hyperion.config

#
#
#            HYPERION KERNEL  v2.2.4  --  Linux 6.19.6
#    Author: Soumalya Das  |  Year: 2026  |  Arch: x86_64
#
#    Goal: MONOLITHIC BEAST -- Zero modules, all built-in
#           Universal daily-driver - DKMS-safe - Zero OOM
#           God-tier: gamers - devs - modders - hobbyists
#
#    Sources: CachyOS - XanMod - Nobara - Liquorix - Arch -
#             Fedora - Ubuntu - kernel.org - LKML - Phoronix -
#             r/linux_gaming - XDA - ChromeOS/Android kernel teams
#             sched-ext/scx - CachyOS-Settings - RHEL Perf Guide
#             SELinux/NSA - kernel.org/doc/html/latest/security/
#
#
# Compiler: gcc (GCC) 2.2.4
#
CONFIG_CC_VERSION_TEXT="gcc (GCC) 14.2.0"
CONFIG_CC_IS_GCC=y
CONFIG_GCC_VERSION=140200
CONFIG_CLANG_VERSION=0
CONFIG_AS_IS_GNU=y
CONFIG_AS_VERSION=23800
CONFIG_LD_IS_BFD=y
CONFIG_LD_VERSION=23800
CONFIG_LLD_VERSION=0

# RUST: Rust language support in the Linux kernel.
# Required for new Rust-based kernel drivers (Apple Silicon GPU,
# NVMe-rust, network drivers in development). Zero overhead when
# no Rust drivers are loaded. Requires rustc >= 1.78 + bindgen.
# Source: rust-for-linux.com, merged Linux 6.1 (Linus Torvalds)
CONFIG_RUST_IS_AVAILABLE=y
CONFIG_HAVE_RUST=y
CONFIG_RUST=y
CONFIG_RUST_BUILD_ASSERT_ALLOW=n

# ==============================================================
# KERNEL IDENTITY
# uname -r -> 6.19.6-Hyperion-2.2.4
# uname -v -> #1 SMP PREEMPT Linux 6.19.6-Hyperion-2.2.4 (Soumalya Das) 2026
# ==============================================================
CONFIG_VERSION=6
CONFIG_PATCHLEVEL=19
CONFIG_SUBLEVEL=6
CONFIG_EXTRAVERSION=""
CONFIG_LOCALVERSION="-Hyperion-2.2.4"
CONFIG_LOCALVERSION_AUTO=n
CONFIG_BUILD_SALT=""
CONFIG_DEFAULT_HOSTNAME="hyperion"

# ==============================================================
# COMPILER OPTIMISATION
# CC_OPTIMIZE_FOR_PERFORMANCE: -O2 with arch-specific tuning
# Source: Clear Linux, CachyOS, XanMod build configs
# ==============================================================
CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y
# CONFIG_CC_OPTIMIZE_FOR_SIZE is not set
CONFIG_WERROR=n
CONFIG_COMPILE_TEST=n

# ==============================================================
# LINK-TIME OPTIMISATION (LTO) -- GCC build
# With GCC, Thin-LTO is only available via Clang (CONFIG_LTO_CLANG_THIN).
# For GCC builds, link-time optimisation is achieved via -flto=auto
# passed in KCFLAGS/CFLAGS. The Kconfig option below documents this.
# To enable Clang ThinLTO: rebuild with CC=clang LD=ld.lld AR=llvm-ar.
# GCC perf flags (pass via: make KCFLAGS="...")):
#   -fivopts            -- induction variable optimisation (tight loops)
#   -fmodulo-sched      -- software pipelining (audio, codec inner loops)
#   -fno-semantic-interposition -- faster function calls in vmlinux DSO
#   -fgraphite-identity -- Graphite loop transforms (GCC >= 12)
# Source: Clear Linux CFLAGS, CachyOS build system, gentoo/make.conf
# Usage: make -j$(nproc) KCFLAGS="-fivopts -fmodulo-sched -fno-semantic-interposition"
# ==============================================================
CONFIG_LTO_NONE=y

# ZSTD kernel compression: fastest decompression at boot
# Benchmark: ~40% faster than GZIP on NVMe (Phoronix)
CONFIG_HAVE_KERNEL_GZIP=y
CONFIG_HAVE_KERNEL_BZIP2=y
CONFIG_HAVE_KERNEL_LZMA=y
CONFIG_HAVE_KERNEL_XZ=y
CONFIG_HAVE_KERNEL_LZO=y
CONFIG_HAVE_KERNEL_LZ4=y
CONFIG_HAVE_KERNEL_ZSTD=y
# CONFIG_KERNEL_GZIP is not set
# CONFIG_KERNEL_BZIP2 is not set
# CONFIG_KERNEL_LZMA is not set
# CONFIG_KERNEL_XZ is not set
# CONFIG_KERNEL_LZO is not set
# CONFIG_KERNEL_LZ4 is not set
CONFIG_KERNEL_ZSTD=y

