Chapter 4. Common kernel-related tasks

Table of Contents

4.1. Obtaining the Debian kernel source
4.2. Building a custom kernel from Debian kernel source
4.3. Building a custom kernel from the "pristine" kernel source
4.4. Out-of-tree kernel modules
4.4.1. Building modules with DKMS
4.4.2. Building modules with module-assistant
4.4.3. Building unpackaged modules
4.4.4. Out-of-tree modules and Secure Boot
4.5. Rebuilding official Debian kernel packages
4.5.1. Preparation
4.5.2. Simple patching and building
4.5.3. Applying patches or configuration changes
4.5.4. Building many packages
4.5.5. Building packages for one flavour
4.6. Building a development version of the Debian kernel package
4.7. Generating orig tarball from newer upstream

4.1. Obtaining the Debian kernel source

To get the Debian kernel source, it is sufficient to install the latest linux-source-version package and unpack the source, for example:

# apt-get install linux-source-4.3
$ tar xaf /usr/src/linux-source-4.3.tar.xz

The unpacked source tree then will be available in linux-source-4.3 directory.

4.2. Building a custom kernel from Debian kernel source

This section describes the simplest possible procedure to build a custom kernel the "Debian way". It is assumed that user is somewhat familiar with kernel configuration and build process. If that's not the case, it is recommended to consult the kernel documentation and many excellent online resources dedicated to it.

The easiest way to build a custom kernel (the kernel with the configuration different from the one used in the official packages) from the Debian kernel source is to use the linux-source package and the make bindeb-pkg target. First, prepare the kernel tree:

# apt-get install linux-source-4.3
$ tar xaf /usr/src/linux-source-4.3.tar.xz
$ cd linux-source-4.3

The kernel now needs to be configured, that is you have to set the kernel options and select the drivers which are going to be included, either as built-in, or as external modules.

It is possible to reuse an old configuration file by placing it as a .config file in the top-level directory. Alternately, you can use the default configuration for the architecture (make defconfig) or generate a configuration based on the running kernel and the currently loaded modules (make localmodconfig).

If you reuse a Debian kernel config file, you may need to disable module signing (scripts/config --disable MODULE_SIG) or enable signing with an ephemeral key (scripts/config --set-str MODULE_SIG_KEY certs/signing_key.pem). The build will use less time and disk space (see Section, “Disk space requirements”) if debug information is disabled (scripts/config --disable DEBUG_INFO). Debuginfo is only needed if you plan to use binary object tools like crash, kgdb, and SystemTap on the kernel.

The kernel build infrastructure offers a number of targets, which invoke different configuration frontends. For example, one can use console-based menu configuration by invoking the command

$ make nconfig

Instead of nconfig one can use oldconfig (text-based line-by-line configuration frontend) or xconfig (graphical configuration frontend). Note that different frontends may require different additional libraries and utilities to be installed to function properly. For example, the nconfig frontend requires the ncurses library, which is provided by the libncurses-dev package.

After the configuration process is finished, the new or updated kernel configuration will be stored in .config file in the top-level directory. The build is started using the commands

$ make clean
$ make bindeb-pkg

As a result of the build, a custom kernel package linux-image-3.2.19_3.2.19-1_i386.deb (name will reflect the version of the kernel and build number) will be created in the directory one level above the top of the tree. It may be installed using dpkg just as any other package:

# dpkg -i ../linux-image-3.2.19_3.2.19-1_i386.deb

This command will unpack the kernel, generate the initrd if necessary (see Chapter 7, Managing the initial ramfs (initramfs) archive for details), and configure the bootloader to make the newly installed kernel the default one. If this command completed without any problems, you can reboot using the

# shutdown -r now

command to boot the new kernel.

For much more information about bootloaders and their configuration please check their documentation. For GRUB this can be accessed using the command info grub. You can also look for documentation in the /usr/share/doc/package directories, with package being the name of the package involved.

