#
# FIRECRACKER -- kernel configuration file for Firecracker VM
#
# This is largely a stripped-down version of the GENERIC kernel configuration
# file, without drivers for hardware which will never appear inside the
# Firecracker VM environment. It adds support for the Virtio MMIO bus,
# which Firecracker uses for exposing devices, and legacy mptable, which
# Firecracker uses for exposing information about CPUs (since it doesn't
# support ACPI).
#
# Since Firecracker loads the kernel directly via the PVH boot protocol,
# it bypasses the boot loader; some environment variables are hard-coded
# here which would normally be provided via device hints or loader.conf.
#
# For more information about the Firecracker VM, see:
#
#    https://firecracker-microvm.github.io/

cpu		HAMMER
ident		FIRECRACKER

makeoptions	DEBUG=-g		# Build kernel with gdb(1) debug symbols
makeoptions	WITH_CTF=1		# Run ctfconvert(1) for DTrace support

options 	SCHED_ULE		# ULE scheduler
options 	NUMA			# Non-Uniform Memory Architecture support
options 	PREEMPTION		# Enable kernel thread preemption
options 	VIMAGE			# Subsystem virtualization, e.g. VNET
options 	INET			# InterNETworking
options 	INET6			# IPv6 communications protocols
options 	IPSEC_SUPPORT		# Allow kldload of ipsec and tcpmd5
options 	ROUTE_MPATH		# Multipath routing support
options 	FIB_ALGO		# Modular fib lookups
options 	TCP_OFFLOAD		# TCP offload
options 	TCP_BLACKBOX		# Enhanced TCP event logging
options 	TCP_HHOOK		# hhook(9) framework for TCP
options 	TCP_RFC7413		# TCP Fast Open
options 	SCTP_SUPPORT		# Allow kldload of SCTP
options 	KERN_TLS		# TLS transmit & receive offload
options 	FFS			# Berkeley Fast Filesystem
options 	SOFTUPDATES		# Enable FFS soft updates support
options 	UFS_ACL			# Support for access control lists
options 	UFS_DIRHASH		# Improve performance on big directories
options 	UFS_GJOURNAL		# Enable gjournal-based UFS journaling
options 	QUOTA			# Enable disk quotas for UFS
options 	MD_ROOT			# MD is a potential root device
options 	NFSCL			# Network Filesystem Client
options 	NFSD			# Network Filesystem Server
options 	NFSLOCKD		# Network Lock Manager
options 	NFS_ROOT		# NFS usable as /, requires NFSCL
options 	MSDOSFS			# MSDOS Filesystem
options 	CD9660			# ISO 9660 Filesystem
options 	PROCFS			# Process filesystem (requires PSEUDOFS)
options 	PSEUDOFS		# Pseudo-filesystem framework
options 	TMPFS			# Efficient memory filesystem
options 	GEOM_RAID		# Soft RAID functionality.
options 	GEOM_LABEL		# Provides labelization
options 	EFIRT			# EFI Runtime Services support

# Legacy ABI compatibility shims, kept from GENERIC; an image that only
# runs current-ABI 64-bit binaries can drop the ones it does not need.
options 	COMPAT_FREEBSD32	# Compatible with i386 binaries
options 	COMPAT_FREEBSD4		# Compatible with FreeBSD4
options 	COMPAT_FREEBSD5		# Compatible with FreeBSD5
options 	COMPAT_FREEBSD6		# Compatible with FreeBSD6
options 	COMPAT_FREEBSD7		# Compatible with FreeBSD7
options 	COMPAT_FREEBSD9		# Compatible with FreeBSD9
options 	COMPAT_FREEBSD10	# Compatible with FreeBSD10
options 	COMPAT_FREEBSD11	# Compatible with FreeBSD11
options 	COMPAT_FREEBSD12	# Compatible with FreeBSD12
options 	COMPAT_FREEBSD13	# Compatible with FreeBSD13

options 	SCSI_DELAY=5000		# Delay (in ms) before probing SCSI
options 	KTRACE			# ktrace(1) support
options 	STACK			# stack(9) support
options 	SYSVSHM			# SYSV-style shared memory
options 	SYSVMSG			# SYSV-style message queues
options 	SYSVSEM			# SYSV-style semaphores
options 	_KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options 	PRINTF_BUFR_SIZE=128	# Prevent printf output being interspersed.
options 	KBD_INSTALL_CDEV	# install a CDEV entry in /dev
options 	HWPMC_HOOKS		# Necessary kernel hooks for hwpmc(4)
options 	AUDIT			# Security event auditing
options 	CAPABILITY_MODE		# Capsicum capability mode
options 	CAPABILITIES		# Capsicum capabilities
options 	MAC			# TrustedBSD MAC Framework
options 	KDTRACE_FRAME		# Ensure frames are compiled in
options 	KDTRACE_HOOKS		# Kernel DTrace hooks
options 	DDB_CTF			# Kernel ELF linker loads CTF data
# The embedded copy includes the envvar lines below; it can be read back
# from the built kernel with config(8) -x.
options 	INCLUDE_CONFIG_FILE     # Include this file in kernel
options 	RACCT			# Resource accounting framework
options 	RACCT_DEFAULT_TO_DISABLED # Set kern.racct.enable=0 by default
options 	RCTL			# Resource limits