# ==============================================================
# GENERAL SETUP
# ==============================================================
CONFIG_INIT_ENV_ARG_LIMIT=32
CONFIG_SWAP=y
CONFIG_SYSVIPC=y
CONFIG_SYSVIPC_SYSCTL=y
CONFIG_POSIX_MQUEUE=y
CONFIG_POSIX_MQUEUE_SYSCTL=y
CONFIG_WATCH_QUEUE=y
CONFIG_CROSS_MEMORY_ATTACH=y
CONFIG_USELIB=n
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
CONFIG_MULTIUSER=y
CONFIG_SGETMASK_SYSCALL=y
CONFIG_SYSFS_SYSCALL=y
CONFIG_FHANDLE=y
CONFIG_POSIX_TIMERS=y
CONFIG_PRINTK=y
CONFIG_PRINTK_NMI=y
CONFIG_BUG=y
CONFIG_ELF_CORE=y
CONFIG_BASE_FULL=y
CONFIG_FUTEX=y
CONFIG_FUTEX_PI=y
CONFIG_EPOLL=y
CONFIG_SIGNALFD=y
CONFIG_TIMERFD=y
CONFIG_EVENTFD=y
CONFIG_SHMEM=y
CONFIG_AIO=y

# IO_URING: Critical for Proton/Wine, databases, async IO
# Every modern high-performance storage app uses this
CONFIG_IO_URING=y
CONFIG_ADVISE_SYSCALLS=y
CONFIG_MEMBARRIER=y

# KALLSYMS: Required for BPF, perf, crash analysis, DKMS symbol lookups
CONFIG_KALLSYMS=y
# KALLSYMS_ALL: With everything built-in we can afford full symbol table
# Required for sched_ext BPF schedulers and advanced BPF introspection
CONFIG_KALLSYMS_ALL=y


# RSEQ: Restartable sequences -- huge perf win for glibc 2.35+ and jemalloc
# Reference: https://www.efficios.com/blog/2019/02/08/linux-restartable-sequences/
CONFIG_RSEQ=y
CONFIG_EMBEDDED=n
CONFIG_PERF_EVENTS=y

# KPROBES: Dynamic kernel probe points for BPF, perf probe, SystemTap.
# Required for BPF kprobe programs (bcc tools: execsnoop, opensnoop,
# biolatency, etc.) and perf-probe based developer profiling.
# Also required by KRETPROBES for function return tracing.
# Zero overhead when no probes are active -- probed sites are NOPs.
# Source: kernel.org/doc/html/latest/trace/kprobes.html
CONFIG_KPROBES=y
CONFIG_KRETPROBES=y
CONFIG_KPROBE_EVENTS=y
# UPROBE_EVENTS: Userspace probe points for BPF + perf.
# Enables tracing of user-space function entry/exit -- used by
# bpftrace, bcc, and perf probe for application profiling without
# source instrumentation (Java, Go, Rust, C++).
CONFIG_UPROBE_EVENTS=y

# Task accounting: enables PSI, latency tracking -- no more mystery slowdowns
CONFIG_TASKSTATS=y
CONFIG_TASK_DELAY_ACCT=y
CONFIG_TASK_IO_ACCOUNTING=y

CONFIG_VM_EVENT_COUNTERS=y
CONFIG_PROC_FS=y
CONFIG_PROC_KCORE=y
CONFIG_PROC_VMCORE=y
CONFIG_PROC_PAGE_MONITOR=y
CONFIG_PROC_CHILDREN=y
CONFIG_SYSFS=y
CONFIG_TMPFS=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_TMPFS_XATTR=y
CONFIG_MEMFD_CREATE=y
CONFIG_CONFIGFS_FS=y
CONFIG_DEVTMPFS=y
CONFIG_DEVTMPFS_MOUNT=y

# DEVTMPFS explanation: automatically creates /dev entries when drivers probe
# Without this, device nodes are missing after module loads -- silent failure
CONFIG_UNIX98_PTYS=y
CONFIG_INOTIFY_USER=y
CONFIG_FANOTIFY=y
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y

# IKCONFIG: /proc/config.gz always available -- essential for debugging DKMS failures
CONFIG_IKCONFIG=y
CONFIG_IKCONFIG_PROC=y

# IKHEADERS: /sys/kernel/kheaders.tar.xz -- headers available at runtime
# This is the DKMS fallback when /usr/src headers are somehow missing
# Source: DKMS best practices, kernel.org documentation
CONFIG_IKHEADERS=y

# ==============================================================
# MODULE SUPPORT -- kept for DKMS external modules ONLY
# All in-tree drivers/features are built-in (=y). Loadable module
# infrastructure is retained so DKMS (NVIDIA, v4l2loopback, etc.)
# can still insert external .ko files. Every in-kernel feature has
# been compiled directly into the bzImage -- no initramfs module loads
# needed for hardware support.
# ==============================================================
CONFIG_MODULES=y
# Allow forcing load of tainted modules (needed for some vendor modules)
CONFIG_MODULE_FORCE_LOAD=n
# Allow modules to be unloaded -- required for DKMS module reinstall
CONFIG_MODULE_UNLOAD=y
CONFIG_MODULE_FORCE_UNLOAD=n

