CONFIG_X86_CPU_RESCTRL): N, VIRT
Support for extended (non-PC) x86 platforms (CONFIG_X86_EXTENDED_PLATFORM): N, EMB
Intel Low Power Subsystem Support (CONFIG_X86_INTEL_LPSS): Y, if you have Haswell and later CPU
AMD ACPI2Platform devices support (CONFIG_X86_AMD_PLATFORM_DEVICE): N
Intel SoC IOSF Sideband support (CONFIG_IOSF_MBI): Y, STD
Single-depth WCHAN output (CONFIG_SCHED_OMIT_FRAME_POINTER): Y, STD
Linux guest support (CONFIG_HYPERVISOR_GUEST): N, VIRT
Processor family: Core 2/newer Xeon (or Generic-x86-64 if unsure)
Supported processor vendors (CONFIG_PROCESSOR_SELECT): N, EMB
Enable DMI scanning (CONFIG_DMI): Y, STD
Old AMD GART IOMMU support (CONFIG_GART_IOMMU): N, OLD
Enable Maximum number of SMP Processors and NUMA Nodes (CONFIG_MAXSMP): N, DEV
Maximum number of CPUs (CONFIG_NR_CPUS): sockets * cores * threads
Cluster scheduler support (CONFIG_SCHED_CLUSTER): Y, STD
Multi-core scheduler support (CONFIG_SCHED_MC): Y, STD
CPU core priorities scheduler support (CONFIG_SCHED_MC_PRIO): Y, STD
Reroute for broken boot IRQs (CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS): N, OLD
Machine Check / overheating reporting (CONFIG_X86_MCE): Y, STD
Support for deprecated /dev/mcelog character device (CONFIG_X86_MCELOG_LEGACY): N, OLD
Intel/AMD MCE features (CONFIG_X86_MCE_INTEL/AMD): Y, STD, choose based on your processor
Performance monitoring
- Intel uncore performance events (CONFIG_PERF_EVENTS_INTEL_UNCORE): Y, STD, for Intel
- Intel/AMD rapl performance events (CONFIG_PERF_EVENTS_INTEL_RAPL): Y, STD
- Intel cstate performance events (CONFIG_PERF_EVENTS_INTEL_CSTATE): Y, STD, for Intel
- AMD Processor Power Reporting Mechanism (CONFIG_PERF_EVENTS_AMD_POWER): Y, STD, for AMD
- AMD Uncore performance events (CONFIG_PERF_EVENTS_AMD_POWER): Y, STD, for AMD
Enable vsyscall emulation (CONFIG_X86_VSYSCALL_EMULATION): N
IOPERM and IOPL Emulation (CONFIG_X86_IOPL_IOPERM): N, SEC, not strictly necessary
Late microcode loading (CONFIG_MICROCODE_LATE_LOADING): N
/dev/cpu/*/msr - Model-specific register support (CONFIG_X86_MSR): Y, STD
/dev/cpu/*/cpuid - CPU information support (CONFIG_X86_CPUID): Y, STD
Enable 5-level page tables support (CONFIG_X86_5LEVEL): N, for machines with large (TBs) amounts of memory
AMD Secure Memory Encryption (SME) support (CONFIG_AMD_MEM_ENCRYPT): Y, for AMD
NUMA Memory Allocation and Scheduler Support (CONFIG_NUMA): N, unless you have multi socket CPU
Check for low memory corruption (CONFIG_X86_CHECK_BIOS_CORRUPTION): N
MTRR (Memory Type Range Register) support (CONFIG_MTRR): Y, STD
MTRR cleanup support (CONFIG_MTRR_SANITIZER): Y, STD
MTRR cleanup enable value (0-1) (CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT): 1, for true
MTRR cleanup spare reg num (0-7) (CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT): 1
x86 PAT support (CONFIG_X86_PAT): Y, STD
User Mode Instruction Prevention (CONFIG_X86_UMIP): Y
Indirect Branch Tracking (CONFIG_X86_KERNEL_IBT): N, SEC
Memory Protection Keys (CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS): Y, STD
TSX enable mode: auto
X86 userspace shadow stack (CONFIG_X86_USER_SHADOW_STACK): N, SEC
EFI runtime service support (CONFIG_EFI): Y, STD
EFI stub support (CONFIG_EFI_STUB): N, only if you boot kernel directly
EFI handover protocol (CONFIG_EFI_HANDOVER_PROTOCOL): N, OLD
EFI mixed-mode support (CONFIG_EFI_MIXED): N, only relevant (but still unneeded) on Apple hardware
Enable EFI fake memory map (CONFIG_EFI_FAKE_MEMMAP): N
Export EFI runtime maps to sysfs (CONFIG_EFI_RUNTIME_MAP): N
Timer frequency: 100 HZ for server, 300 HZ for laptop, 1000 HZ for low-latency requirements
Physical address where the kernel is loaded (CONFIG_PHYSICAL_START): 0x1000000
Build a relocatable kernel (CONFIG_RELOCATABLE): Y, STD
Randomize the address of the kernel image (KASLR) (CONFIG_RANDOMIZE_BASE): Y, SEC
Alignment value to which the kernel should be aligned (CONFIG_PHYSICAL_ALIGN): 0x200000
Randomize the kernel memory sections (CONFIG_RANDOMIZE_BASE): Y, SEC
Physcial memory mapping padding (CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING): 0x00
Linear Address Masking support (CONFIG_ADDRESS_MASKING): N
vsyscall table for legacy applications: None
Built-in kernel command line (CONFIG_CMDLINE_BOOL): N, unless booting kernel directly
Enable the LDT (local descriptor table) (CONFIG_MODIFY_LDT_SYSCALL): N, EMB
Enforce strict size checking for sigalstack (CONFIG_STRICT_SIGALSTACK_SIZE): N, DEV

