# # FIRECRACKER -- kernel configuration file for Firecracker VM # # This is largely a stripped-down version of the GENERIC kernel configuration # file, without drivers for hardware which will never appear inside the # Firecracker VM environment. It adds support for the Virtio MMIO bus, # which Firecracker uses for exposing devices, and legacy mptable, which # Firecracker uses for exposing information about CPUs (since it doesn't # support ACPI). # # Since Firecracker loads the kernel directly via the PVH boot protocol, # it bypasses the boot loader; some environment variables are hard-coded # here which would normally be provided via device hints or loader.conf. # # For more information about the Firecracker VM, see: # # https://firecracker-microvm.github.io/ cpu HAMMER ident FIRECRACKER makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols makeoptions WITH_CTF=1 # Run ctfconvert(1) for DTrace support options SCHED_ULE # ULE scheduler options NUMA # Non-Uniform Memory Architecture support options PREEMPTION # Enable kernel thread preemption options VIMAGE # Subsystem virtualization, e.g. VNET options INET # InterNETworking options INET6 # IPv6 communications protocols options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5 options ROUTE_MPATH # Multipath routing support options FIB_ALGO # Modular fib lookups options TCP_OFFLOAD # TCP offload options TCP_BLACKBOX # Enhanced TCP event logging options TCP_HHOOK # hhook(9) framework for TCP options TCP_RFC7413 # TCP Fast Open options SCTP_SUPPORT # Allow kldload of SCTP options KERN_TLS # TLS transmit & receive offload options FFS # Berkeley Fast Filesystem options SOFTUPDATES # Enable FFS soft updates support options UFS_ACL # Support for access control lists options UFS_DIRHASH # Improve performance on big directories options UFS_GJOURNAL # Enable gjournal-based UFS journaling options QUOTA # Enable disk quotas for UFS options MD_ROOT # MD is a potential root device options NFSCL # Network Filesystem Client options NFSD # Network Filesystem Server options NFSLOCKD # Network Lock Manager options NFS_ROOT # NFS usable as /, requires NFSCL options MSDOSFS # MSDOS Filesystem options CD9660 # ISO 9660 Filesystem options PROCFS # Process filesystem (requires PSEUDOFS) options PSEUDOFS # Pseudo-filesystem framework options TMPFS # Efficient memory filesystem options GEOM_RAID # Soft RAID functionality. options GEOM_LABEL # Provides labelization options EFIRT # EFI Runtime Services support options COMPAT_FREEBSD32 # Compatible with i386 binaries options COMPAT_FREEBSD4 # Compatible with FreeBSD4 options COMPAT_FREEBSD5 # Compatible with FreeBSD5 options COMPAT_FREEBSD6 # Compatible with FreeBSD6 options COMPAT_FREEBSD7 # Compatible with FreeBSD7 options COMPAT_FREEBSD9 # Compatible with FreeBSD9 options COMPAT_FREEBSD10 # Compatible with FreeBSD10 options COMPAT_FREEBSD11 # Compatible with FreeBSD11 options COMPAT_FREEBSD12 # Compatible with FreeBSD12 options COMPAT_FREEBSD13 # Compatible with FreeBSD13 options COMPAT_FREEBSD14 # Compatible with FreeBSD14 options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI options KTRACE # ktrace(1) support options STACK # stack(9) support options SYSVSHM # SYSV-style shared memory options SYSVMSG # SYSV-style message queues options SYSVSEM # SYSV-style semaphores options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions options PRINTF_BUFR_SIZE=128 # Prevent printf output being interspersed. options KBD_INSTALL_CDEV # install a CDEV entry in /dev options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4) options AUDIT # Security event auditing options CAPABILITY_MODE # Capsicum capability mode options CAPABILITIES # Capsicum capabilities options MAC # TrustedBSD MAC Framework options KDTRACE_FRAME # Ensure frames are compiled in options KDTRACE_HOOKS # Kernel DTrace hooks options DDB_CTF # Kernel ELF linker loads CTF data options INCLUDE_CONFIG_FILE # Include this file in kernel options RACCT # Resource accounting framework options RACCT_DEFAULT_TO_DISABLED # Set kern.racct.enable=0 by default options