# MODVERSIONS: Every exported kernel symbol gets a CRC checksum
# ABI mismatch -> clean rejection at insmod, not a kernel panic
# This is THE most important setting for DKMS stability
CONFIG_MODVERSIONS=y

# MODULE_SRCVERSION_ALL: Embeds srcversion hash in every module
# Enables exact module tracing -- know which source built which .ko
CONFIG_MODULE_SRCVERSION_ALL=y

# Module signing: OFF by default -- enables DKMS to sign its own modules
# Enable CONFIG_MODULE_SIG=y only on Secure Boot systems with:
#   scripts/sign-modules.sh
# CONFIG_MODULE_SIG is not set
CONFIG_MODULE_COMPRESS_NONE=y
CONFIG_MODULE_COMPRESS_GZIP=n
CONFIG_MODULE_COMPRESS_XZ=n
CONFIG_MODULE_COMPRESS_ZSTD=n
CONFIG_MODPROBE_PATH="/sbin/modprobe"
CONFIG_TRIM_UNUSED_KSYMS=n

# ==============================================================
# BLOCK LAYER
# ==============================================================
CONFIG_BLOCK=y
# BLK_DEV_INITRD: CRITICAL -- without this, rdinit=/init and initramfs both fail.
# This is what makes the kernel unpack the initramfs and find /init.
# Root cause of: "check access for rdinit=/init failed: -2"
CONFIG_BLK_DEV_INITRD=y
CONFIG_INITRAMFS_SOURCE=""
CONFIG_RD_GZIP=y
CONFIG_RD_BZIP2=y
CONFIG_RD_LZMA=y
CONFIG_RD_XZ=y
CONFIG_RD_LZO=y
CONFIG_RD_LZ4=y
CONFIG_RD_ZSTD=y
CONFIG_BLK_DEV_BSG=y
CONFIG_BLK_DEV_INTEGRITY=y
# BLK_DEV_LOOP: Loop block device driver.
# BOOT-CRITICAL for Arch ISO: archiso mounts airootfs.sfs through a loop
# device. Without this the ISO boot chain fails at:
#   losetup: failed to set up loop device
# Boot chain: ISO -> loop device -> squashfs root -> overlay tmpfs -> systemd
# Must be =y (built-in), not =m. If it is a module it may not be available
# early enough in the initramfs before the squashfs root is mounted.
CONFIG_BLK_DEV_LOOP=y
# Minimum number of pre-allocated loop devices at boot.
# archiso uses at least 1 (airootfs.sfs). 8 leaves headroom for additional
# loop mounts in the live session (AppImage, additional squashfs layers).
CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
CONFIG_BLK_DEV_ZONED=y
CONFIG_BLK_WBT=y
# IO throttling: prevents one process from starving others under disk load
CONFIG_BLK_DEV_THROTTLING=y
CONFIG_BLK_DEV_THROTTLING_LOW=y
CONFIG_BLK_CGROUP_IOLATENCY=y
CONFIG_BLK_CGROUP_IOCOST=y
CONFIG_BLK_CGROUP_IOPRIO=y
CONFIG_BLK_DEBUG_FS=y
CONFIG_BLK_SED_OPAL=y
CONFIG_BLK_INLINE_ENCRYPTION=y
CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK=y

CONFIG_PARTITION_ADVANCED=y
CONFIG_MSDOS_PARTITION=y
CONFIG_EFI_PARTITION=y

# ==============================================================
# EFI / UEFI RUNTIME -- Real hardware boot (was entirely absent)
# Without CONFIG_EFI=y the kernel silently drops all UEFI runtime
# services. efibootmgr, systemd-boot, and GRUB EFI all break silently.
#
# CONFIG_EFI_STUB=y: Makes bzImage a valid .efi executable.
#   Every modern distro (Arch, Fedora, Ubuntu, Debian) enables this.
#   UEFI firmware can then boot the kernel directly without GRUB.
#   Source: kernel.org EFI boot stub docs, ArchWiki EFI boot stub
#
# CONFIG_EFIVAR_FS=m: /sys/firmware/efi/efivars -- exposes UEFI NVRAM
#   to userspace. Required by efibootmgr, systemd, fwupd (LVFS).
#   Source: ArchWiki UEFI, kernel.org efivarfs docs
# ==============================================================
CONFIG_EFI=y
CONFIG_EFI_STUB=y
CONFIG_EFIVAR_FS=y

# ==============================================================
# IO SCHEDULERS
# BFQ: Best for desktop + gaming -- per-process fairness, low latency
#      Default on Fedora, Ubuntu, Linux Mint, openSUSE
#      Source: Paolo Valente (Universita di Modena), Phoronix benchmarks
# Kyber: Best for NVMe -- simple, low-overhead, targets latency targets
# Deadline: Reliable fallback for mixed/server workloads
# ==============================================================
CONFIG_MQ_IOSCHED_DEADLINE=y
CONFIG_MQ_IOSCHED_KYBER=y
CONFIG_IOSCHED_BFQ=y
CONFIG_BFQ_GROUP_IOSCHED=y

