So I've been playing around with kernels in Qubes and successfully run kernel 4.10 in dom0 and any domUs where grsecurity-based kernels create too many issues. My next goal is to try and see if I can get coldkernel running in dom0 alongside the Qubes-specific kernel patches. I had tried a couple of months ago, but my machine kernel panicked and I ran out of time before I had to get back to work on other things so I stopped my trials.
I realized that the grsecurity patches can be configured for either a VM host or a guest, and I had previously only been compiling guest kernels and used that kernel.config to build my dom0 test kernel. I've been trying to avoid having to compile things twice, but if it not being a host kernel was why I was having issues, then maybe there is no choice but to have two separate kernel configs. So if that's the case and I have to compile a separate dom0 kernel with its own configuration anyway, I might as well go all the way. I already customize my kernels for my specific hardware (for example, I strip away all of the AMD CPU specific stuff because I only run Intel hardware, and take out some drivers for hardware that I don't have or will never use, etc), but I'm thinking I can go much further for a dom0 kernel. I'm talking about stripping away things like the TCP/IP stack, netfilter, every single hardware driver outside of disk, graphics, and keyboard/mouse, and maybe a few other things too. The question I had was about Xen since I'm not as familiar with it as I am with building kernels in general: How much does Xen need in dom0 in order to work with the hardware? For example, since sys-net has my wifi drivers, can I remove wifi driver support in the dom0 kernel? Or does Xen need a driver for it in order to pass it along to sys-net? Same kind of question for keyboard/mouse; if I have a sys-usb VM, could I theoretically strip away all USB drivers from the dom0 kernel? I'm thinking I'd at least need USB keyboard in order to input the disk passphrase on boot and could probably ditch everything else, but maybe not? I'll probably start playing around with seeing how far I can cut down the dom0 kernel this weekend, but figured in the meantime I'd ask the list if they have any advice or tips if they've tried something like this in the past. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ocjlbv%24std%241%40blaine.gmane.org. For more options, visit https://groups.google.com/d/optout.