RCTL # Resource limits # Debugging support. Always need this: options KDB # Enable kernel debugger support. options KDB_TRACE # Print a stack trace for a panic. # For full debugger support use (turn off in stable branch): options BUF_TRACKING # Track buffer history options DDB # Support DDB. options FULL_BUF_TRACKING # Track more buffer history options GDB # Support remote GDB. options DEADLKRES # Enable the deadlock resolver options INVARIANTS # Enable calls of extra sanity checking options INVARIANT_SUPPORT # Extra sanity checks of internal structures, required by INVARIANTS options QUEUE_MACRO_DEBUG_TRASH # Trash queue(2) internal pointers on invalidation options WITNESS # Enable checks to detect deadlocks and cycles options WITNESS_SKIPSPIN # Don't run witness on spinlocks for speed options MALLOC_DEBUG_MAXZONES=8 # Separate malloc(9) zones options VERBOSE_SYSINIT=0 # Support debug.verbose_sysinit, off by default # Kernel dump features. options EKCD # Support for encrypted kernel dumps options GZIO # gzip-compressed kernel and user dumps options ZSTDIO # zstd-compressed kernel and user dumps options DEBUGNET # debugnet networking options NETDUMP # netdump(4) client support options NETGDB # netgdb(4) client support # Make an SMP-capable kernel by default options SMP # Symmetric MultiProcessor Kernel # Pseudo devices. device crypto # core crypto support device aesni # AES-NI OpenCrypto module device loop # Network loopback device rdrand_rng # Intel Bull Mountain RNG device ether # Ethernet support device vlan # 802.1Q VLAN support device tuntap # Packet tunnel. device md # Memory "disks" device gif # IPv6 and IPv4 tunneling device firmware # firmware assist module device xz # lzma decompression device bpf # Berkeley packet filter # Serial (COM) ports device uart # Generic UART driver # VirtIO support device virtio # Generic VirtIO bus (required) device virtio_mmio # VirtIO MMIO bus device vtnet # VirtIO Ethernet device device virtio_blk # VirtIO Block device # Linux KVM paravirtualization support device kvm_clock # KVM paravirtual clock driver # Netmap provides direct access to TX/RX rings on supported NICs device netmap # netmap(4) support # Firecracker exposes information via the legacy MP Table mechanism # rather than via ACPI (which it does not implement). device mptable # Firecracker launches the FreeBSD kernel directly, via the PVH boot # protocol, rather than via the boot loader; as such, we need to bake # device hints into the kernel configuration rather than relying on # device.hints being loaded, and likewise have no loader.conf to place # other settings into. envvar hint.uart.0.at="isa" envvar hint.uart.0.port="0x3F8" envvar hint.uart.0.flags="0x10" envvar hint.uart.0.irq="0x4" envvar hint.acpi.0.disabled="1" # Inside a VM, "power off" doesn't really yank the AC power, so there's # no need to worry about disks flushing caches before losing power. envvar kern.shutdown.poweroff_delay="0" # Firecracker seems to have a bug in its UART emulation. This works # around the problem. envvar hw.broken_txfifo="1" # We don't have an early timecounter to calibrate the TSC against, so # skip that; later in the boot process we have other timecounters. envvar machdep.disable_tsc_calibration="1" # Provide bug-for-bug compatibility with Linux in MP Table searching # and parsing. Firecracker relies on these bugs. options MPTABLE_LINUX_BUG_COMPAT # Disable the automatic registration of a PCI bridge; we do in fact # not have one. options NO_LEGACY_PCIB # Bus support. # Note that Firecracker provides neither ACPI nor PCI; but removing these # devices currently (2022-07-09) prevents the kernel from building. device acpi device pci # Xen HVM Guest Optimizations # NOTE: XENHVM depends on xenpci and xentimer. # They must be added or removed together. # NOTE: These are present in FIRECRACKER because the PVH boot method # originates from Xen; once that code is untangled these can be removed. options XENHVM # Xen HVM kernel infrastructure device xenpci # Xen HVM Hypervisor services driver device xentimer # Xen x86 PV timer device