# ADIOS: Adaptive Deadline I/O Scheduler (CachyOS 2025).
# Predicts I/O request latency using per-queue historical data and
# dynamically adjusts deadlines to prevent starvation while keeping
# interactive I/O fast. Combines the best of deadline and BFQ:
#   - Deadline's simplicity and determinism for NVMe
#   - BFQ's per-process fairness for desktop mixed workloads
# Measurably beats Kyber and BFQ on game-loading + background
# compile mixed workloads (CachyOS internal benchmarks, 2025).
# Source: github.com/CachyOS/linux-cachyos, ADIOS patchset
# Default: set ADIOS as the default scheduler for NVMe devices.
CONFIG_IOSCHED_ADIOS=y
CONFIG_DEFAULT_IOSCHED="adios"

# ==============================================================
# PROCESSOR FEATURES
# ==============================================================
CONFIG_SMP=y
CONFIG_X86_64=y
CONFIG_64BIT=y
CONFIG_X86=y
CONFIG_X86_X2APIC=y
CONFIG_X86_MPPARSE=y
CONFIG_X86_CPU_RESCTRL=y
CONFIG_X86_EXTENDED_PLATFORM=y
CONFIG_X86_INTEL_LPSS=y
CONFIG_X86_AMD_PLATFORM_DEVICE=y
CONFIG_IOSF_MBI=y
CONFIG_SCHED_OMIT_FRAME_POINTER=y
CONFIG_HYPERVISOR_GUEST=y
CONFIG_PARAVIRT=y
CONFIG_PARAVIRT_XXL=y
CONFIG_PARAVIRT_SPINLOCKS=y
CONFIG_KVM_GUEST=y
CONFIG_PVH=y
CONFIG_GENERIC_CPU=y
CONFIG_X86_TSC=y
CONFIG_X86_CMOV=y
CONFIG_X86_MINIMUM_CPU_FAMILY=64
CONFIG_IA32_FEAT_CTL=y
CONFIG_CPU_SUP_INTEL=y
CONFIG_CPU_SUP_AMD=y
CONFIG_CPU_SUP_HYGON=y
CONFIG_CPU_SUP_CENTAUR=y
CONFIG_CPU_SUP_ZHAOXIN=y
CONFIG_HPET_TIMER=y
CONFIG_HPET_EMULATE_RTC=y
CONFIG_DMI=y
CONFIG_NR_CPUS=512
CONFIG_SCHED_SMT=y
CONFIG_SCHED_MC=y
CONFIG_SCHED_MC_PRIO=y
CONFIG_SCHED_CLUSTER=y
# SCHED_CORE: Prevents SMT sibling starvation -- measurable win on HyperThreaded CPUs
CONFIG_SCHED_CORE=y

# SCHED_AUTOGROUP: Groups interactive tasks by session
# Shell/GUI feel much more responsive under compilation load
# Source: Con Kolivas, merged mainline, default in Ubuntu/Fedora
CONFIG_SCHED_AUTOGROUP=y

# SCHED_HRTICK: High-resolution scheduler ticks via hrtimers.
# Allows the scheduler to preempt at sub-millisecond boundaries --
# critical for PipeWire quantum timing (64-frame @ 48 kHz = 1.3 ms)
# and game frame pacing at >120 FPS. Without this, CFS only fires at
# the coarse HZ=1000 tick even with HIGH_RES_TIMERS=y.
# Source: Ingo Molnar, CachyOS, Nobara (enabled by default in both)
CONFIG_SCHED_HRTICK=y

# HIGH_RES_TIMERS: Sub-millisecond timer precision
# Required for: audio at low latency, smooth game frame pacing, HPET
CONFIG_HIGH_RES_TIMERS=y

# IRQ_TIME_ACCOUNTING: More accurate CPU time stats in /proc
CONFIG_IRQ_TIME_ACCOUNTING=y
CONFIG_BSD_PROCESS_ACCT=y
CONFIG_BSD_PROCESS_ACCT_V3=y

CONFIG_X86_LOCAL_APIC=y
CONFIG_X86_IO_APIC=y
CONFIG_X86_MCE=y
CONFIG_X86_MCE_INTEL=y
CONFIG_X86_MCE_AMD=y
CONFIG_X86_MCE_THRESHOLD=y
CONFIG_X86_THERMAL_VECTOR=y
CONFIG_MICROCODE=y
CONFIG_MICROCODE_INTEL=y
CONFIG_MICROCODE_AMD=y
CONFIG_MICROCODE_INITRD_EARLY=y
CONFIG_X86_MSR=y
CONFIG_X86_CPUID=y

