mok

Signing the Dragon Kernel for EFI boot with your MOK (Machine Owner Key):

$ openssl x509 -in /var/lib/shim-signed/mok/MOK.der -inform DER -outform PEM -out ~/MOK.pem
$ sudo add-apt-repository ppa:wip-kernel/shv5
$ sudo apt-get update
$ sudo apt install linux-headers-5.2.28-dragon linux-headers-5.2.28-dragon-generic linux-image-unsigned-5.2.28-dragon-generic linux-modules-5.2.28-dragon-generic linux-modules-extra-5.2.28-dragon-generic
$ sudo sbsign --key /var/lib/shim-signed/mok/MOK.priv --cert ~/MOK.pem /boot/vmlinuz-5.2.28-dragon-generic --output /boot/vmlinuz-5.2.28-dragon-generic.signed
$ sudo cp /boot/initrd.img-5.2.28-dragon-generic{,.signed}
$ sudo update-grub
$ reboot
$ sudo rm /boot/vmlinuz-5.2.28-dragon-generic
$ sudo rm /boot/initrd.img-5.2.28-dragon-generic
$ sudo update-grub
$ reboot
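
Before the unsigned kernel is removed in the steps above, it is worth confirming that the .signed image verifies against the MOK certificate and that the key is enrolled. This is an added example, not part of the original page or the Dragon Kernel project; the function name check_signed_kernel and its return codes are assumptions made for illustration, and it needs read access to the files in /boot, so run it as root.

```sh
#!/bin/sh
# Added example, not from the original page.
# check_signed_kernel IMAGE CERT_PEM CERT_DER
# Return codes: 0 ok, 2 file missing, 3 tool missing,
#               4 signature does not verify, 5 key not enrolled as a MOK.
check_signed_kernel() {
    image=$1; cert_pem=$2; cert_der=$3

    for f in "$image" "$cert_pem" "$cert_der"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 2; }
    done
    for tool in sbverify mokutil; do
        command -v "$tool" >/dev/null 2>&1 ||
            { echo "not installed: $tool" >&2; return 3; }
    done

    # The .signed image must carry a signature that validates against the
    # same certificate that was passed to sbsign.
    sbverify --cert "$cert_pem" "$image" >/dev/null 2>&1 ||
        { echo "signature on $image does not verify against $cert_pem" >&2; return 4; }

    # shim only trusts the key once it is enrolled; a pending enrollment
    # request does not count, so match the exact "already enrolled" message.
    mokutil --test-key "$cert_der" 2>/dev/null | grep -q 'is already enrolled' ||
        { echo "$cert_der is not enrolled as a MOK" >&2; return 5; }

    echo "OK: $image is signed by an enrolled MOK"
}

# Run as a script: sudo sh check-signed-kernel.sh IMAGE CERT_PEM CERT_DER
if [ "$#" -eq 3 ]; then
    check_signed_kernel "$@"
fi
```

With the paths used above, the arguments are /boot/vmlinuz-5.2.28-dragon-generic.signed, ~/MOK.pem and /var/lib/shim-signed/mok/MOK.der. Any non-zero result means the unsigned kernel should stay in place until the cause is resolved.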

Thanks Edgard Pineda “epineda”


NVIDIA

Fixes NVIDIA binary driver - version 390.116

Installation instructions for NVIDIA 390.116:

#!/bin/bash
#
sudo apt purge libnvidia-cfg1-390 libnvidia-common-390 libnvidia-compute-390 \
    libnvidia-decode-390 libnvidia-encode-390 libnvidia-fbc1-390 \
    libnvidia-gl-390 libnvidia-ifr1-390 libxnvctrl0 nvidia-compute-utils-390 \
    nvidia-dkms-390 nvidia-driver-390 nvidia-kernel-common-390 \
    nvidia-kernel-source-390 nvidia-prime nvidia-settings nvidia-utils-390 \
    screen-resolution-extra xserver-xorg-video-nvidia-390
#
exit 0

Driver version - nvidia-kernel-source-390 (390.116-0ubuntu1)

# sudo apt install nvidia-kernel-source-390

Download

# cd /usr/src

Put the patch here

(there should already be a source folder - nvidia-390.116)

# patch -p1 < nvidia_module-390.116.patch
# rm nvidia_module-390.116.patch

#!/bin/bash
#
sudo apt install libnvidia-cfg1-390 libnvidia-common-390 libnvidia-compute-390 \
    libnvidia-decode-390 libnvidia-encode-390 libnvidia-fbc1-390 \
    libnvidia-gl-390 libnvidia-ifr1-390 libxnvctrl0 nvidia-compute-utils-390 \
    nvidia-dkms-390 nvidia-driver-390 nvidia-kernel-common-390 nvidia-prime \
    nvidia-settings nvidia-utils-390 screen-resolution-extra \
    xserver-xorg-video-nvidia-390
#
exit 0

iptables

Fixes IPTABLES operation on Dragon Kernel

It is strongly recommended to use the iptables package only from the PPA Linux WIP-Kernel team:

$ sudo add-apt-repository ppa:wip-kernel/iptables
$ sudo apt update
$ sudo apt dist-upgrade -y

Package version - iptables (1.8.2)


i915

Fixes booting kernel for i915 video chipset

If the kernel starts but the boot screen stays black or the boot process stops:

In the GRUB boot menu, press the “e” key, edit the kernel boot line, and press F10 to boot.


haveged

Fixes booting kernel (Not enough entropy in random pool to proceed)

HAVEGED - Generate random numbers and feed linux random device.

The HAVEGE (HArdware Volatile Entropy Gathering and Expansion) algorithm harvests the indirect effects of hardware events on hidden processor state (caches, branch predictors, memory translation tables, etc.) to generate a random sequence. The effects of interrupt service on processor state are visible from userland as timing variations in program execution speed. Using a branch-rich calculation that fills the processor instruction and data cache, a high resolution timer source such as the processor time stamp counter can generate a random sequence even on an “idle” system. In Linux, the hardware events that are the ultimate source of any random number sequence are pooled by the /dev/random device for later distribution via the device interface. The standard mechanism of harvesting randomness for the pool may not be sufficient to meet demand, especially on those systems with high needs or limited user interaction. Haveged provides a daemon to fill /dev/random whenever the supply of random bits in /dev/random falls below the low water mark of the device.

Haveged also provides a direct file system interface to the collection mechanism that is also useful in other circumstances where access to the /dev/random interface is either not available or inappropriate.

It is strongly recommended to use the haveged package only from the PPA Linux WIP-Kernel team:

$ sudo add-apt-repository ppa:wip-kernel/hvgd
$ sudo apt update
$ sudo apt install haveged

Package version - haveged (1.9.4)


Example config files for Intel i5 Westmere, 4Gb RAM

GRUB_CMDLINE_LINUX_DEFAULT="noresume elevator=bfq mds=full psi=1 acpi_serialize acpi_osi=Linux acpi_backlight=vendor intel_iommu=on swiotlb=32768 apparmor=0 net.ifnames=0 biosdevname=0"
GRUB_CMDLINE_LINUX="systemd.gpt_auto=0 zswap.enabled=1 zswap.compressor=lz4 zswap.max_pool_percent=15 pcie_acs_override=downstream"

Enable ZSWAP

Zswap is a kernel feature that provides a compressed RAM cache for swap pages

  • Add to grub.cfg
GRUB_CMDLINE_LINUX="zswap.compressor=lz4 zswap.max_pool_percent=15"
  • Add to /etc/initramfs-tools/modules
lz4
lz4_compress
  • Run command
$ sudo update-grub && sudo update-initramfs -u

Tune IO scheduler

For now, add the file /etc/udev/rules.d/60-ssd-scheduler.rules.

You can also add these rules to 60-ssd-scheduler.rules:

# Non-rotational disks
ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="bfq"
# Rotational disks
ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="1", ATTR{queue/scheduler}="bfq"

and run the command:

# sudo udevadm control --reload && sudo udevadm trigger

  • /etc/sysctl.conf
vm.laptop_mode = 0

vm.overcommit_ratio = 200 
vm.overcommit_memory = 2

# Core dump suidsafe
kernel.core_uses_pid = 1
kernel.core_pattern = /tmp/core-%e-%s-%u-%g-%p-%t
fs.suid_dumpable = 2

kernel.printk = 4 4 1 7
kernel.sysrq = 0

# Network
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.tcp_max_orphans = 65536
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_mem = 50576   64768   98152
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_orphan_retries = 0
net.ipv4.tcp_syncookies = 1
net.netfilter.nf_conntrack_max = 16777216
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_congestion_control = yeah
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.route.flush = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.wlan0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.wlan0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.ip_forward = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 4096
net.core.rmem_default = 65536
net.core.wmem_default = 65536
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
fs.inotify.max_user_watches = 16777216
#
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.ip_default_ttl = 63
#
net.ipv4.tcp_ecn = 1
net.core.default_qdisc = cake
#
kernel.perf_cpu_time_max_percent = 100
#
# IO schedulers
vm.dirty_background_bytes = 67108864
vm.dirty_bytes = 134217728
#
# Huge Page
vm.nr_hugepages = 16
vm.nr_overcommit_hugepages = 16
vm.hugetlb_shm_group = 1001
#
kernel.yama.ptrace_scope = 2
#
net.netfilter.nf_conntrack_helper = 1
#
# For Chromium sandbox use!
kernel.unprivileged_userns_clone = 0

  • /etc/network/interfaces
wireless-power off

  • /etc/NetworkManager/conf.d/default-wifi-powersave-on.conf
[connection]
wifi.powersave = 2

  • /etc/NetworkManager/NetworkManager.conf
[connection]
wifi.powersave = 2

[device]
wifi.scan-rand-mac-address=no
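
A setting in the /etc/sysctl.conf listing above only protects the system if the running kernel accepted it; keys under net.netfilter.* are absent until the conntrack module is loaded, and per-interface keys such as conf.eth0.* depend on the interface name. The following added example (not part of the original page; the names sysctl_drift and norm and the optional ROOT argument are assumptions made for illustration) compares a sysctl.conf-style file with the live values under /proc/sys.

```sh
#!/bin/sh
# Added example, not from the original page.
# sysctl_drift CONF [ROOT]
#   CONF  sysctl.conf-style file
#   ROOT  sysctl tree to compare against (default /proc/sys; the argument
#         exists so the function can be exercised on a constructed tree)
# Prints one line per key that is absent or differs; returns 1 on any drift.

# Collapse runs of blanks/tabs and trim, so "4 4 1 7" matches "4\t4\t1\t7".
norm() { printf '%s\n' "$1" | tr -s ' \t' ' ' | sed 's/^ //; s/ $//'; }

sysctl_drift() {
    conf=$1; root=${2:-/proc/sys}; drift=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(norm "$line")
        case $line in
            ''|'#'*|';'*) continue ;;   # blank line or comment
            *=*) ;;
            *) continue ;;              # not a key = value line
        esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' ')
        want=$(norm "${line#*=}")
        path=$root/$(printf '%s' "$key" | tr . /)
        if [ ! -e "$path" ]; then
            # e.g. net.netfilter.* before nf_conntrack is loaded, or
            # conf.eth0.* when the interface has another name
            echo "$key: not present"
            drift=1
        elif ! have=$(cat "$path" 2>/dev/null); then
            # write-only triggers such as net.ipv4.route.flush
            echo "$key: not readable, skipped"
        else
            have=$(norm "$have")
            [ "$have" = "$want" ] || { echo "$key: file=$want live=$have"; drift=1; }
        fi
    done < "$conf"
    return "$drift"
}

# Run as a script: sh sysctl-drift.sh /etc/sysctl.conf
if [ "$#" -ge 1 ]; then
    sysctl_drift "$@"
fi
```

Run it after `sudo sysctl -p`; every line it prints names a setting from the file that is not in effect.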

Copyright © 2019 AndyLavr All rights reserved.