Below, I discuss a subtractive approach to compiling your own kernel, with pseudocode for the prep-work chores that follow installing a unified kernel image.
There are two methodological directions toward compiling your own kernel.
(begin from make localmodconfig)             (begin from zcat /proc/config.gz)
┌──────────────┐      ┌───────────────┐      ┌──────────────┐
│additive      │      │   a kernel    │      │SUBTRACTIVE   │
│>start tiny w/├─────►│  adapted to   │◄─────┤>start with   │
│ guessed flags│      │  our machine  │      │ support flags│
│>add til your │      └───────────────┘      │ for like     │
│ system works │                             │ everything   │
└──────────────┘                             │>remove flags │
                                             │ til no worky │
                                             └──────────────┘
Left to middle is a "bloatless" "don't use XYZ until you need it" philosophy (since make localmodconfig only notes down the drivers that are currently loaded). However, it's less pragmatic, since the occurrence of an issue, such as some new peripheral you have ten minutes to try out not working, means
Right to middle is lazier: changing a kernel setting and breaking something is fine, because you still have a previous working copy.
Curiously, using gentoo-kernel-bin + secure boot will FORCE out-of-tree kernel modules (read: Nvidia) to be signed. The irony is that gentoo-kernel-bin obviously isn't distributed with the private key you'd need to do so (source).
This is a Gentoo-specific UX issue.
Therefore, in order to load Nvidia drivers with a Unified Kernel Image and Secure Boot, I either need to compile my own kernel, use keyctl at every boot, or use Shim (source).
Thankfully the UX issue only applies to pre-built kernels, so I can simply do the following to set up:
How-to:
Put this in /etc/portage/package.use/kernel:
sys-kernel/gentoo-sources symlink
sys-kernel/linux-firmware compress-zstd savedconfig
And then, with your system booted, copy the running kernel's config but remove the signing-key path that we don't have. Then compile.
cd /usr/src/linux
# Start from the running (gentoo-kernel-bin) kernel's config.
zcat /proc/config.gz > .config
# Drop the key path we don't have; anchored so CONFIG_MODULE_SIG_KEY_TYPE_* is left alone.
sed -i '/^CONFIG_MODULE_SIG_KEY=/d' .config
# Drop the version suffix (aesthetics only); CONFIG_LOCALVERSION_AUTO is left alone.
sed -i '/^CONFIG_LOCALVERSION=/d' .config
# Follow your own judgment on the prompts; the default offered for the now-missing
# CONFIG_MODULE_SIG_KEY is certs/signing_key.pem, which the build generates itself.
make -j8
make modules_install -j$(nproc)
make install
(Above, I removed CONFIG_MODULE_SIG_KEY because /var/tmp/wherever-Gentoo-devs-stored-their-key doesn't exist on my machine. I also removed CONFIG_LOCALVERSION just for aesthetics.)
Don't forget the normal boot-prep steps, like the following. If you were using gentoo-kernel-bin, this was likely automated.
cd /efi/EFI/Linux
mv "$old_kernel" "$somewhere_else"   # keep the previous working UKI around as a fallback
uefi-mkconfig                        # or whatever you use, e.g. efibootmgr
sbctl sign -s "$new_kernel"          # sign the new UKI for Secure Boot (-s: remember it in sbctl's db)
Then sign the Nvidia drivers using the kernel's autogenerated key (you may need to reinstall said drivers).
(Unfortunately, this leads to a bad habit of leaving the private signing key lying in the /usr/src/linux directory.)
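As an added example (my own script, not from the original post), here is the signing step spelled out: it signs each unsigned module with the key the build generated at certs/signing_key.pem using the kernel's own scripts/sign-file, checks the signature trailer was actually appended, and addresses the key-left-in-tree caveat by making the key root-only. KSRC, KVER, MODULE_GLOB and the function names are my assumptions.

```sh
#!/bin/sh
# Sign out-of-tree modules (nvidia by default) with the kernel build's own key,
# verify the signature trailer, and lock the private key down.
# Assumed, override via environment: KSRC, KVER, MODULE_GLOB.
set -eu

KSRC=${KSRC:-/usr/src/linux}           # tree the kernel was built in
KVER=${KVER:-$(uname -r)}
MODULE_GLOB=${MODULE_GLOB:-nvidia*.ko}  # uncompressed .ko only: sign before compressing
SIGN_KEY=$KSRC/certs/signing_key.pem    # private key autogenerated by the build
SIGN_CRT=$KSRC/certs/signing_key.x509   # matching cert, already embedded in the kernel

# The hash must match the kernel's build option, e.g. CONFIG_MODULE_SIG_HASH="sha256".
sig_hash_from_config() {
    sed -n 's/^CONFIG_MODULE_SIG_HASH="\([a-z0-9-]*\)"$/\1/p' "$1"
}

# A signed module ends with the 28-byte trailer "~Module signature appended~\n".
module_is_signed() {
    [ "$(tail -c 28 "$1")" = "~Module signature appended~" ]
}

# Append a signature in place using the kernel's own sign-file helper.
sign_module() {
    "$KSRC/scripts/sign-file" "$(sig_hash_from_config "$KSRC/.config")" \
        "$SIGN_KEY" "$SIGN_CRT" "$1"
}

# Sign every matching module of the running kernel that is not signed yet.
sign_unsigned_modules() {
    find "/lib/modules/$KVER" -name "$MODULE_GLOB" | while IFS= read -r ko; do
        if module_is_signed "$ko"; then
            echo "already signed: $ko"
        else
            sign_module "$ko"
            module_is_signed "$ko"   # fail loudly if no trailer was appended
            echo "signed: $ko"
        fi
    done
}

# Only root should be able to read the private key; it stays where later
# rebuilds expect it, but stops being readable by every local user.
lock_down_key() {
    chmod 0600 "$1"
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

if [ "${1:-}" = "run" ]; then
    sign_unsigned_modules
    lock_down_key "$SIGN_KEY"
fi
```

Run it as `sh sign-modules.sh run` after installing the drivers; `modinfo -F signer nvidia` should then name the certificate the build generated.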