# ==============================================================
# TICKLESS / HZ
# NO_HZ_FULL: Fully adaptive ticks -- CPUs running single threads
#             get NO timer interrupts (huge win for ML, video encode)
# HZ_1000: 1ms scheduler tick granularity
#          Liquorix/CachyOS/Nobara all use HZ=1000
# Source: https://www.kernel.org/doc/html/latest/timers/no_hz.html
# ==============================================================
CONFIG_NO_HZ_FULL=y
CONFIG_NO_HZ=y
CONFIG_HZ_1000=y
CONFIG_HZ=1000

CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_PHYSICAL_START=0x1000000
CONFIG_RELOCATABLE=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_PHYSICAL_ALIGN=0x200000
CONFIG_DYNAMIC_MEMORY_LAYOUT=y
CONFIG_RANDOMIZE_MEMORY=y
CONFIG_HOTPLUG_CPU=y
CONFIG_MODIFY_LDT_SYSCALL=y
CONFIG_NUMA=y
CONFIG_AMD_NUMA=y
CONFIG_X86_64_ACPI_NUMA=y
# CONFIG_NUMA_EMU is not set
CONFIG_NODES_SHIFT=6
CONFIG_SPARSEMEM=y
CONFIG_SPARSEMEM_EXTREME=y
CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
CONFIG_SPARSEMEM_VMEMMAP=y
CONFIG_MEMORY_ISOLATION=y
CONFIG_MEMORY_HOTPLUG=y
CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y
CONFIG_MEMORY_HOTREMOVE=y
CONFIG_COMPACTION=y
CONFIG_MIGRATION=y
CONFIG_ZONE_DMA=y
CONFIG_ZONE_DMA32=y
CONFIG_BOUNCE=y
CONFIG_MMU_NOTIFIER=y

# KSM: Kernel Same-page Merging -- saves RAM for VMs running same OS
CONFIG_KSM=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
CONFIG_MEMORY_FAILURE=y

# THP MADVISE: Apps/games that know they benefit can opt in
# ALWAYS wastes memory on small allocations -- MADVISE is the correct choice
CONFIG_TRANSPARENT_HUGEPAGE=y
# CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS is not set
CONFIG_TRANSPARENT_HUGEPAGE_MADVISE=y
CONFIG_THP_SWAP=y
CONFIG_READ_ONLY_THP_FOR_FS=y
CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y

# Stronger ASLR entropy -- 32-bit randomisation space
CONFIG_ARCH_MMAP_RND_BITS=32
CONFIG_ARCH_MMAP_RND_COMPAT_BITS=16

CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y
# CONFIG_PAGE_TABLE_CHECK is not set

# Spectre/Meltdown -- keep mitigations ON
# Gaming perf loss is <3% on modern hardware (Phoronix 2023)
CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_RETPOLINE=y

# ==============================================================
# IOMMU
# ==============================================================
CONFIG_IOMMU_SUPPORT=y
CONFIG_INTEL_IOMMU=y
# Leave IOMMU default OFF -- enable via boot param intel_iommu=on
# Forced ON breaks some hardware; opt-in is safer
CONFIG_INTEL_IOMMU_DEFAULT_ON=n
CONFIG_INTEL_IOMMU_SVM=y
CONFIG_IRQ_REMAP=y
CONFIG_AMD_IOMMU=y
CONFIG_AMD_IOMMU_V2=y

# IOMMU_SVA: Shared Virtual Addressing -- allows VFIO devices and
# GPU compute contexts to share address space with the CPU process.
# Required for: heterogeneous compute (OpenCL, SYCL), RDMA over VFIO,
# DMA-BUF sharing between GPU and NVMe (P2PDMA + IOMMU SVA).
# Source: Jacob Pan (Intel), merged Linux 5.14
CONFIG_IOMMU_SVA=y

# INTEL_IOMMU_PERF_EVENTS: VT-d IOMMU performance counters.
# Exposes IOMMU cache hit rates, fault counts, and queue depths
# to perf. Zero overhead when not sampling; critical for VFIO profiling.
CONFIG_INTEL_IOMMU_PERF_EVENTS=y

# X86_MEM_ENCRYPT: Umbrella Kconfig for all x86 transparent memory
# encryption (AMD SME/SEV, Intel TME/TDX). Required for KVM_AMD_SEV
# to actually encrypt guest pages; without this the SEV ioctl returns ENODEV.
# Source: AMD APM Vol 2, Intel TME spec, kernel.org/doc/html/latest/x86/
CONFIG_X86_MEM_ENCRYPT=y

# AMD_MEM_ENCRYPT: AMD Secure Memory Encryption driver.
#   SME  -- transparently encrypts all DRAM with one ephemeral key.
#          Enable at boot with: mem_encrypt=on
#   SEV  -- per-VM encryption; hypervisor cannot read guest RAM.
#   SEV-ES -- also encrypts guest CPU register state on every VM exit.
# Active-by-default=n keeps opt-in via cmdline (avoids breaking non-EPYC hw).
# Source: Brijesh Singh / Tom Lendacky (AMD), linux-kernel.org/doc/virt/kvm
CONFIG_AMD_MEM_ENCRYPT=y
CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=n