4.3. Building a custom kernel from the "pristine" kernel source

Building a kernel from the "pristine" (also sometimes called "vanilla") kernel source, distributed from and its mirrors, may be occasionally useful for debugging or in the situations when a newer kernel version is desired. The procedure differs only in obtaining the kernel source: instead of unpacking the kernel source from Debian packages, the "pristine" source is downloaded using your favourite browser or using wget, as follows:

$ wget

The integrity of the downloaded archive may be verified by fetching the corresponding cryptographic signature

$ wget

and running this command (gnupg package must be installed):

$ unxz -c linux-4.3.tar.xz | gpg --verify linux-4.3.tar.sign -

Successful verification results in output similar to the one below:

gpg: Signature made Mon 21 May 2012 01:48:14 AM CEST using RSA key ID 00411886
gpg: Good signature from "Linus Torvalds <>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: ABAF 11C6 5A29 70B1 30AB  E3C4 79BE 3E43 0041 1886

After that the archive may be unpacked using

$ tar xaf linux-4.3.tar.xz
$ cd linux-4.3

The unpacked kernel tree (in linux-4.3) can now be configured and built, in the same way described in the previous section.

4.4. Out-of-tree kernel modules

Some kernel modules are not included in the upstream or Debian kernel source, but are provided as third-party source packages. There is a fair chance that the Debian archive contains the source for the kernel modules, packaged for use with the Dynamic Kernel Module System (DKMS), with a package name ending with -dkms. Alternatively, it might be packaged for use with Debian's module-assistant (m-a), with a package name ending with -source.

4.4.1. Building modules with DKMS

Check the current kernel release by running uname -r. If it shows, for example, 5.10.0-16-amd64, you need the package linux-headers-5.10.0-16-amd64. However, usually you should not install this directly. Instead, note the "flavour" name that appears after the four numbers, which in this case is amd64. You can then run:

# apt-get install linux-headers-flavour module-name-dkms

The installation of these packages will automatically invoke DKMS to build and install the module(s) for the current kernel release. Future kernel package upgrades will also automatically invoke DKMS to rebuild and install the module(s).

4.4.2. Building modules with module-assistant

First, install module-assistant:

# apt-get install module-assistant

To build a custom binary module package for the currently running kernel:

# m-a a-i module-name-source

Check out the module-assistant documentation (man module-assistant) for other options and much more information on how to use it.

4.4.3. Building unpackaged modules

In some rare circumstances, you might need to build the kernel modules from the upstream source packages. In that case, follow the documentation included with the package to build the modules. If the build process will require you to specify the directory with the kernel headers, matching the currently running kernel, for stock Debian kernels this directory is /usr/src/linux-headers-uname, provided by the linux-headers-uname package. Here uname is the output of the uname -r command. If you are building and running your own custom kernels, it is a good idea to keep the original build tree around, as it also can be used for out-of-tree module building.

4.4.4. Out-of-tree modules and Secure Boot

In case your computer has UEFI Secure Boot enabled, the Debian packaged kernel will normally only allow modules signed by a trusted key to be loaded. In order to load the modules you build, you need to either:

  • Generate a signing key, add it to the trust list of your computer, and use it to sign all out-of-tree modules; or

  • Disable Secure Boot enforcement

Both options are documented on the Debian wiki's SecureBoot page, under "MOK - Machine Owner Key".

4.5. Rebuilding official Debian kernel packages

You can build all or selected kernel packages by following these instructions. You may be asked to do this in order to test a potential bug fix.

4.5.1. Preparation

Run the following commands:

# apt-get install build-essential
# apt-get build-dep linux

This will install the packages required by the kernel build process.

$ apt-get source linux

This will download and unpack the linux source package, making the tree available in the linux-version directory.

$ cd linux-version

Enter the source directory.

$ export MAKEFLAGS=-j$(nproc)

Enable parallel builds using one job per CPU by default. Disk space requirements

Building binary packages for a single kernel flavour requires up to 15 GB space in the package directory and 300 MB in /tmp (or $TMPDIR).

Building with debug info disabled requires about 2 GB and 25 MB respectively. In packages of kernel version 5.17 or later, you can disable building debug info through build profiles:

$ export DEB_BUILD_PROFILES='pkg.linux.nokerneldbg pkg.linux.nokerneldbginfo'

In older package versions, you must change the value of debug-info to false in debian/config/arch/defines, if it's set there, or in debian/config/defines otherwise.

