rvf_kernel/

config.rs

//! Real Linux kernel configuration for microVM boot.
//!
//! This module provides a minimal, valid Linux kernel `.config` suitable for
//! building a microVM kernel (Firecracker / QEMU microvm). The config enables
//! only what is needed: VirtIO drivers, networking, BPF, security hardening,
//! and a minimal filesystem. Everything else (sound, USB, DRM, wireless,
//! loadable modules) is disabled to keep the image small.

/// Minimal Linux kernel configuration for RVF microVM boot.
///
/// This is a valid Linux kernel `.config` file content. Key design decisions:
/// - No loadable modules (CONFIG_MODULES is not set) for security
/// - VirtIO PCI/block/net/vsock for Firecracker/QEMU compatibility
/// - BPF + JIT for eBPF programs embedded in RVF
/// - Security hardening (KASLR, stack protector, lockdown LSM)
/// - PREEMPT_NONE + NO_HZ_FULL for low-latency microVM
/// - Minimal filesystem support (ext4 + tmpfs + proc/sys/devtmpfs)
/// - No sound, USB, DRM, wireless, or other desktop hardware
pub const MICROVM_KERNEL_CONFIG: &str = r#"#
# RVF MicroVM Kernel Configuration
# Target: Linux 6.8.x for Firecracker / QEMU microvm
# Generated by rvf-kernel for RuVector Format computational containers
#

#
# General setup
#
CONFIG_LOCALVERSION="-rvf"
CONFIG_DEFAULT_HOSTNAME="rvf"
CONFIG_SWAP=y
CONFIG_SYSVIPC=y
CONFIG_POSIX_MQUEUE=y
CONFIG_AUDIT=y
CONFIG_NO_HZ_FULL=y
CONFIG_HIGH_RES_TIMERS=y
CONFIG_PREEMPT_NONE=y
CONFIG_TICK_CPU_ACCOUNTING=y
CONFIG_IKCONFIG=y
CONFIG_IKCONFIG_PROC=y
CONFIG_LOG_BUF_SHIFT=14
CONFIG_CGROUPS=y
CONFIG_CGROUP_SCHED=y
CONFIG_CGROUP_PIDS=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_MEMCG=y
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_USER_NS=y
# CONFIG_MODULES is not set
CONFIG_CC_OPTIMIZE_FOR_SIZE=y
CONFIG_EXPERT=y
CONFIG_MULTIUSER=y
CONFIG_SYSFS_SYSCALL=y
CONFIG_FHANDLE=y
CONFIG_POSIX_TIMERS=y
CONFIG_PRINTK=y
CONFIG_BUG=y
CONFIG_ELF_CORE=y
CONFIG_BASE_FULL=y
CONFIG_FUTEX=y
CONFIG_EPOLL=y
CONFIG_SIGNALFD=y
CONFIG_TIMERFD=y
CONFIG_EVENTFD=y
CONFIG_AIO=y
CONFIG_IO_URING=y
CONFIG_ADVISE_SYSCALLS=y
CONFIG_KALLSYMS=y
CONFIG_EMBEDDED=y

#
# Processor type and features
#
CONFIG_64BIT=y
CONFIG_SMP=y
CONFIG_NR_CPUS=64
CONFIG_SCHED_SMT=y
CONFIG_X86_X2APIC=y
CONFIG_X86_LOCAL_APIC=y
CONFIG_X86_IO_APIC=y
CONFIG_X86_TSC=y
CONFIG_MICROCODE=y
CONFIG_X86_MSR=y
CONFIG_X86_CPUID=y
CONFIG_PARAVIRT=y
CONFIG_PARAVIRT_SPINLOCKS=y
CONFIG_KVM_GUEST=y
CONFIG_HYPERVISOR_GUEST=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_X86_DIRECT_GBPAGES=y
CONFIG_NUMA=y
CONFIG_MTRR=y
CONFIG_X86_PAT=y

#
# Memory management
#
CONFIG_SPARSEMEM_VMEMMAP=y
CONFIG_MEMORY_HOTPLUG=y
CONFIG_TRANSPARENT_HUGEPAGE=y
CONFIG_COMPACTION=y
CONFIG_KSM=y