Power management and ACPI options

Suspend to RAM and standby (CONFIG_SUSPEND): Y, N for servers
Skip kernel's sys_sync() on suspend to RAM/standby (CONFIG_SUSPEND_SKIP_SYNC): N
Hibernation (aka 'suspend to disk') (CONFIG_HIBERNATION): Y, if desired. N for servers
Opportunistic sleep (CONFIG_PM_SLEEP): N, EMB
Userspace opportunistic sleep (CONFIG_PM_USERSPACE_AUTOSLEEP): N, EMB
User space wakeup sources interface (CONFIG_PM_WAKELOCKS): N, EMB
Device power management core functionality (CONFIG_PM): Y, STD
Power Management Debug Support (CONFIG_PM_DEBUG): N, DEV
Enable workqueue power-efficient mode by default (CONFIG_WQ_POWER_EFFICIENT_DEFAULT): N
Energy Model for devices with DVFS (CONFIG_ENERGY_MODEL): N
ACPI Support (CONFIG_ACPI): Y, STD
- AML debugger interface (CONFIG_ACPI_DEBUGGER): N DEV
- ACPI Serial Port Console Redirection Support (CONFIG_ACPI_SPCR_TABLE): N, DEV
- ACPI Firmware Performance Data Table (FPDT) support (CONFIG_ACPI_FPDT): Y, STD
- Allow support ACPI revision to be overridden (CONFIG_ACPI_REV_OVERRIDE_POSSIBLE): N
- EC read/write access through /sys/kernel/debug/ec (CONFIG_ACPI_EC_DEBUGFS): N, DEV
- AC Adapater (CONFIG_ACPI_AC): Y, if present
- Battery (CONFIG_ACPI_BATTERY): Y, on laptops
- Button (CONFIG_ACPI_BUTTON): Y
- Video (CONFIG_ACPI_VIDEO): Y
- Fan (CONFIG_ACPI_FAN): Y
- ACPI Time and Alarm (TAD) Device Support (CONFIG_ACPI_TAD): Y
- Dock (CONFIG_ACPI_DOCK): Y, if using docking station
- Processor (CONFIG_ACPI_PROCESSOR): Y
- Processor Aggregator (CONFIG_ACPI_PROCESSOR_AGGREGATOR): Y
- Thermal Zone (CONFIG_ACPI_THERMAL): Y
- Custom DSDT Table file to include (CONFIG_ACPI_CUSTOM_DSDT_FILE): empty
- Debug Statements (CONFIG_ACPI_DEBUG): N, DEV
- PCI slot detection driver (CONFIG_ACPI_PCI_SLOT): N, DEV
- Container and Module Devices (CONFIG_ACPI_CONTAINER): Y
- Smart Battery System (CONFIG_ACPI_SBS): Y, on laptops
- Hardware Error Device (CONFIG_ACPI_HED): Y
- Boottime Graphics Resource Table support (CONFIG_ACPI_BGRT): N
- Hardware-reduced ACPI support only (CONFIG_ACPI_REDUCED_HARDWWARE_ONLY): N
- ACPI Platform Error Interface (APEI) (CONFIG_ACPI_APEI): Y
- APEI Generic Hardware Error Source (CONFIG_ACPI_APEI_GHES): Y
- APEI Error Record Serialization Table (ERST) Debug Support (CONFIG_ACPI_APEI_ERST_DEBUG): N, DEV
- Intel DPTF (Dynamic Platform and Thermal Framework) (CONFIG_ACPI_DPTF): Y, on Intel processors
- ACPI configfs support (CONFIG_ACPI_CONFIGFS): N
- ACPI Platform Firmware Runtime Update and Telemetry (CONFIG_ACPI_PFRUT): N
- ACPI PCC Address Space (CONFIG_ACPI_PCC): Y, STD, for UEFI
- ACPI FFH Address Space (CONFIG_ACPI_FFH): N
- PMIC (Power Management Integrated Circuit) operation region support (CONFIG_PMIC_OPREGION): N
- Platform Runtime Mechanism Support (CONFIG_ACPI_PRMT): Y
Power Management Timer Support (CONFIG_X86_PM_TIMER): Y, STD
CPU Frequency scaling
- CPU frequency transition statistics (CONFIG_CPU_FREQ_STAT): N, DEV
- Default CPUFreq governor: performance
- 'performance' governor (CONFIG_CPU_FREQ_GOV_PERFORMANCE): Y
- 'powersave' governor (CONFIG_CPU_FREQ_GOV_POWERSAVE): N, not strictly necessary
- 'userspace' governor for userspace frequency scaling (CONFIG_CPU_FREQ_GOV_USERSPACE): N, not strictly necessary
- 'ondemand' cpufreq policy governor (CONFIG_CPU_FREQ_GOV_ONDEMAND): N
- 'conservative' cpufreq governor (CONFIG_CPU_FREQ_GOV_CONSERVATIVE): N
- 'schedutil' cpufreq policy governor (CONFIG_CPU_FREQ_GOV_SCHEDUTIL): Y
- Intel P state control (CONFIG_X86_INTEL_PSTATE): Y, on Intel processors
- Processor Clocking Control interface driver (CONFIG_X86_PCC_CPUFREQ): N, OLD
- AMD Processor P-State driver (CONFIG_X86_AMD_PSTATE): Y, on AMD processors
- selftest for AMD Processor P-State driver (CONFIG_X86_AMD_PSTATE_UT): N, DEV
- ACPI Processor P-States driver (CONFIG_X86_ACPI_CPUFREQ): Y, STD
- Intel Enhanced SpeedStep (CONFIG_X86_SPEEDSTEP_CENTRINO): N, OLD
- Intel Pentium 4 clock modulation (CONFIG_X86_P4_CLOCKMOD): N, OLD
CPU Idle
- CPU idle PM support (CONFIG_CPU_IDLE): Y, STD
- Ladder governor (for periodic timer tick) (CPU_IDLE_GOV_LADDER): N
- Menu governor (for tickless system) (CPU_IDLE_GOV_MENU): Y
- Timer events oriented governor (CONFIG_CPU_IDLE_GOV_TEO): N
Cpuidle Driver for Intel Processors (CONFIG_INTEL_IDLE): Y, on Intel processors