Building all binary packages for i386 or amd64 currently requires about 50 GB space in the package directory. Other architectures with fewer drivers will require less space.

4.5.2. Simple patching and building

The source package includes a script to simplify the process of building with extra patches. You can use this by running commands such as:

# apt-get install devscripts
$ debian/bin/test-patches ../fix-bug123456.patch ../add-foo-driver.patch

This script has options to control the flavour, featureset, etc. For a summary of the options, run:

$ debian/bin/test-patches

However, if you need to change the configuration or make other changes, you should not use this script and should follow the instructions below.


Older versions of the test-patches script (before package version 6.1.27-1), have some important bugs and limitations:

  • The linux-image package it builds will usually replace or conflict with the currently installed kernel package.

  • The linux-headers package it builds won't be installable.

  • In package versions from 5.17 onward, it is not possible to disable building debug info.

To avoid these bugs in older versions of the source package, follow the instructions below.

4.5.3. Applying patches or configuration changes

It is possible to apply extra patches to the source before starting the build. In the linux source package, the default (non-featureset) patches are automatically applied in the top level directory.

The patched source appears in the following directories.

default source:

top level

source with featureset:


You should apply the extra patches in the appropriate directory. In the linux source package you can use the quilt utility to do this.

You should also change the ABI name so that the resulting packages are co-installable with the current kernel packages; see Section 5.2.1, “The ABI name”.

To change the configuration before building, for example for the 686-pae flavour on i386, run the commands:

$ make -f debian/rules.gen setup_i386_none_686-pae
$ make -C debian/build/build_i386_none_686-pae nconfig

4.5.4. Building many packages

To build all possible packages for this architecture, run:

$ dpkg-buildpackage -b -nc -uc

To build all architecture-dependent packages, run:

$ dpkg-buildpackage -B -nc -uc

To build all architecture-independent packages, run:

$ dpkg-buildpackage -A -nc -uc

4.5.5. Building packages for one flavour

For example, to build only the binary packages for 686-pae flavour on i386 architecture, use the following commands:

$ debian/rules source
$ DEB_RULES_REQUIRES_ROOT=no make -f debian/rules.gen binary-arch_i386_none_686-pae

The target in this command has the general form of target_arch_featureset_flavour. Replace the featureset with none if you do not want any of the extra featuresets. This command will build the linux image and kernel headers packages. You may also need the linux-headers-version-common binary package, which can be built using the commands:

$ debian/rules source
$ DEB_RULES_REQUIRES_ROOT=no make -f debian/rules.gen binary-indep_none_real

The target in this command has the general form of binary-indep_featureset_real

4.6. Building a development version of the Debian kernel package

To build a kernel image based on the kernel team's unreleased development version:

# apt-get install build-essential rsync git
# apt-get build-dep linux

The last two commands will install the build dependencies required by the kernel build process.

$ git clone -b dist --single-branch

This will check out the Debian packaging. dist is normally the distribution codename such as wheezy or sid (unstable). For the very latest version, usually based on an upstream release candidate, use master. Note that this will download several hundred megabytes of data.

$ apt-get source -d linux

This will download the linux upstream source (and the last released Debian patches). Depending on which version you are trying to build, you might need to override APT's version selection or download a tarball from instead.

$ cd linux
$ debian/rules orig

This unpacks the upstream source and merges it with the Debian packaging.

$ debian/rules debian/control

This generates a Debian package control file based on the current definitions of the various kernel flavours which can be built.

$ DEB_RULES_REQUIRES_ROOT=no debian/rules target

Finally, build binary packages as explained in Section 4.5, “Rebuilding official Debian kernel packages”.

4.7. Generating orig tarball from newer upstream

First you must add a changelog entry for the new upstream version. If the new version is a release candidate, change the string -rc to ~rc. (In Debian package versions, a suffix beginning with ~ indicates a pre-release.)

The 'orig' tarball is generated by the script, which requires an upstream Git repository. For Debian 12 "bookworm" onward, this can be a remote repository; for older stable branches it must be local. Run:

$ debian/bin/ repository

This will generate a file such as ../orig/linux_5.19~rc6.orig.tar.xz. You can then combine this tarball with the Debian packaging by running:

$ debian/rules orig