#
# Networking
#
CONFIG_NET=y
CONFIG_PACKET=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_PNP=y
CONFIG_IP_PNP_DHCP=y
CONFIG_TCP_CONG_CUBIC=y
CONFIG_TCP_CONG_BBR=y
CONFIG_DEFAULT_BBR=y
CONFIG_IPV6=y
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=y
CONFIG_NF_TABLES=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_MANGLE=y
CONFIG_VSOCKETS=y
CONFIG_VIRTIO_VSOCKETS=y
CONFIG_BRIDGE=y
CONFIG_VLAN_8021Q=y

#
# Device drivers — VirtIO (Firecracker/QEMU)
#
CONFIG_VIRTIO_PCI=y
CONFIG_VIRTIO_BLK=y
CONFIG_VIRTIO_NET=y
CONFIG_VIRTIO_BALLOON=y
CONFIG_VIRTIO_CONSOLE=y
CONFIG_VIRTIO_MMIO=y
CONFIG_VIRTIO_INPUT=y
CONFIG_HW_RANDOM_VIRTIO=y

#
# Block devices
#
CONFIG_BLK_DEV=y
CONFIG_BLK_DEV_LOOP=y
CONFIG_BLK_DEV_RAM=y
CONFIG_BLK_DEV_RAM_SIZE=65536

#
# SCSI (for virtio-scsi)
#
CONFIG_SCSI=y
CONFIG_BLK_DEV_SD=y
CONFIG_SCSI_VIRTIO=y

#
# Serial / console
#
CONFIG_SERIAL_8250=y
CONFIG_SERIAL_8250_CONSOLE=y
CONFIG_HW_RANDOM=y
CONFIG_TTY=y
CONFIG_VT=y
CONFIG_VT_CONSOLE=y

#
# Filesystems
#
CONFIG_EXT4_FS=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_TMPFS=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_PROC_FS=y
CONFIG_PROC_SYSCTL=y
CONFIG_SYSFS=y
CONFIG_DEVTMPFS=y
CONFIG_DEVTMPFS_MOUNT=y
# CONFIG_FUSE_FS is not set
# CONFIG_NFS_FS is not set
# CONFIG_CIFS is not set

#
# BPF subsystem
#
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
CONFIG_CGROUP_BPF=y
CONFIG_BPF_LSM=y
CONFIG_BPF_STREAM_PARSER=y

#
# Security
#
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
CONFIG_SECURITY_YAMA=y
CONFIG_SECURITY_LANDLOCK=y
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_STATIC_USERMODEHELPER=y
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_SECURITY_SELINUX is not set
# CONFIG_SECURITY_APPARMOR is not set

#
# Crypto
#
CONFIG_CRYPTO=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_GCM=y
CONFIG_CRYPTO_CHACHA20POLY1305=y
CONFIG_CRYPTO_ECDH=y
CONFIG_CRYPTO_CURVE25519=y

#
# Disabled subsystems (keep image small)
#
# CONFIG_SOUND is not set
# CONFIG_USB_SUPPORT is not set
# CONFIG_DRM is not set
# CONFIG_WIRELESS is not set
# CONFIG_WLAN is not set
# CONFIG_BLUETOOTH is not set
# CONFIG_INPUT_JOYSTICK is not set
# CONFIG_INPUT_TABLET is not set
# CONFIG_INPUT_TOUCHSCREEN is not set
# CONFIG_MEDIA_SUPPORT is not set
# CONFIG_AGP is not set
# CONFIG_PCMCIA is not set
# CONFIG_INFINIBAND is not set
# CONFIG_ISDN is not set
# CONFIG_PARPORT is not set
# CONFIG_PHONE is not set
# CONFIG_ACCESSIBILITY is not set
# CONFIG_FIRMWARE_EDID is not set
# CONFIG_LOGO is not set
# CONFIG_FB is not set
# CONFIG_BACKLIGHT_CLASS_DEVICE is not set

#
# Debugging (minimal for production)
#
CONFIG_PRINTK_TIME=y
CONFIG_MAGIC_SYSRQ=y
CONFIG_DEBUG_KERNEL=y
# CONFIG_DEBUG_INFO_DWARF5 is not set
# CONFIG_KPROBES is not set
# CONFIG_FTRACE is not set
"#;