Memory Management options

Support for paging of anonymous memory (swap) (CONFIG_SWAP): Y, STD

Slab allocator options

Configure for minimal memory footprint (CONFIG_SLUB_TINY): N, EMB
Allow slab caches to be merged (CONFIG_SLAB_MERGE_DEFAULT): Y
Randomize slab freelist (CONFIG_SLAB_FREELIST_RANDOM): Y, SEC
Harden slab freelist metadata (CONFIG_SLAB_FREELIST_HARDENED): Y, SEC
Enable performance statistics (CONFIG_SLUB_STATS): N, DEV
Enable per cpu partial caches (CONFIG_SLUB_CPU_PARTIAL): Y, on multicore systems...
Randomize slab caches for normal kmalloc (CONFIG_RANDOM_KMALLOC_CACHES): N, SEC

Page allocator randomization (CONFIG_SHUFFLE_PAGE_ALLOCATOR): Y, SEC

Disable heap randomization (CONFIG_COMPAT_BRK): N, OLD

Sparse Memory virtual memmap (CONFIG_SPARSE_VMEMMAP): Y, STD

Memory hotplug (MEMORY_HOTPLUG): N, VIRT

Allow for memory compaction (CONFIG_COMPACTION): Y, STD

Free page reporting (CONFIG_PAGE_REPORTING): N, VIRT

Page migration (CONFIG_MIGRATION): Y, auto enabled if needed

Maximum scale factor of PCP (Per-CPU pageset) batch allocate/free (CONFIG_PCP_BATCH_SCALE_MAX): 5

Enable KSM for page merging (CONFIG_KSM): N, VIRT

Low address space to protect from user allocation (CONFIG_DEFAULT_MMAP_ADDR): 65536

Enable recovery from hardware memory errors (CONFIG_MEMORY_FAILURE): N, unless you have ECC memory

Transparent Hugepage Support (CONFIG_TRANSPARENT_HUGEPAGE): N, unless you have large amounts of memory

Contiguous Memory Allocator (CONFIG_CMA): N

Defer initialisation of struct pages to kthreads (CONFIG_DEFERRED_PAGE_INIT): N

Enable idle page tracking (CONFIG_IDLE_PAGE_TRACKING): N

Support DMA zone (ZONE_DMA): Y

Support DMA32 zone (ZONE_DMA32): Y

Enable VM event counters /proc/vmstat (CONFIG_VM_EVENT_COUNTERS): Y

Collect percpu memory statistics (CONFIG_PERCPU_STATS): N, DEV

Enable a module to run time tests on dma_pool (CONFIG_DMAPOOL_TEST): N, DEV

Enable memfd_create() system call (MEMFD_CREATE): Y

Enable memfd_secreat() system call (CONFIG_SECRETMEM): Y

Anonymous VMA name support (CONFIG_ANON_VMA_NAME): N, SEC

Enable userfaultfd() system call (CONFIG_USERFAULTFD): N, VIRT

Multi-Gen LRU (CONFIG_LRU_GEN): N

Data Access Monitoring

DAMON: Data Access Monitoring Framework (CONFIG_DAMON): N

Network support

Networking options

Packet Socket (CONFIG_PACKET): Y, STD
Packet: sockets monitoring interface (CONFIG_PACKET_DIAG): Y, STD
Unix domain sockets (CONFIG_UNIX): Y
UNIX: socket monitoring interface (CONFIG_UNIX_DIAG)
Transport Layer Security support (CONFIG_TLS): N
Transformation user configuration interface (CONFIG_XFRM_USER): N, not strictly necessary
Transformation virtual interface (CONFIG_XFRM_INTERFACE): N
Transformation sub policy support (CONFIG_XFRM_SUB_POLICY): N, DEV
Transformation migrate database (CONFIG_XFRM_MIGRATE): N, unless on mobile
Transformation statistics (CONFIG_XFRM_STATISTICS):N, DEV
PF_KEY sockets (CONFIG_NET_KEY): N
TCP/IP networking (CONFIG_INET): Y, STD
IP: multicasting (CONFIG_IP_MULTICAST): N
IP: advanced router (CONFIG_IP_ADVANCED_ROUTER): N, unless acting as router
IP: kernel level autoconfiguration (CONFIG_IP_PNP): N, unless using PXE
IP: tunneling (CONFIG_INET_IPIP): N
IP: GRE demultiplexer (CONFIG_NET_IPGRE_DEMUX): N
IP: TCP syncookie support (CONFIG_SYN_COOKIES): N, SEC
Virtual (secure) IP: tunneling (CONFIG_NET_IPVTI): N
IP: Foo (IP protocols) over UDP (CONFIG_NET_FOU): N
IP: FOU encapsulation of IP tunnels (CONFIG_NET_FOU_IP_TUNNELS): N
IP: AH transformation (CONFIG_INET_AH): Y, STD
IP: ESP transformation (CONFIG_INET_ESP): Y, STD
IP: ESP transformation offload (CONFIG_INET_ESP_OFFLOAD): N
IP: ESP in TCP encapsulation (RFC 8229) (CONFIG_INET_ESPINTCP): N
IP: IPComp transformation (CONFIG_INET_IPCOMP): N
INET: Source port perturbation table size (as power of 2) (CONFIG_INET_TABLE_PERTUB_ORDER): 16
INET: socket monitoring interface (CONFIG_INET_DIAG): N
TCP: advanced congestion control (CONFIG_TCP_CONG_ADVANCED): N
TCP: Authentication Option (RFC5925) (CONFIG_TCP_AO): N
TCP: MD5 Signature Option Support (RFC2385) (CONFIG_TCP_MD5SIG): N
The IPv6 protocol (CONFIG_IPV6): Y

