1#
2# FIRECRACKER -- kernel configuration file for Firecracker VM
3#
4# This is largely a stripped-down version of the GENERIC kernel configuration
5# file, without drivers for hardware which will never appear inside the
6# Firecracker VM environment.  It adds support for the Virtio MMIO bus,
7# which Firecracker uses for exposing devices, and legacy mptable, which
8# Firecracker uses for exposing information about CPUs (since it doesn't
9# support ACPI).
10#
# Since Firecracker loads the kernel directly via the PVH boot protocol,
# it bypasses the boot loader; some kernel environment variables that would
# normally come from device.hints or loader.conf are therefore hard-coded
# here with envvar directives.
14#
15# For more information about the Firecracker VM, see:
16#
17#    https://firecracker-microvm.github.io/
18
19cpu		HAMMER
20ident		FIRECRACKER
21
22makeoptions	DEBUG=-g		# Build kernel with gdb(1) debug symbols
23makeoptions	WITH_CTF=1		# Run ctfconvert(1) for DTrace support
24
25options 	SCHED_ULE		# ULE scheduler
26options 	NUMA			# Non-Uniform Memory Architecture support
27options 	PREEMPTION		# Enable kernel thread preemption
28options 	VIMAGE			# Subsystem virtualization, e.g. VNET
29options 	INET			# InterNETworking
30options 	INET6			# IPv6 communications protocols
31options 	IPSEC_SUPPORT		# Allow kldload of ipsec and tcpmd5
32options 	ROUTE_MPATH		# Multipath routing support
33options 	FIB_ALGO		# Modular fib lookups
34options 	TCP_OFFLOAD		# TCP offload
35options 	TCP_BLACKBOX		# Enhanced TCP event logging
36options 	TCP_HHOOK		# hhook(9) framework for TCP
37options 	TCP_RFC7413		# TCP Fast Open
38options 	SCTP_SUPPORT		# Allow kldload of SCTP
39options 	KERN_TLS		# TLS transmit & receive offload
40options 	FFS			# Berkeley Fast Filesystem
41options 	SOFTUPDATES		# Enable FFS soft updates support
42options 	UFS_ACL			# Support for access control lists
43options 	UFS_DIRHASH		# Improve performance on big directories
44options 	UFS_GJOURNAL		# Enable gjournal-based UFS journaling
45options 	QUOTA			# Enable disk quotas for UFS
46options 	MD_ROOT			# MD is a potential root device
47options 	NFSCL			# Network Filesystem Client
48options 	NFSD			# Network Filesystem Server
49options 	NFSLOCKD		# Network Lock Manager
50options 	NFS_ROOT		# NFS usable as /, requires NFSCL
51options 	MSDOSFS			# MSDOS Filesystem
52options 	CD9660			# ISO 9660 Filesystem
53options 	PROCFS			# Process filesystem (requires PSEUDOFS)
54options 	PSEUDOFS		# Pseudo-filesystem framework
55options 	TMPFS			# Efficient memory filesystem
56options 	GEOM_RAID		# Soft RAID functionality.
57options 	GEOM_LABEL		# Provides labelization
58options 	EFIRT			# EFI Runtime Services support
59options 	COMPAT_FREEBSD32	# Compatible with i386 binaries
60options 	COMPAT_FREEBSD10	# Compatible with FreeBSD10
61options 	COMPAT_FREEBSD11	# Compatible with FreeBSD11
62options 	COMPAT_FREEBSD12	# Compatible with FreeBSD12
63options 	COMPAT_FREEBSD13	# Compatible with FreeBSD13
64options 	COMPAT_FREEBSD14	# Compatible with FreeBSD14
65options 	SCSI_DELAY=5000		# Delay (in ms) before probing SCSI
66options 	KTRACE			# ktrace(1) support
67options 	STACK			# stack(9) support
68options 	SYSVSHM			# SYSV-style shared memory
69options 	SYSVMSG			# SYSV-style message queues
70options 	SYSVSEM			# SYSV-style semaphores
71options 	_KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
72options 	PRINTF_BUFR_SIZE=128	# Prevent printf output being interspersed.
73options 	KBD_INSTALL_CDEV	# install a CDEV entry in /dev
74options 	HWPMC_HOOKS		# Necessary kernel hooks for hwpmc(4)
75options 	AUDIT			# Security event auditing
76options 	CAPABILITY_MODE		# Capsicum capability mode
77options 	CAPABILITIES		# Capsicum capabilities
78options 	MAC			# TrustedBSD MAC Framework
79options 	KDTRACE_FRAME		# Ensure frames are compiled in
80options 	KDTRACE_HOOKS		# Kernel DTrace hooks
81options 	DDB_CTF			# Kernel ELF linker loads CTF data
82options 	INCLUDE_CONFIG_FILE	# Include this file in kernel
83options 	RACCT			# Resource accounting framework
84options 	RACCT_DEFAULT_TO_DISABLED # Set kern.racct.enable=0 by default
85options 	RCTL			# Resource limits
86
87# Debugging support.  Always need this:
88options 	KDB			# Enable kernel debugger support.
89options 	KDB_TRACE		# Print a stack trace for a panic.