# INTEL_TDX_GUEST: Enable this kernel to boot as a TDX (Trust Domain
# Extensions) guest inside an Intel TDX-capable hypervisor/VMM.
# Zero overhead on non-TDX platforms -- early detection via CPUID.
# Source: Intel TDX Architecture Spec 1.5, merged Linux 6.7
CONFIG_INTEL_TDX_GUEST=y

# ==============================================================
# PREEMPTION
# CONFIG_PREEMPT: Full preemption -- lowest scheduling latency
# CONFIG_PREEMPT_DYNAMIC: Switch model at boot via preempt= param
#   preempt=none   -> server/throughput
#   preempt=voluntary -> balanced
#   preempt=full   -> gaming/desktop (default for Hyperion)
# Source: Liquorix (full preempt), CachyOS (dynamic preempt)
# ==============================================================
CONFIG_PREEMPT=y
CONFIG_PREEMPT_BUILD=y
CONFIG_PREEMPT_COUNT=y
CONFIG_PREEMPTION=y
CONFIG_PREEMPT_RCU=y
CONFIG_PREEMPT_DYNAMIC=y
# PREEMPT_LAZY: Linux 6.12+ "lazy preemption" mode -- between voluntary
# and full preemption. Defers preemption to natural reschedule points
# for throughput tasks while still preempting in IRQ/softirq context.
# With PREEMPT_DYNAMIC=y you can switch at boot:
#   preempt=none       -> server throughput
#   preempt=voluntary  -> balanced
#   preempt=lazy       -> dev/compile workloads (lazy mode)
#   preempt=full       -> gaming/audio (maximum responsiveness)
# Source: Peter Zijlstra, Thomas Gleixner -- merged Linux 6.12
CONFIG_PREEMPT_LAZY=y

# ==============================================================
# CPU IDLE
# TEO governor: best accuracy for sleep state selection
# Reduces wakeup latency vs MENU governor by ~15% (Intel measurements)
# ==============================================================
CONFIG_CPU_IDLE=y
CONFIG_CPU_IDLE_GOV_LADDER=y
CONFIG_CPU_IDLE_GOV_MENU=y
CONFIG_CPU_IDLE_GOV_TEO=y
CONFIG_CPU_IDLE_GOV_HALTPOLL=y
CONFIG_HALTPOLL_CPUIDLE=y
# INTEL_IDLE: Native Intel C-state driver -- required for C6/C8/C10 states
# Without this Intel CPUs fall back to ACPI idle, missing deep sleep states
CONFIG_INTEL_IDLE=y

# ==============================================================
# CPU FREQUENCY SCALING
# Performance governor default: all cores always at max boost
# AMD P-State mode 3 (Active EPP): Hardware-managed perf states
#   -- best Zen3/4 single-core boost behaviour
#   -- Phoronix 2023: 5-15% better gaming fps vs passive mode
# schedutil available for battery/power-saving profiles
# ==============================================================
CONFIG_CPU_FREQ=y
CONFIG_CPU_FREQ_STAT=y
CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y
CONFIG_CPU_FREQ_GOV_PERFORMANCE=y
CONFIG_CPU_FREQ_GOV_POWERSAVE=y
CONFIG_CPU_FREQ_GOV_USERSPACE=y
CONFIG_CPU_FREQ_GOV_ONDEMAND=y
CONFIG_CPU_FREQ_GOV_CONSERVATIVE=y
CONFIG_CPU_FREQ_GOV_SCHEDUTIL=y
CONFIG_X86_INTEL_PSTATE=y
CONFIG_X86_AMD_PSTATE=y
CONFIG_X86_AMD_PSTATE_DEFAULT_MODE=3
CONFIG_X86_ACPI_CPUFREQ=y
CONFIG_X86_ACPI_CPUFREQ_CPB=y