IPv6: Router Preference (RFC 4191) support (CONFIG_IPV6_ROUTER_PREF): N
IPv6: Enable RFC 4429 Optimistic DAD (CONFIG_IPV6_OPTIMISTIC_DAD): N
IPv6: AH transformation (CONFIG_IPV6_AH): Y, STD
IPv6: ESP transformation (CONFIG_INET6_ESP): Y, STD
IPv6: ESP transformation offload (CONFIG_INET6_ESP_OFFLOAD): N
IPv6: ESP in TCP encapsulation (RFC 8229) (CONFIG_INET6_ESPINTCP): N
IPv6: IPComp transformation (CONFIG_INET6_IPCOMP): N
IPv6: Mobility (CONFIG_IPV6_MIP6): N
IPv6: Identifier Locator Addressing (ILA) (CONFIG_IPV6_ILA): N
Virtual (secure) IPv6: tunneling (CONFIG_IPV6_VTI): N
IPv6: IPv6-in-IPv4 tunnel (SIT driver) (CONFIG_IPV6_SIT): Y, STD
IPv6: IPv6 Rapid Deployment (6RD) (CONFIG_IPV6_SIT_6RD): N
IPv6: IP-in-IPv6 tunnel (RFC2473) (CONFIG_IPV6_TUNNEL): N
IPv6: Multiple Routing Tables (CONFIG_IPV6_MULTIPLE_TABLES): N
IPv6: multicast routing (CONFIG_IPV6_MROUTE): N
IPv6: Segment Routing Header encapsulation support (CONFIG_IPV6_SEG6_LWTUNNEL): N
IPv6: Segment Routing HMAC support (CONFIG_IPV6_SEG6_HMAC): N
IPv6: RPL Source Routing Header support (CONFIG_IPV6_RPL_LWTUNNEL): N
IPv6: IOAM Pre-allocated Trace insertion support (CONFIG_IPV6_IOAM6_LWTUNNEL): N

MPTCP: Multipath TCP (CONFIG_MPTCP): N
Security Marking (CONFIG_NETWORK_SECMARK): N, auto enabled if needed
Timestamping in PHY devices (CONFIG_NETWORK_PHY_TIMESTAMPING): N
Network packet filtering framework (Netfilter) (CONFIG_NETFILTER): Y, this is firewall

Advanced netfilter configuration (CONFIG_NETFILTER_ADVANCED): Y
Core Netfilter Configuration

Netfilter ingress support (CONFIG_NETFILTER_INGRESS): Y
Netfilter egress support (CONFIG_NETFILTER_EGRESS): Y
Netfilter OSF over NFNETLINK interface (CONFIG_NETFILTER_NETLINK_OSF): Y
Syslog packet logging (CONFIG_NF_LOG_SYSLOG): Y
Netfilter Xtables support (CONFIG_NETFILTER_XTABLES): Y
nfmark target and match support (CONFIG_NETFILTER_XT_MARK): Y
N to all others

IP set support (CONFIG_IP_SET): N
IP virtual server support (CONFIG_IP_VS): N
IP: Netfilter Configuration

IPv4 socket lookup support (CONFIG_NF_SOCKET_IPV4): Y
IPv4 tproxy support (NF_TPROXY_IPV4): Y
Netfilter IPv4 packet duplication to alternate destination (CONFIG_NF_DUP_IPV4): Y
ARP packet logging (CONFIG_NF_LOG_ARP): Y
IPv4 packet logging (CONFIG_NF_LOG_IPV4): Y
IPv4 packet rejection (NF_REJECT_IPV4): Y
IP tables support (CONFIG_IP_NF_IPTABLES): N
ARP tables support (CONFIG_IP_NF_ARPTABLES): N

IPv6: Netfilter Configuration

IPv6 socket lookup support (CONFIG_NF_SOCKET_IPV6): Y
IPv6 tproxy support (NF_TPROXY_IPV6): Y
Netfilter IPv6 packet duplication to alternate destination (CONFIG_NF_DUP_IPV6): Y
IPv6 packet rejection (NF_REJECT_IPV6): Y
IPv6 packet logging (CONFIG_NF_LOG_IPV6): Y
IP6 tables support (CONFIG_IP6_NF_IPTABLES): N

The DCCP Protocol (CONFIG_IP_DCCP): N
The SCTP Protocol (CONFIG_IP_SCTP): N, used by Telcos
The Reliable Datagram Sockets Protocol (CONFIG_RDS): N
The TIPC Protocol (CONFIG_TIPC): N
Asynchronous Transfer Mode (ATM) (CONFIG_ATM): N, used by DSL modems
Layer Two Tunneling Protocol (L2TP) (CONFIG_L2TP): N, unless using a VPN
802.1d Ethernet Bridging (CONFIG_BRIDGE): N, VIRT
Distributed Switch Architecture (CONFIG_NET_DSA): N
802.1Q/802.1ad VLAN Support (CONFIG_VLAN_8021Q): N
ANSI/IEEE 802.2 LLC type 2 support (CONFIG_LLC2): N
Appletalk protocol support (CONFIG_ATALK): N, OLD
CCITT X.25 Packet Layer (CONFIG_X25): N
LAPB Data Link Driver (CONFIG_LAPB): N
Phonet protocols family (CONFIG_PHONET): N
6LoWPAN Support (CONFIG_6LOWPAN): N
IEEE Std 802.15.4 Low-Rate Wireless Personal Area Networks Support (CONFIG_IEEE802154): N
QoS and/or fair queueing (CONFIG_NET_SCHED): Y

N to all others

Data Center Bridging support (CONFIG_DCB): N
DNS Resolver support (CONFIG_DNS_RESOLVER): N
B.A.T.M.A.N Advanced Meshing Protocol (CONFIG_BATMAN_ADV): N
Open vSwitch (CONFIG_OPENVSWITCH): N
Virtual Socket protocol (CONFIG_VSOCKETS): N, VIRT
NETLINK: socket monitoring interface (CONFIG_NETLINK_DIAG): N
MultiProtocol Label Switching (CONFIG_MPLS): N
Network Service Header (NSH) protocol (CONFIG_NET_NSH): N
High-availability Seamless Redundancy (HSR & PRP) (CONFIG_HSR): N
Switch (and switch-ish) device support (CONFIG_NET_SWITCHDEV): N
L3 Master device support (CONFIG_NET_L3_MASTER_DEV): N
Qualcomm IPC Router support (CONFIG_QRTR): N
NCSI interface support (CONFIG_NET_NCSI): N
Use percpu variables to maintain network device refcount (CONFIG_PCPU_DEV_REFCNT): Y
Maximum number of fragments per skb_shared_info (CONFIG_MAX_SKB_FRAGS): 17
Network priority cgroup (CONFIG_CGROUP_NET_PRIO): N
Network classid cgroup (CONFIG_CGROUP_NET_CLASSID): N