# For full debugger support use the options below.  Turn them off in a
# stable branch or a production image: they add run-time overhead, and
# with DDB/GDB compiled in, a panic drops into the in-kernel debugger on
# the console instead of rebooting.
91options 	BUF_TRACKING		# Track buffer history
92options 	DDB			# Support DDB.
93options 	FULL_BUF_TRACKING	# Track more buffer history
94options 	GDB			# Support remote GDB.
95options 	DEADLKRES		# Enable the deadlock resolver
96options 	INVARIANTS		# Enable calls of extra sanity checking
97options 	INVARIANT_SUPPORT	# Extra sanity checks of internal structures, required by INVARIANTS
98options 	QUEUE_MACRO_DEBUG_TRASH	# Trash queue(2) internal pointers on invalidation
99options 	WITNESS			# Enable checks to detect deadlocks and cycles
100options 	WITNESS_SKIPSPIN	# Don't run witness on spinlocks for speed
101options 	MALLOC_DEBUG_MAXZONES=8	# Separate malloc(9) zones
102options 	VERBOSE_SYSINIT=0	# Support debug.verbose_sysinit, off by default
103
104# Kernel dump features.
105options 	EKCD			# Support for encrypted kernel dumps
106options 	GZIO			# gzip-compressed kernel and user dumps
107options 	ZSTDIO			# zstd-compressed kernel and user dumps
108options 	DEBUGNET		# debugnet networking
109options 	NETDUMP			# netdump(4) client support
110options 	NETGDB			# netgdb(4) client support
111
112# Make an SMP-capable kernel by default
113options 	SMP			# Symmetric MultiProcessor Kernel
114
115# Pseudo devices.
116device		crypto			# core crypto support
117device		aesni			# AES-NI OpenCrypto module
118device		loop			# Network loopback
119device		rdrand_rng		# Intel Bull Mountain RNG
120device		ether			# Ethernet support
121device		vlan			# 802.1Q VLAN support
122device		tuntap			# Packet tunnel.
123device		md			# Memory "disks"
124device		gif			# IPv6 and IPv4 tunneling
125device		firmware		# firmware assist module
126device		xz			# lzma decompression
127device		bpf			# Berkeley packet filter
128
129# Serial (COM) ports
130device		uart			# Generic UART driver
131
132# VirtIO support
133device		virtio			# Generic VirtIO bus (required)
134device		virtio_mmio		# VirtIO MMIO bus
135device		vtnet			# VirtIO Ethernet device
136device		virtio_blk		# VirtIO Block device
137
138# Linux KVM paravirtualization support
139device		kvm_clock		# KVM paravirtual clock driver
140
141# Netmap provides direct access to TX/RX rings on supported NICs
142device		netmap			# netmap(4) support
143
144# Firecracker exposes information via the legacy MP Table mechanism
145# rather than via ACPI (which it does not implement).
146device		mptable
147
148# Firecracker launches the FreeBSD kernel directly, via the PVH boot
149# protocol, rather than via the boot loader; as such, we need to bake
150# device hints into the kernel configuration rather than relying on
151# device.hints being loaded, and likewise have no loader.conf to place
152# other settings into.
153envvar	hint.uart.0.at="isa"
154envvar	hint.uart.0.port="0x3F8"
155envvar	hint.uart.0.flags="0x10"
156envvar	hint.uart.0.irq="0x4"
157envvar	hint.acpi.0.disabled="1"
158
# Inside a VM, "power off" does not really cut the power, so there is no
# need to wait for disks to flush their caches before it is lost.
161envvar	kern.shutdown.poweroff_delay="0"
162
# Firecracker's UART emulation appears to mishandle the transmit FIFO;
# setting hw.broken_txfifo makes uart(4) work around the problem.
165envvar	hw.broken_txfifo="1"
166
167# We don't have an early timecounter to calibrate the TSC against, so
168# skip that; later in the boot process we have other timecounters.
169envvar	machdep.disable_tsc_calibration="1"
170
171# Provide bug-for-bug compatibility with Linux in MP Table searching
172# and parsing.  Firecracker relies on these bugs.
173options 	MPTABLE_LINUX_BUG_COMPAT
174
# Disable the automatic registration of a legacy PCI bridge; this VM
# does not have one.
177options 	NO_LEGACY_PCIB
178
# Bus support.
# Firecracker provides neither ACPI nor PCI, but as of 2022-07-09 the kernel
# does not build without these devices, so they stay compiled in; ACPI is
# kept from attaching at run time by the hint.acpi.0.disabled envvar above.
182device		acpi
183device		pci
184
185# Xen HVM Guest Optimizations
186# NOTE: XENHVM depends on xenpci and xentimer.
187# They must be added or removed together.
188# NOTE: These are present in FIRECRACKER because the PVH boot method
189# originates from Xen; once that code is untangled these can be removed.
190options 	XENHVM			# Xen HVM kernel infrastructure
191device		xenpci			# Xen HVM Hypervisor services driver
192device		xentimer		# Xen x86 PV timer device
193
194# EFI devices
195device		efidev			# EFI pseudo-device
196device		efirtc			# EFI RTC
197