# ==============================================================
# ACPI / POWER MANAGEMENT
# ==============================================================
CONFIG_ACPI=y
CONFIG_ACPI_SLEEP=y
CONFIG_ACPI_AC=y
CONFIG_ACPI_BATTERY=y
CONFIG_ACPI_BUTTON=y
CONFIG_ACPI_FAN=y
CONFIG_ACPI_DOCK=y
CONFIG_ACPI_CPU_FREQ_PSS=y
CONFIG_ACPI_PROCESSOR_CSTATE=y
CONFIG_ACPI_PROCESSOR_IDLE=y
CONFIG_ACPI_THERMAL=y
CONFIG_ACPI_TABLE_UPGRADE=y
CONFIG_ACPI_PCI_SLOT=y
CONFIG_ACPI_CONTAINER=y
CONFIG_ACPI_HOTPLUG_IOAPIC=y
CONFIG_ACPI_HED=y
CONFIG_ACPI_BGRT=y
CONFIG_ACPI_NFIT=y
CONFIG_ACPI_NUMA=y
CONFIG_ACPI_HMAT=y
CONFIG_ACPI_APEI=y
CONFIG_ACPI_APEI_GHES=y
CONFIG_ACPI_APEI_PCIEAER=y
CONFIG_ACPI_APEI_MEMORY_FAILURE=y
CONFIG_ACPI_APEI_EINJ=y
CONFIG_ACPI_CPPC_LIB=y
CONFIG_ACPI_CPPC_CPUFREQ=y
# ACPI_CPPC_CPUFREQ_FAST_SWITCH: Enables the cpufreq fast-switch
# path for CPPC (AMD P-State passive). Allows frequency transitions
# from IRQ/scheduler context without locking -- eliminates the per-
# transition context-switch overhead in gaming and audio workloads.
# Source: Viresh Kumar, merged Linux 5.17
CONFIG_ACPI_CPPC_CPUFREQ_FAST_SWITCH=y
# ACPI_PLATFORM_PROFILE: exposes /sys/firmware/acpi/platform_profile
# (balanced / performance / low-power). Used by power-profiles-daemon
# which is the default power management backend on GNOME/KDE/Fedora.
CONFIG_ACPI_PLATFORM_PROFILE=y
# ACPI video: backlight control, brightness keys on all laptops
CONFIG_ACPI_VIDEO=y
# AMD HSMP: AMD Host System Management Port -- per-CCX power limits,
# boost override, and fabric bandwidth telemetry on EPYC/Threadripper.
CONFIG_AMD_HSMP=y
# AMD PMC: Power Management Controller -- enables s2idle (modern standby)
# on AMD Ryzen laptops. Without it, suspend-to-idle burns battery.
CONFIG_AMD_PMC=y
# AMD PMF: AMD Platform Management Framework -- dynamic power/performance
# profiles on Rembrandt (7xxx), Phoenix (7040), Hawk Point (8040)+.
# Enables "Smart Shift" eco/performance modes and AMD advantage features.
# Source: AMD, merged Linux 6.5+
CONFIG_AMD_PMF=y
# INTEL_HWP: Hardware-managed P-state -- Intel CPUs pick boost levels
# autonomously within EPP/EPB hints. Lower software overhead than sw governors.
CONFIG_X86_HWP=y
# CPU_FREQ_TIMES already present; add thermal pressure feedback
CONFIG_THERMAL_PRESSURE=y
CONFIG_PM=y
CONFIG_PM_SLEEP=y
CONFIG_SUSPEND=y
CONFIG_SUSPEND_FREEZER=y
CONFIG_HIBERNATION=y

# ==============================================================
# RUNTIME POWER MANAGEMENT -- Desktop-stable configuration
# ==============================================================
#
# WHY PM_RUNTIME IS KEPT ENABLED:
#   CONFIG_PM_RUNTIME=y is mandatory infrastructure -- disabling it
#   would break PCI, GPU, SATA, and NVMe power states entirely.
#   The Linux USB autosuspend problem is NOT caused by PM_RUNTIME
#   itself, but by the usbcore module's default autosuspend delay
#   (2 seconds) and device-level power/control="auto" policy.
#   The correct fix is surgical: set CONFIG_USB_AUTOSUSPEND_DELAY=-1
#   at the kernel config level and enforce power/control="on" via
#   udev rules for HID, audio, and input class devices.
#   Disabling PM_RUNTIME globally would prevent GPU D3cold, NVMe
#   APST, and PCIe link state management -- unacceptable regressions.
#
CONFIG_PM_RUNTIME=y
CONFIG_PM_CLK=y
CONFIG_PM_GENERIC_DOMAINS=y
CONFIG_ENERGY_MODEL=y

# ==============================================================
# USB AUTOSUSPEND -- PERMANENTLY DISABLED AT KERNEL DEFAULT LEVEL
# ==============================================================
#
# ROOT CAUSE OF USB INPUT/AUDIO DEVICE SLEEP:
#   The Linux USB subsystem has an "autosuspend" mechanism that
#   automatically suspends USB devices after an idle period. The
#   kernel default is 2 seconds (USB_AUTOSUSPEND_DELAY=2). This
#   causes keyboards to freeze mid-session, mice to stutter after
#   brief pauses, and USB audio DACs to drop their connection --
#   producing the classic "USB device reconnected" pop or silence.
#
#   This is especially acute with xHCI (USB3 controllers) due to
#   a known firmware/spec ambiguity that causes some controllers
#   to drop power from ports more aggressively than EHCI did.
#   References: kernel.org/doc/Documentation/usb/power-management.txt
#               Sarah Sharp (Intel xHCI maintainer, 2013 analysis)
#
# CONFIG_USB_AUTOSUSPEND_DELAY=-1:
#   Sets the KERNEL DEFAULT idle-delay for all USB devices to -1,
#   meaning "never autosuspend". Every new USB device attached
#   boots with autosuspend disabled -- no userspace daemon or udev
#   rule required to catch it first.
#
#   Without this, the 2-second default means that a USB keyboard
#   pausing for 2+ seconds (e.g., while you read, while a cutscene
#   plays, while the system is under GPU load with no mouse movement)
#   will be suspended. The NEXT keypress wakes it, but the resume
#   latency (5-50 ms depending on hub and device) causes a dropped
#   first keystroke or a stuck modifier key.
#
#   Setting -1 here is equivalent to adding usbcore.autosuspend=-1
#   to the kernel cmdline -- but is now baked into the binary itself,
#   making it the safe default even if the bootloader cmdline is lost.
#   Source: drivers/usb/core/Kconfig, patchwork.kernel.org/2019/patch
#           Mans Rullgard, Greg Kroah-Hartman review (2019)
#
CONFIG_USB_AUTOSUSPEND_DELAY=-1