Amateur Radio support (CONIG_HAMRADIO): N

CAN bus subsystem support (CONFIG_CAN): N, used in vehicles

Bluetooth subsystem support (CONFIG_BT): Y, if desired

Bluetooth Classic (BR/EDR) features (CONFIG_BT_BREDR): Y
RFCOMM protocol support (CONFIG_BT_RFCOMM): Y
RFCOMM TTY support (CONFIG_BT_RFCOMM_TTY): N
BNEP protocol support (CONFIG_BT_BNEP): N
HIDP protocol support (CONFIG_BT_HIDP): Y, for input devices
Bluetooth High Speed (HS) features (CONFIG_BT_HS): Y
Bluetooth Low Energy (LE) features (CONFIG_BT_LE): Y
Bluetooth L2CAP Enhanced Credit Flow Control (CONFIG_BT_LE_L2CAP_ECRED): Y
Enable LED triggers (CONFIG_BT_LEDS): N
Enable Microsoft extensions (CONFIG_BT_MSFTEXT): N
Enable Android Open Source Project extensions (CONFIG_BT_AOSPEXT): N
Bluetooth self testing support (CONFIG_BT_SELFTEST): N, DEV
Enable runtime option for debugging statements (CONFIG_BT_FEATURE_DEBUG): N, DEV
Bluetooth device drivers

HCI USB driver (CONFIG_BT_HCIBTUSB): Y, most bt cards are attached via usb
Enable USB poll_sync for Bluetooth USB devices by default (CONFIG_BT_HCIBTUSB_POLL_SYNC): Y, STD
Enable others based on hardware...

RxRPC session sockets (CONFIG_AF_RXRPC): N

KCM sockets (CONFIG_AF_KCM): N

MCTP core protocol support (CONFIG_MCTP): N

Wireless (WIRELESS): Y, if needed

cfg80211 - wireless configuration API (CONFIG_CFG80211): Y, STD
nl80211 testmode command (CONFIG_NL80211_TESTMODE): N, DEV
enable developer warnings (CONFIG_CFG80211_DEVELOPER_WARNINGS): N, DEV
cfg80211 certification onus (CONFIG_CFG80211_CERTIFICATION_ONUS): N
enable powersave by default (CONFIG_CFG80211_DEFAULT_PS): Y
support CRDA (CONFIG_CFG80211_CRDA_SUPPORT): Y
cfg80211 wireless extensions compatibility (CONFIG_CFG80211_WEXT): N
Generic IEEE 802.11 Networking Stack (mac80211) (CONFIG_MAC80211): Y, STD
Minstrel (CONFIG_MAC80211_RC_MINSTREL): Y
Default rate control algorithm: Minstrel
Enable mac80211 mesh networking support (CONFIG_MAC80211_MESH): N, OLD
Enable LED triggers (CONFIG_MAC80211_LEDS): N
Trace all mac80211 debug messages (CONFIG_MAC80211_MESSAGE_TRACING): N, DEV
Select mac80211 debugging features (CONFIG_MAC80211_DEBUG_MENU): N, DEV

RF switch subsystem support (CONFIG_RFKILL): N, may be needed for some network/bt cards

Plan 9 Resource Sharing Support (9P2000) (CONFIG_NET_9P): N, VIRT

CAIF support (CONFIG_CAIF): N

Ceph core library (CONFIG_CEPH_LIB): N

NFC subsystem support (CONFIG_NFC): N, EMB

Packet-sampling netlink channel (CONFIG_PSAMPLE): N

Inter-FE based on IETF ForCES InterFE LFB (CONFIG_NET_IFE): N

Network light weight tunnels (CONFIG_LWTUNNEL): N

Generic failover module (CONFIG_FAILOVER): N, VIRT

Netlink interface for ethtool (CONFIG_ETHTOOL_NETLINK): N

File systems

Validate filesystem parameter description (CONFIG_VALIDATE_FS_PARSER): N
Second extended fs support (CONFIG_EXT2_FS): N, covered by ext4
The Extended 3 (ext3) filesystem (CONFIG_EXT3_FS): N, covered by ext4
The Extended 4 (ext4) filesystem (CONFIG_EXT4_FS): Y, assuming ext4 is used
Use ext4 for ext2 file systems (CONFIG_EXT4_USE_FOR_EXT2): Y, STD
Ext4 POSIX Access Control Lists (CONFIG_EXT4_FS_POSIX_ACL): N
Ext4 Security Labels (CONFIG_EXT4_FS_SECURITY): Y, SEC
Ext4 debugging support (CONFIG_EXT4_DEBUG): N, DEV
JBD2 (ext4) deubgging support (CONFIG_JBD2_DEBUG): N, DEV
Reiserfs support (CONFIG_REISERFS_FS): N, OLD
JFS filesystem support (CONFIG_JFS_FS): N
XFS filesystem support (CONFIG_XFS_FS): N, for server
GFS2 file system support (CONFIG_GFS2_FS): N
Btrfs filesystem support (CONFIG_BTRFS_FS): N, unreliable...
NILFS2 file system support (CONFIG_NILFS2_FS): N
F2FS filesystem support (CONFIG_F2FS_FS): N
bcachefs filesystem support (CONFIG_BCACHEFS_FS): N
Enable filesystem export operations for block IO (CONFIG_EXPORTFS_BLOCK_OPS): N
Enable POSIX file locking API (CONFIG_FILE_LOCKING): Y
FS Encryption (Per-file encryption) (CONFIG_FS_ENCRYPTION): N
FS Verity (read-only file-based authenticity protection) (CONFIG_FS_VERITY): N
Dnotify support (CONFIG_DNOTIFY): Y, STD
Inotify support for userspace (CONFIG_INOTIFY_USER): Y, STD
Filesystem wide access notification (CONFIG_FANOTIFY): Y, STD
Quota Support (CONFIG_QUOTA): N
Kernel automounter support (CONFIG_AUTOFS_FS): Y, if using systemd
FUSE (Filesystem in Userspace support) (CONFIG_FUSE_FS): Y
Character device in Userspace support (CONFIG_CUSE): N
Virtio Filesystem (CONFIG_VIRTIO_FS): N, VIRT
Overlay filesystem support (CONFIG_OVERLAY_FS): N
CD-ROM/DVD Filesystems

