config-bcm27xx.cfg

##################################################
# FedBerry BCM270x specific kernel config options
##################################################

#Unset local version
CONFIG_LOCALVERSION=""

#Add / edit our own default kernel boot time options
CONFIG_CMDLINE="dwc_otg.lpm_enable=0 console=ttyAMA0,115200 kgdboc=ttyAMA0,115200 console=tty1 root=/dev/mmcblk0p2 ro rootfstype=ext4 rootwait nortc"

#Use ondemand govenor by default
CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE=n
CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y

#Enable some SECCOMP filter options (need to disable OABI first)
CONFIG_OABI_COMPAT=n

#We want to use our own logo
CONFIG_LOGO_LINUX_CLUT224=n

#IPV6 should be built in (saves some selinux hassels)
CONFIG_IPV6=y
CONFIG_CRC_CCITT=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_IP_NF_IPTABLES=y

#Enable SELinux
CONFIG_PERSISTENT_KEYRINGS=y
CONFIG_BIG_KEYS=y
CONFIG_ENCRYPTED_KEYS=m
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_PATH=n
CONFIG_LSM_MMAP_MIN_ADDR=65536
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
CONFIG_SECURITY_SMACK=n
CONFIG_SECURITY_TOMOYO=n
CONFIG_SECURITY_APPARMOR=n
CONFIG_SECURITY_LOADPIN=n
CONFIG_SECURITY_YAMA=y
CONFIG_SECURITY_YAMA_STACKED=y
CONFIG_SECURITY_SAFESETID=n
CONFIG_INTEGRITY=n
CONFIG_DEFAULT_SECURITY_SELINUX=y
CONFIG_DEFAULT_SECURITY_YAMA=n
CONFIG_DEFAULT_SECURITY_DAC=n
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
CONFIG_NETLABEL=y
CONFIG_NETWORK_SECMARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_IP_NF_SECURITY=m
CONFIG_IP6_NF_SECURITY=m
CONFIG_F2FS_FS_SECURITY=y
CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"

#Enable Zswap support
CONFIG_ZSWAP=y
CONFIG_ZPOOL=y
CONFIG_ZBUD=y
CONFIG_Z3FOLD=y
CONFIG_SQUASHFS_LZ4=y
CONFIG_CRYPTO_LZ4=y
CONFIG_CRYPTO_LZ4HC=y

#Enable BPF/cgroup based firewalling
CONFIG_CGROUP_BPF=y
CONFIG_BPF=y
CONFIG_BPF_LSM=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_IPV6_SEG6_BPF=y
CONFIG_NETFILTER_XT_MATCH_BPF=m
CONFIG_NET_CLS_BPF=m
CONFIG_NET_ACT_BPF=m
CONFIG_BPF_JIT=y
CONFIG_BPF_STREAM_PARSER=y
CONFIG_LWTUNNEL_BPF=y

#initial-setup (ananconda/blivet workaround)
CONFIG_EFI_VARS=y
CONFIG_EFI_BOOTLOADER_CONTROL=n

# Required to boot Fedora IoT edition
CONFIG_EFI_ARMSTUB_DTB_LOADER=y
CONFIG_EFI=y

# Don't want dwc2 built-in for bcmrpi3_defconfig (aarch64)
CONFIG_USB_DWC2=m
CONFIG_USB_DWC2_HOST=n
CONFIG_USB_DWC2_PERIPHERAL=n
CONFIG_USB_DWC2_DUAL_ROLE=y

# Enable btrfs support
CONFIG_BTRFS_FS=y

# Enable for Fedora 34 user-space
CONFIG_FW_LOADER_COMPRESS=y

CONFIG_CMA_DEBUGFS=y

# Add Ceph RBD and FS support

CONFIG_BLK_DEV_RBD=m
CONFIG_CEPH_LIB=m
CONFIG_CEPH_LIB_PRETTYDEBUG=n
CONFIG_CEPH_LIB_USE_DNS_RESOLVER=n
CONFIG_CEPH_FS=m
CONFIG_CEPH_FSCACHE=y
CONFIG_CEPH_FS_POSIX_ACL=y
CONFIG_CEPH_FS_SECURITY_LABEL=ny

CONFIG_SUSPEND=y
CONFIG_SUSPEND_FREEZER=y

CONFIG_CGROUP_MISC=y

CONFIG_CHECKPOINT_RESTORE=y

# Enable Pressure Stall Information
CONFIG_PSI=y

CONFIG_BLK_DEV_RAM=m

# Once bcm2711_defconfig enabled xz compression
# we have to disable it here as modules gets
# compressed by the .spec file logic anyway.
CONFIG_MODULE_COMPRESS_XZ=n

# Enable bpf
CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
CONFIG_BPF_PRELOAD=y
CONFIG_BPF_PRELOAD_UMD=m
CONFIG_TEST_BPF=m