# Debugging support.  Always need this:
options 	KDB			# Enable kernel debugger support.
options 	KDB_TRACE		# Print a stack trace for a panic.
# For full debugger support use (turn off in stable branch):
# NOTE: everything from BUF_TRACKING down to VERBOSE_SYSINIT is a debug aid
# inherited from GENERIC (extra sanity checks, lock-order checking, an
# in-kernel debugger); keep them for development images and drop them for
# production builds, as the line above says.
options 	BUF_TRACKING		# Track buffer history
options 	DDB			# Support DDB.
options 	FULL_BUF_TRACKING	# Track more buffer history
options 	GDB			# Support remote GDB.
options 	DEADLKRES		# Enable the deadlock resolver
options 	INVARIANTS		# Enable calls of extra sanity checking
options 	INVARIANT_SUPPORT	# Extra sanity checks of internal structures, required by INVARIANTS
options 	QUEUE_MACRO_DEBUG_TRASH	# Trash queue(2) internal pointers on invalidation
options 	WITNESS			# Enable checks to detect deadlocks and cycles
options 	WITNESS_SKIPSPIN	# Don't run witness on spinlocks for speed
options 	MALLOC_DEBUG_MAXZONES=8	# Separate malloc(9) zones
options 	VERBOSE_SYSINIT=0	# Support debug.verbose_sysinit, off by default

# Kernel dump features.
options 	EKCD			# Support for encrypted kernel dumps
options 	GZIO			# gzip-compressed kernel and user dumps
options 	ZSTDIO			# zstd-compressed kernel and user dumps
options 	DEBUGNET		# debugnet networking
options 	NETDUMP			# netdump(4) client support
options 	NETGDB			# netgdb(4) client support

# Make an SMP-capable kernel by default
options 	SMP			# Symmetric MultiProcessor Kernel

# Pseudo devices.
device		crypto			# core crypto support
device		aesni			# AES-NI OpenCrypto module
device		loop			# Network loopback
device		rdrand_rng		# Intel Bull Mountain RNG
device		ether			# Ethernet support
device		vlan			# 802.1Q VLAN support
device		tuntap			# Packet tunnel.
device		md			# Memory "disks"
device		gif			# IPv6 and IPv4 tunneling
device		firmware		# firmware assist module
device		xz			# lzma decompression
device		bpf			# Berkeley packet filter

# Serial (COM) ports
device		uart			# Generic UART driver

# VirtIO support
device		virtio			# Generic VirtIO bus (required)
device		virtio_mmio		# VirtIO MMIO bus
device		vtnet			# VirtIO Ethernet device
device		virtio_blk		# VirtIO Block device

# Linux KVM paravirtualization support
device		kvm_clock		# KVM paravirtual clock driver

# Netmap provides direct access to TX/RX rings on supported NICs
device		netmap			# netmap(4) support

# Firecracker exposes information via the legacy MP Table mechanism
# rather than via ACPI (which it does not implement).
device		mptable

# Firecracker launches the FreeBSD kernel directly, via the PVH boot
# protocol, rather than via the boot loader; as such, we need to bake
# device hints into the kernel configuration rather than relying on
# device.hints being loaded, and likewise have no loader.conf to place
# other settings into.
#
# Serial console: uart0 at the legacy ISA COM1 port/IRQ; flags 0x10 marks
# it as the system console (see uart(4)).
envvar		hint.uart.0.at="isa"
envvar		hint.uart.0.port="0x3F8"
envvar		hint.uart.0.flags="0x10"
envvar		hint.uart.0.irq="0x4"
# 'device acpi' is still compiled in below (the build needs it); this
# hint is what keeps the acpi driver from attaching at runtime.
envvar		hint.acpi.0.disabled="1"

# Inside a VM, "power off" doesn't really yank the AC power, so there's
# no need to worry about disks flushing caches before losing power.
envvar		kern.shutdown.poweroff_delay="0"

# Firecracker seems to have a bug in its UART emulation.  This works
# around the problem.
envvar		hw.broken_txfifo="1"

# We don't have an early timecounter to calibrate the TSC against, so
# skip that; later in the boot process we have other timecounters.
envvar		machdep.disable_tsc_calibration="1"

# Provide bug-for-bug compatibility with Linux in MP Table searching
# and parsing.  Firecracker relies on these bugs.
options 	MPTABLE_LINUX_BUG_COMPAT

# Disable the automatic registration of a PCI bridge; we do in fact
# not have one.
options 	NO_LEGACY_PCIB

# Bus support.
# Note that Firecracker provides neither ACPI nor PCI; but removing these
# devices currently (2022-07-09) prevents the kernel from building.
# (acpi is kept from attaching by the hint.acpi.0.disabled envvar above,
# and the legacy PCI bridge by NO_LEGACY_PCIB.)
device		acpi
device		pci

# Xen HVM Guest Optimizations
# NOTE: XENHVM depends on xenpci and xentimer.
# They must be added or removed together.
# NOTE: These are present in FIRECRACKER because the PVH boot method
# originates from Xen; once that code is untangled these can be removed.
options 	XENHVM			# Xen HVM kernel infrastructure
device		xenpci			# Xen HVM Hypervisor services driver
device		xentimer		# Xen x86 PV timer device