ISO 9660 CDROM file system support (CONFIG_ISO9660_FS): N, unless you intend to mount ISO images
UDF file system support (CONFIG_UDF_FS): N, unless DVD hardware is present

DOS/FAT/EXFAT/NT Filesystems

MSDOS fs support (CONFIG_MSDOS_FS): N, OLD
VFAT (Windows-95) fs support (CONFIG_VFAT_FS): Y, commonly used by USB storage
Default codepage for FAT (CONFIG_FAT_DEFAULT_CODEPAGE): 437, unless in Russia/Asia
Default iocharset for FAT (CONFIG_FAT_DEFAULT_IOCHARSET): ios8859-1
Enable FAT UTF-8 option by default (CONFIG_FAT_DEFAULT_UTF8): N
exFAT filesystem support (CONFIG_EXFAT_FS): N
NTFS file system support (CONFIG_NTFS_FS): N, Windows disks
NTFS debugging support (CONFIG_NTFS_DEBUG): N, DEV
NTFS writesupport (CONFIG_NTFS_RW): N
NTFS Read-Write file system support (CONFIG_NTFS3_FS): N

Pseudo filesystems

/proc file system support (CONFIG_PROC_FS): Y, STD
/proc/kcore support (CONFIG_PROC_KCORE): N, SEC
Sysctl support (/proc/sys) (CONFIG_PROC_SYSCTL): Y
Enable /proc page monitoring (CONFIG_PROC_PAGE_MONITOR): Y
sysfs file system support (CONFIG_SYSFS): Y
Tmpfs virtual memory file system support (former shm fs) (CONFIG_TMPFS): Y, STD
Tmpfs POSIX Access Control Lists (CONFIG_TMPFS_POSIX_ACL): Y
Tmpfs extended attributes (CONFIG_TMPFS_XATTR): Y, STD
Use 64-bit ino_t by default in tmpfs (CONFIG_TMPFS_INODE64): N
Tmpfs quota support (CONFIG_TMPFS_QUOTA): N
HugeTLB file system support (CONFIG_HUGETLBFS): N, irrelevant due to THP
Userspace-driven configuration filesystem (CONFIG_CONFIGFS_FS): N
EFI Variable filesystem (CONFIG_EFIVAR_FS): Y, STD

Miscellaneous filesystems (CONFIG_MISC_FILESYSTEMS): N
Network File Systems (CONFIG_NETWORK_FILESYSTEMS): N, unless needed
Native language support (CONFIG_NLS): Y

Default NLS Option (CONFIG_NLS_DEFAULT): utf8
Codepage 437 (United States, Canada) (CONFIG_NLS_CODEPAGE_437): Y
ASCII (United States) (CONFIG_NLS_ASCII): Y
NLS UTF-8 (CONFIG_NLS_UTF8): Y
Select others as needed

UTF-8 normalization and casefolding support (CONFIG_UNICODE): N

Cryptographic API

Crypto core or helper

Cryptographic algorithm manager (CONFIG_CRYPTO_MANAGER): Y, STD
Userspace cryptographic algorithm configuration (CONFIG_CRYPTO_USER): N
Disable run-time self tests (CONFIG_CRYPTO_MANAGER_DISABLE_TESTS): Y
Null algorithms (CONFIG_CRYPTO_NULL): Y
Parallel crypto engine (CONFIG_CRYPTO_PCRYPT): N
Software async crypto daemon (CONFIG_CRYPTO_CRYPTD): N
Authenc support (CONFIG_CRYPTO_AUTHENC): Y
Testing module (CONFIG_CRYPTO_TEST): N, DEV

Public-key cryptography

RSA (Rivest-Shamir-Adleman) (CONFIG_CRYPTO_RSA): Y, STD
DH (Diffie-Hellman) (CONFIG_CRYPTO_DH): N
ECDH (Elliptic Curve Diffie-Hellman) (CONFIG_CRYPTO_ECDH): Y
ECDSA (Elliptic Curve Digital Signature Algorithm) (CONFIG_CRYPTO_ECDSA): N
EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm) (CONFIG_CRYPTO_ECRDSA): N
SM2 (ShangMi 2) (CONFIG_CRYPTO_SM2): N
Curve25519 (CONFIG_CRYPTO_CURVE25519): N

Block ciphers

AES (Advanced Encryption Standard) (CONFIG_CRYPTO_AES): Y, STD
AES (Advanced Encryption standard) (fixed time) (CONFIG_CRYPTO_AES_TI): N
ARIA (CONFIG_CRYPTO_ARIA): N
Blowfish (CONFIG_CRYPTO_BLOWFISH): N
Camellia (CONFIG_CRYPTO_CAMELLIA): N
CAST5 (CAST-128) (CONFIG_CRYPTO_CAST5): N
CAST6 (CAST-256) (CONFIG_CRYPTO_CAST6): N
DES and Triple DES EDE (CONFIG_CRYPTO_DES): N
FCrypt (CONFIG_CRYPTO_FCRYPT): N
Serpent (CONFIG_CRYPTO_SEPRENT): N
SM4 (ShangMi 4) (CONFIG_CRYPTO_SM4_GENERIC): N
Twofish (CONFIG_CRYPTO_TWOFISH): N

Length-preserving ciphers and modes

Adiantum (CONFIG_CRYPTO_ADIANTUM): N
ChaCha (CONFIG_CRYPTO_CHACHA20): N
CBC (Cipher Block Chaining) (CONFIG_CRYPTO_CBC): Y, STD
CTR (Counter) (CONFIG_CRYPTO_CTR): Y, STD
CTS (Cipher Text Stealing) (CONFIG_CRYPTO_CTS): N
ECB (Electronic Codebook) (CONFIG_CRYPTO_ECB): Y, STD
HCTR2 (CONFIG_CRYPTO_HCTR2): N
KW (AES Key Wrap) (CONFIG_CRYPTO_KEYWRAP): N
PCBC (Propagating Cipher Block Chaining) (CONFIG_CRYPTO_PCBC): N
XTS (XOR Encrypt XOR with ciphertext stealing) (CONFIG_CRYPTO_XTS): N