/// Required config options that MUST be present for a valid RVF microVM kernel.
///
/// These are checked by `validate_config()` to ensure the config wasn't
/// accidentally stripped of critical options.
pub const REQUIRED_OPTIONS: &[&str] = &[
    "CONFIG_64BIT=y",
    "CONFIG_SMP=y",
    "CONFIG_VIRTIO_PCI=y",
    "CONFIG_VIRTIO_BLK=y",
    "CONFIG_VIRTIO_NET=y",
    "CONFIG_BPF=y",
    "CONFIG_BPF_JIT=y",
    "CONFIG_BPF_SYSCALL=y",
    "CONFIG_VSOCKETS=y",
    "CONFIG_VIRTIO_VSOCKETS=y",
    "CONFIG_EXT4_FS=y",
    "CONFIG_SECURITY_LOCKDOWN_LSM=y",
    "CONFIG_STACKPROTECTOR_STRONG=y",
    "CONFIG_RANDOMIZE_BASE=y",
    "CONFIG_PREEMPT_NONE=y",
    "CONFIG_NO_HZ_FULL=y",
    "# CONFIG_MODULES is not set",
    "# CONFIG_SOUND is not set",
    "# CONFIG_USB_SUPPORT is not set",
    "# CONFIG_DRM is not set",
    "# CONFIG_WIRELESS is not set",
];

/// Validate that a kernel config string contains all required options.
///
/// Returns `Ok(())` if all required options are present, or `Err` with
/// a list of missing options.
pub fn validate_config(config: &str) -> Result<(), Vec<&'static str>> {
    let missing: Vec<&str> = REQUIRED_OPTIONS
        .iter()
        .filter(|&&opt| !config.lines().any(|line| line.trim() == opt))
        .copied()
        .collect();

    if missing.is_empty() {
        Ok(())
    } else {
        Err(missing)
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn microvm_config_has_all_required_options() {
        let result = validate_config(MICROVM_KERNEL_CONFIG);
        assert!(
            result.is_ok(),
            "missing required options: {:?}",
            result.unwrap_err()
        );
    }

    #[test]
    fn config_disables_modules() {
        assert!(MICROVM_KERNEL_CONFIG.contains("# CONFIG_MODULES is not set"));
    }

    #[test]
    fn config_enables_virtio() {
        assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_VIRTIO_PCI=y"));
        assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_VIRTIO_BLK=y"));
        assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_VIRTIO_NET=y"));
        assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_VIRTIO_VSOCKETS=y"));
    }

    #[test]
    fn config_enables_bpf() {
        assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_BPF=y"));
        assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_BPF_JIT=y"));
        assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_BPF_SYSCALL=y"));
        assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_BPF_JIT_ALWAYS_ON=y"));
    }

    #[test]
    fn config_enables_security_hardening() {
        assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_SECURITY_LOCKDOWN_LSM=y"));
        assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_STACKPROTECTOR_STRONG=y"));
        assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_RANDOMIZE_BASE=y"));
        assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_SECCOMP=y"));
        assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_SECCOMP_FILTER=y"));
        assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_FORTIFY_SOURCE=y"));
    }

    #[test]
    fn config_disables_desktop_hardware() {
        assert!(MICROVM_KERNEL_CONFIG.contains("# CONFIG_SOUND is not set"));
        assert!(MICROVM_KERNEL_CONFIG.contains("# CONFIG_USB_SUPPORT is not set"));
        assert!(MICROVM_KERNEL_CONFIG.contains("# CONFIG_DRM is not set"));
        assert!(MICROVM_KERNEL_CONFIG.contains("# CONFIG_WIRELESS is not set"));
        assert!(MICROVM_KERNEL_CONFIG.contains("# CONFIG_BLUETOOTH is not set"));
    }

    #[test]
    fn validate_catches_missing_options() {
        let incomplete = "CONFIG_64BIT=y\nCONFIG_SMP=y\n";
        let result = validate_config(incomplete);
        assert!(result.is_err());
        let missing = result.unwrap_err();
        assert!(missing.contains(&"CONFIG_VIRTIO_PCI=y"));
    }

    #[test]
    fn config_sets_localversion() {
        assert!(MICROVM_KERNEL_CONFIG.contains("CONFIG_LOCALVERSION=\"-rvf\""));
    }

    #[test]
    fn config_is_nonzero_length() {
        assert!(MICROVM_KERNEL_CONFIG.len() > 1000);
    }
}