Debian Linux Kernel Handbook / Chapter 4. Common kernel-related tasks
Table of Contents
To get the Debian kernel source, it is sufficient to install the latest
linux-source-version package and unpack
the source, for example:
#apt-get install linux-source-4.3$tar xaf /usr/src/linux-source-4.3.tar.xz
The unpacked source tree then will be available in
linux-source-4.3 directory.
This section describes the simplest possible procedure to build a custom kernel the "Debian way". It is assumed that user is somewhat familiar with kernel configuration and build process. If that's not the case, it is recommended to consult the kernel documentation and many excellent online resources dedicated to it.
The easiest way to build a custom kernel (the kernel with the configuration different from the one used in the official packages) from the Debian kernel source is to use the linux-source package and the make bindeb-pkg target. First, prepare the kernel tree:
#apt-get install linux-source-4.3$tar xaf /usr/src/linux-source-4.3.tar.xz$cd linux-source-4.3
The kernel now needs to be configured, that is you have to set the kernel options and select the drivers which are going to be included, either as built-in, or as external modules.
It is possible to reuse an old configuration file by placing it as a
.config file in the top-level directory.
Alternately, you can use the default configuration for the
architecture (make defconfig) or generate a
configuration based on the running kernel and the currently loaded
modules (make localmodconfig).
If you reuse a Debian kernel config file, you may need to disable module signing (scripts/config --disable MODULE_SIG) or enable signing with an ephemeral key (scripts/config --set-str MODULE_SIG_KEY certs/signing_key.pem). The build will use less time and disk space (see Section 4.5.1.1, “Disk space requirements”) if debug information is disabled. Debuginfo is only needed if you plan to use binary object tools like crash, kgdb, and SystemTap on the kernel. To disable debug information:
$scripts/config --disable DEBUG_INFO$scripts/config --disable DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT
The kernel build infrastructure offers a number of targets, which invoke different configuration frontends. For example, one can use console-based menu configuration by invoking the command
$make nconfig
Instead of nconfig one can use oldconfig
(text-based line-by-line configuration frontend) or xconfig
(graphical configuration frontend). Note that different frontends may require different additional
libraries and utilities to be installed to function properly. For example, the
nconfig frontend requires the ncurses
library, which is provided by the libncurses-dev package.
After the configuration process is finished, the new or updated kernel
configuration will be stored in .config file in the
top-level directory. The build is started using the commands
$make clean$make bindeb-pkg
As a result of the build, a custom kernel package
linux-image-3.2.19_3.2.19-1_i386.deb (name will reflect the
version of the kernel and build number) will be created in the directory one
level above the top of the tree. It may be installed using
dpkg just as any other package:
#dpkg -i ../linux-image-3.2.19_3.2.19-1_i386.deb
This command will unpack the kernel, generate the initrd if necessary (see Chapter 7, Managing the initial ramfs (initramfs) archive for details), and configure the bootloader to make the newly installed kernel the default one. If this command completed without any problems, you can reboot using the
#shutdown -r now
command to boot the new kernel.
For much more information about bootloaders and their configuration please
check their documentation. For GRUB this can be accessed using the command
info grub. You can also look for documentation in the
/usr/share/doc/ directories,
with packagepackage being the name of the
package involved.
Building a kernel from the "pristine" (also sometimes called "vanilla") kernel source, distributed from www.kernel.org and its mirrors, may be occasionally useful for debugging or in the situations when a newer kernel version is desired. The procedure differs only in obtaining the kernel source: instead of unpacking the kernel source from Debian packages, the "pristine" source is downloaded using your favourite browser or using wget, as follows:
$wget https://kernel.org/pub/linux/kernel/v4.x/linux-4.3.tar.xz
The integrity of the downloaded archive may be verified by fetching the corresponding cryptographic signature
$wget https://kernel.org/pub/linux/kernel/v4.x/linux-4.3.tar.sign
and running this command (gnupg package must be installed):
$unxz -c linux-4.3.tar.xz | gpg --verify linux-4.3.tar.sign -
Successful verification results in output similar to the one below:
gpg: Signature made Mon 21 May 2012 01:48:14 AM CEST using RSA key ID 00411886
gpg: Good signature from "Linus Torvalds <torvalds@linux-foundation.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: ABAF 11C6 5A29 70B1 30AB E3C4 79BE 3E43 0041 1886
After that the archive may be unpacked using
$tar xaf linux-4.3.tar.xz$cd linux-4.3
The unpacked kernel tree (in linux-4.3) can now be
configured and built, in the same way described in the previous section.
Some kernel modules are not included in the upstream or Debian kernel source,
but are provided as third-party source packages.
There is a fair chance that the Debian archive contains the
source for the kernel modules, packaged for use
with the Dynamic Kernel Module System (DKMS), with a package name
ending with -dkms. Alternatively, it might be
packaged for use with Debian's module-assistant (m-a), with a package
name ending with -source.
Check the current kernel release by running uname
-r. If it shows, for example,
5.10.0-16-amd64, you need the package
linux-headers-5.10.0-16-amd64. However, usually
you should not install this directly. Instead, note the "flavour"
name that appears after the four numbers, which in this case is
amd64. You can then run:
#apt-get install linux-headers-flavourmodule-name-dkms
The installation of these packages will automatically invoke DKMS to build and install the module(s) for the current kernel release. Future kernel package upgrades will also automatically invoke DKMS to rebuild and install the module(s).
First, install module-assistant:
#apt-get install module-assistant
To build a custom binary module package for the currently running kernel:
#m-a a-imodule-name-source
Check out the module-assistant documentation (man module-assistant) for other options and much more information on how to use it.