AEAD (authenticated encryption with associated data) ciphers

AEGIS-128 (CONFIG_CRYPTO_AEGIS128): N
ChaCha20-Poly1305 (CONFIG_CRYPTO_CHACHA20POLY1305): N
CCM (Counter with Cipher Block Chaining-MAC) (CONFIG_CRYPTO_CCM): Y
GCM (Galois/Counter Mode) and GMAC (GCM MAC) (CONFIG_CRYPTO_GCM): Y
Sequence Number IV Generator (CONFIG_CRYPTO_SEQIV): Y
Encrypted Chain IV Generator (CONFIG_CRYPTO_ECHAINIV): Y
Encrypted Salt-Sector IV Generator (CONFIG_CRYPTO_ESSIV): N

Hashes, digests, and MACs

BLAKE2b (CONFIG_CRYPTO_BLAKE2B): N, unless using btrfs
CMAC (Cipher-based MAC) (CONFIG_CRYPTO_CMAC): Y
GHASH (CONFIG_CRYPTO_GHASH): Y
HMAC (Keyed-Hash MAC) (CONFIG_CRYPTO_HMAC): Y
MD4 (CONFIG_CRYPTO_MD4): N, OLD
MD5 (CONFIG_CRYPTO_MD5): Y
Miachel MIC (CONFIG_CRYPTO_MICHAEL_MIC): N
Poly1305 (CONFIG_CRYPTO_POLY1305): N
RIPEMD-160 (CONFIG_CRYPTO_RMD160): N
SHA-1 (CONFIG_CRYPTO_SHA1): N
SHA-224 and SHA-256 (CONFIG_CRYPTO_SHA256): Y
SHA-384 and SHA-512 (CONFIG_CRYPTO_SHA512): Y
SHA-3 (CONFIG_CRYPTO_SHA3): Y
SM3 (ShangMi 3) (CONFIG_CRYPTO_SM3_GENERIC): N
Streebog (CONFIG_CRYPTO_STREEBOG): N
VMAC (CONFIG_CRYPTO_VMAC): N
Whirlpool (CONFIG_CRYPTO_WP512): N
XCBC-MAC (Extended Cipher Block Chaining MAC) (CONFIG_CRYPTO_XCBC): N
xxHash (CONFIG_CRYPTO_XXHASH): N, unless using btrfs

CRCs (cyclic redundancy checks)

CRC32c (CONFIG_CRYPTO_CRC32C): Y, used by many filesystems
CRC32 (CONFIG_CRYPTO_CRC32): N
CRCT10DIF (CONFIG_CRYPTO_CRCT10DIF): N
CRC64 based on Rocksoft Model algorithm (CONFIG_CRYPTO_CRC64_ROCKSOFT): Y

Compression

Deflate (CONFIG_CRYPTO_DEFLATE): N
LZO (CONFIG_CRYPTO_LZO): N
842 (CONFIG_CRYPTO_842): N
LZ4 (CONFIG_CRYPTO_LZ4): N
LZ4HC (CONFIG_CRYPTO_LZ4HC): N
Zstd (CONFIG_CRYPTO_ZSTD): Y

Random number generation

ANSI PRNG (Pseudo Random Number Generator) (CONFIG_CRYPTO_ANSI_CPRNG): N
NIST SP800-90A DRBG (Deterministic Random Bit Generator) (CONFIG_CRYPTO_DRBG_MENU): Y
CPU Jitter: Non-Deterministic RNG (Random Number Generator) (CONFIG_CRYPTO_JITTERENTROPY): Y

Userspace interface

None

Accelerated Cryptographic Algorithms for CPU (x86)

None

Hardware crypto devices (CONFIG_CRYPTO_HW): N, unless present
Asymmetric (public-key cryptographic) key type

Asymmetric public-key crypto algorithm subtype (CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE): Y
X.509 certificate parser (CONFIG_X509_CERTIFICATE_PARSER): Y
PKCS#8 private key parser (CONFIG_PKCS8_PRIVATE_KEY_PARSER): N
PKCS#7 message parser (CONFIG_PKCS7_MESSAGE_PARSER): Y
PKCS#7 testing key type (CONFIG_PKCS7_TEST_KEY): N
Support for PE file signature verification (CONFG_SIGNED_PE_FILE_VERIFICATION): N
Run FIPS selftests on the X.509+PKCS7 signature verification (CONFIG_FIPS_SIGNATURE_SELFTEST): N

Certificates for signature checking

Provide system-wide ring of trusted keys (CONFIG_SYSTEM_TRUSTED_KEYRING): Y
Additional X.509 keys for default system keyring (CONFIG_SYSTEM_TRUSTED_KEYS): N
Reserve area for inserting a certificate without recompiling (CONFIG_SYSTEM_EXTRA_CERTIFICATE): N
Provide a keyring to which extra trustable keys may be added (CONFIG_SECONDARY_TRUSTED_KEYRING): N
Provide system-wide ring of blacklisted keys (CONFIG_SYSTEM_BLACKLIST_KEYRING): N

Kernel hacking

Most options here are development related, but some offer security enhancements.

printk and dmesg options

Show timing information on printks (CONFIG_PRINTK_TIME): Y
Show caller information on printks (CONFIG_PRINTK_CALLER): N
Show build ID information in stacktraces (CONFIG_STACKTRACE_BUILD_ID): N
Default console loglevel (1-15) (CONFIG_CONSOLE_LOGLEVEL_DEFAULT): 7, can be lowered to silence chatty programs
quiet console loglevel (1-15) (CONFIG_CONSOLE_LOGLEVEL_QUIET): 4
Default message log level (1-7) (CONFIG_MESSAGE_LOGLEVEL_DEFAULT): 4
Delay each boot printk message by N milliseconds (CONFIG_BOOT_PRINTK_DELAY): N, unless slow booting system
Enable dynamic printk() support (CONFIG_DYNAMIC_DEBUG): N
Enable core function of dynamic debug support (CONFIG_DYNAMIC_DEBUG_CORE): N
Support symbolic error names in printf (CONFIG_SYMBOLIC_ERRNAME): Y
Verbose BUG() reporting (CONFIG_DEBUG_BUGVERBOSE): N

Kernel debugging (CONFIG_DEBUG_KERNEL): Y
Miscellaneous debug code (CONFIG_DEBUG_MISC): N
Compile-time checks and compiler options

Debug information: Disable debug information (CONFIG_DEBUG_INFO_NONE)
Warn for stack frames larger than (CONFIG_FRAME_WARN): 2048
Strip assembler-generated symbols during link (CONFIG_STRIP_ASM_SYMS): N
Install uapi headers to usr/include (CONFIG_HEADERS_INSTALL): N
Make section mismatch errors non-fatal (CONFIG_SECTION_MISMATCH_WARN_ONLY): Y
Force all function address 64B aligned (CONFIG_DEBUG_FORCE_FUNCTION_ALIGN_64B): N
Generate vmlinux.map file when linking (CONFIG_VMLINUX_MAP): N
Force weak per-cpu definitions (CONFIG_DEBUG_FORCE_WEAK_PER_CPU): N

Memory Debugging

Extend memmap on extra space for more information on page (CONFIG_PAGE_EXTENSION): N
Debug page memory allocations (CONFIG_DEBUG_PAGEALLOC): N
Enable SLUB debugging support (CONFIG_SLUB_DEBUG): N
Track page owner (CONFIG_PAGE_OWNER): N
Check for invalind mappings in user page tables (CONFIG_PAGE_TABLE_CHECK): N
Poison pages after freeing (CONFIG_PAGE_POISONING): N
Testcase for the marking rodata read-only (CONFIG_DEBUG_RODATA_TEST): N
Warn on W+X mappings at boot (CONFIG_DEBUG_WX): Y
Kernel memory leak detector (CONFIG_DEBUG_KMEMLEAK): N
Statistics for per-vma locks (CONFIG_PER_VMA_LOCK_STATS): N
Debug object operations (CONFIG_DEBUG_OBJECTS): N
Stack utilization instrumentation (CONFIG_DEBUG_STACK_USAGE): N
Detect stack corruption on calls to schedule() (CONFIG_SCHED_STACK_END_CHECK): N
Debug VM (CONFIG_DEBUG_VM): N
Debug arch page table for semantics compliance (CONFIG_DEBUG_VM_PGTABLE): N
Debug VM translations (CONFIG_DEBUG_VIRTUAL): N
Debug memory initialisation (CONFIG_DEBUG_MEMORY_INIT): N
Debug access to per_cpu maps (CONFIG_DEBUG_PER_CPU_MAPS): N
Enforce kmap_local temporary mappings (CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP): N
KASAN: dynamic memory safety error detector (CONFIG_KASAN): N
KFENCE: low-overhead sampling based memory safety error detector (CONFIG_KFENCE): N
KMSAN: detector of unitialized values use (CONFIG_KMSAN): N

Debug shared IRQ handlers (CONFIG_DEBUG_SHIRQ): N
Debug Oops, Lockups and Hangs

Panic on Oops (CONFIG_PANIC_ON_OOPS): Y, SEC
panic timeout (CONFIG_PANIC_TIMEOUT): -1, SEC
Detect Soft Lockups (CONFIG_SOFTLOCKUP_DETECTOR): N
Detect Hard Lockups (CONFIG_HARDLOCKUP_DETECTOR): N
Detect Hung Tasks (CONFIG_DETECT_HUNG_TASKS): N
Detect Workqueue Stalls (CONFIG_WQ_WATCHDOG): N
Report per-cpu work items which hog CPU for too long (CONFIG_WQ_CPU_INTENSIVE_REPORT): N

Enable extra timekeeping sanity checking (CONFIG_DEBUG_TIMEKEEPING): N
Debug preemptible kernel (CONFIG_DEBUG_PREEMPT): N
Lock Debugging (spinlocks, mutexes, etc...)

None

Debugging for CPUs failing to respond to backtrace requests (CONFIG_NMI_CHECK_CPU): N
Debug IRQ flag manipulation (CONFIG_DEBUG_IRQFLAGS): N
Stack backtrace support (CONFIG_STACKTRACE): Y, SEC
Warn for all uses of unseeded randomness (CONFIG_WARN_ALL_UNSEEDED_RANDOM): N
kobject debugging (CONFIG_DEBUG_KOBJECT): N
Debug kernel data structures

Debug linked list manipulation (CONFIG_DEBUG_LIST): Y, SEC
Debug priority linked list manipulation (CONFIG_DEBUG_PLIST): Y, SEC
Debug SG table operations (CONFIG_DEBUG_SG): N
Debug notifier call chains (CONFIG_DEBUG_NOTIFIERS): Y, SEC
Debug maple trees (CONFIG_DEBUG_MAPLE_TREE): N

RCU Debugging

None

Force round-robin CPU selection for unbound work items (CONFIG_DEBUG_WQ_FORCE_RR_CPU): N
Enable CPU hotplug state control (CONFIG_CPU_HOTPLUG_STATE_CONTROL): N
Latency measuring infrastructure (CONFIG_LATENCYTOP): N
Traces (CONFIG_FTRACE): N
Remote debugging over FireWire early on boot (CONFIG_PROVIDE_OHCI1394_DMA_INIT): N
Sample kernel code (CONFIG_SAMPLES): N
x86 Debugging

Enable verbose x86 bootup info message (CONFIG_X86_VERBOSE_BOOTUP): Y
Early printk (CONFIG_EARLY_PRINTK): N
Dump the EFI pagetable (CONFIG_EFI_PGT_DUMP): N
Set upper limit of TLB entries to flush one-by-one (CONFIG_DEBUG_TLBFLUSH): N
x86 instruction decoder selftest (CONFIG_X86_DECODER_SELFTEST): N
IO delay type: port 0x80 based port-IO delay (CONFIG_IO_DELAY_0X80)
CPA self-test code (CONFIG_CPA_DEBUG): N
Debug low-level entry code (CONFIG_DEBUG_ENTRY): N
NMI Selftest (CONFIG_DEBUG_NMI_SELFTEST): N
Debug the x86 FPU code (CONFIG_X86_DEBUG_FPU): N
ATOM Punit debug driver (CONFIG_PUNIT_ATOM_DEBUG): N
Choose kernel unwinder: ORC unwinder (CONFIG_UNWINDER_ORC)