In some rare circumstances, you might need to build the kernel modules
from the upstream source packages. In that case, follow the documentation
included with the package to build the modules. If the build process will
require you to specify the directory with the kernel headers, matching the
currently running kernel, for stock Debian kernels this directory is
/usr/src/linux-headers-, provided
by the linux-headers-unameuname package.
Here uname is the output of the
uname -r command. If you are building and running your own
custom kernels, it is a good idea to keep the original build tree around, as it
also can be used for out-of-tree module building.
In case your computer has UEFI Secure Boot enabled, the Debian packaged kernel will normally only allow modules signed by a trusted key to be loaded. In order to load the modules you build, you need to either:
Generate a signing key, add it to the trust list of your computer, and use it to sign all out-of-tree modules; or
Disable Secure Boot enforcement
Both options are documented on the Debian wiki's SecureBoot page, under "MOK - Machine Owner Key".
You can build all or selected kernel packages by following these instructions. You may be asked to do this in order to test a potential bug fix.
Run the following commands:
# apt-get install build-essential# apt-get build-dep linuxThis will install the packages required by the kernel build process.
$ apt-get source linux
This will download and unpack the linux source package,
making the tree available in the
linux- directory.
version
$ cd linux-versionEnter the source directory.
$ export MAKEFLAGS=-j$(nproc)Enable parallel builds using one job per CPU by default.
Building binary packages for a single kernel flavour requires up to
15 GB space in the package directory and 300 MB in
/tmp (or $TMPDIR).
Building with debug info disabled requires about 2 GB and 25 MB respectively. In packages of kernel version 5.17 or later, you can disable building debug info through build profiles:
$export DEB_BUILD_PROFILES='pkg.linux.nokerneldbg pkg.linux.nokerneldbginfo'
In older package versions, you must change the value of
debug-info to false in
debian/config/,
if it's set there, or in
arch/definesdebian/config/defines otherwise.
Building all binary packages for i386 or amd64 currently requires about 50 GB space in the package directory. Other architectures with fewer drivers will require less space.
The source package includes a script to simplify the process of building with extra patches. You can use this by running commands such as:
#apt-get install devscripts$debian/bin/test-patches ../fix-bug123456.patch ../add-foo-driver.patch
This script has options to control the flavour, featureset, etc. For a summary of the options, run:
$debian/bin/test-patches
However, if you need to change the configuration or make other changes, you should not use this script and should follow the instructions below.
Older versions of the test-patches script (before package version 6.1.27-1), have some important bugs and limitations:
The linux-image package it builds will usually replace or conflict with the currently installed kernel package.
The linux-headers package it builds won't be installable.
In package versions from 5.17 onward, it is not possible to disable building debug info.
To avoid these bugs in older versions of the source package, follow the instructions below.
It is possible to apply extra patches to the source before starting the build. In the linux source package, the default (non-featureset) patches are automatically applied in the top level directory.
The patched source appears in the following directories.
top level
debian/build/source_
featureset
You should apply the extra patches in the appropriate directory. In the linux source package you can use the quilt utility to do this.
You should also change the ABI name so that the resulting packages are co-installable with the current kernel packages; see Section 5.2.1, “The ABI name”.
To change the configuration before building, for example for the 686-pae flavour on i386, run the commands:
$make -f debian/rules.gen setup_i386_none_686-pae$make -C debian/build/build_i386_none_686-pae nconfig
To build all possible packages for this architecture, run:
$dpkg-buildpackage -b -nc -uc
To build all architecture-dependent packages, run:
$dpkg-buildpackage -B -nc -uc
To build all architecture-independent packages, run:
$dpkg-buildpackage -A -nc -uc
For example, to build only the binary packages for 686-pae flavour on i386 architecture, use the following commands:
$debian/rules source$DEB_RULES_REQUIRES_ROOT=no make -f debian/rules.gen binary-arch_i386_none_686-pae
The target in this command has the general form of
target_arch_featureset_flavourfeaturesetnone if you do not want any of the extra featuresets. This
command will build the linux image and kernel headers packages. You may also
need the linux-headers-version-common
binary package, which can be built using the commands:
$debian/rules source$DEB_RULES_REQUIRES_ROOT=no make -f debian/rules.gen binary-indep_none_real
The target in this command has the general form of
binary-indep_
featureset_real
To build a kernel image based on the kernel team's unreleased development version:
# apt-get install build-essential rsync git# apt-get build-dep linuxThe last two commands will install the build dependencies required by the kernel build process.
$ git clone -b dist --single-branch https://salsa.debian.org/kernel-team/linux.git
This will check out the Debian packaging. dist is
normally the distribution codename such as wheezy or
sid (unstable). For the very latest version, usually based
on an upstream release candidate, use master. Note that
this will download several hundred megabytes of data.
$ apt-get source -d linuxThis will download the linux upstream source (and the last released Debian patches). Depending on which version you are trying to build, you might need to override APT's version selection or download a tarball from people.debian.org instead.
$ cd linux$ debian/rules origThis unpacks the upstream source and merges it with the Debian packaging.
$ debian/rules debian/controlThis generates a Debian package control file based on the current definitions of the various kernel flavours which can be built.
$ DEB_RULES_REQUIRES_ROOT=no debian/rules targetFinally, build binary packages as explained in Section 4.5, “Rebuilding official Debian kernel packages”.
First you must add a changelog entry for the new upstream version. If the new
version is a release candidate, change the string -rc to
~rc. (In Debian package versions, a suffix beginning with
~ indicates a pre-release.)
The 'orig' tarball is generated by the genorig.py script, which requires an upstream Git repository. For Debian 12 "bookworm" onward, this can be a remote repository; for older stable branches it must be local. Run:
$debian/bin/genorig.pyrepository
This will generate a file such as
../orig/linux_5.19~rc6.orig.tar.xz. You can then combine
this tarball with the Debian packaging by running:
$debian/rules orig