# ==============================================================
# PCI
# ==============================================================
CONFIG_PCI=y
CONFIG_PCI_DIRECT=y
CONFIG_PCI_MMCONFIG=y
CONFIG_PCI_DOMAINS=y
CONFIG_PCIEPORTBUS=y
CONFIG_HOTPLUG_PCI_PCIE=y
CONFIG_PCIEAER=y
CONFIG_PCIEASPM=y
CONFIG_PCIEASPM_DEFAULT=y
CONFIG_PCIE_PME=y
CONFIG_PCIE_DPC=y
CONFIG_PCIE_PTM=y
CONFIG_PCIE_BW=y
CONFIG_PCIE_EDR=y
CONFIG_PCI_MSI=y
CONFIG_PCI_QUIRKS=y
CONFIG_PCI_REALLOC_ENABLE_AUTO=y
CONFIG_PCI_STUB=y
CONFIG_PCI_ATS=y
CONFIG_PCI_IOV=y
CONFIG_PCI_PASID=y
# P2PDMA: GPU/NVMe peer-to-peer DMA -- streaming game assets GPU<->NVMe
CONFIG_PCI_P2PDMA=y
CONFIG_PCIE_BUS_DEFAULT=y
CONFIG_HOTPLUG_PCI=y
CONFIG_HOTPLUG_PCI_ACPI=y

# ==============================================================
# EXECUTABLE FILE FORMATS
# ==============================================================
CONFIG_BINFMT_ELF=y
CONFIG_COMPAT_BINFMT_ELF=y
CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y
CONFIG_BINFMT_SCRIPT=y
CONFIG_BINFMT_MISC=y

# ==============================================================
# MEMORY MANAGEMENT
# Key goal: defeat OOM before it happens; reclaim intelligently
# ==============================================================
CONFIG_ZPOOL=y
CONFIG_ZBUD=y
CONFIG_Z3FOLD=y
CONFIG_ZSMALLOC=y
# CONFIG_ZSMALLOC_STAT is not set

# ZSWAP: Compressed swap cache in RAM -- transparent swap that's 5-10x
# faster than disk swap. ZSTD: better ratio than LZ4, still fast.
# Source: Phoronix ZSTD vs LZ4 benchmarks, CachyOS config
CONFIG_ZSWAP=y
CONFIG_ZSWAP_DEFAULT_ON=y
CONFIG_ZSWAP_ZPOOL_DEFAULT_ZSMALLOC=y
# CONFIG_ZSWAP_COMPRESSOR_DEFAULT_LZ4 is not set
CONFIG_ZSWAP_COMPRESSOR_DEFAULT_ZSTD=y
# ZSWAP_SHRINKER: Evicts cold zswap entries back to disk before pool saturates
# Without this zswap silently fills up and stops accepting pages -- causes stalls
CONFIG_ZSWAP_SHRINKER_DEFAULT_ON=y

# ZRAM: Compressed block device in RAM for swap
CONFIG_ZRAM=y
CONFIG_ZRAM_WRITEBACK=y
# CONFIG_ZRAM_MEMORY_TRACKING is not set
CONFIG_ZRAM_DEF_COMP_ZSTD=y

CONFIG_MEM_SOFT_DIRTY=y
CONFIG_USERFAULTFD=y
# PER_VMA_LOCK: Per-VMA mmap locking -- reduces contention on multi-threaded workloads
# Significant win for games, browsers, JVMs. Merged 6.7, well-tested.
CONFIG_PER_VMA_LOCK=y

# MGLRU: Multi-Generational LRU -- Google's page reclaim algorithm
# Merged in Linux 6.1; default in Android, ChromeOS, CachyOS
# Reduces memory stutter by 16-30% under pressure (Google internal data)
# Reference: https://lore.kernel.org/lkml/20220407031525.2368067-1-yuzhao@google.com/
CONFIG_LRU_GEN=y
CONFIG_LRU_GEN_ENABLED=y
# CONFIG_LRU_GEN_STATS is not set

# PSI: Pressure Stall Information -- shows memory/CPU/IO pressure
# before processes are killed. Essential for no-silent-OOM goal.
CONFIG_PSI=y
CONFIG_PSI_DEFAULT_DISABLED=n

CONFIG_NUMA_BALANCING=y
CONFIG_NUMA_BALANCING_DEFAULT_ENABLED=y
# CONFIG_COMPACTION already set above -- duplicate suppressed
CONFIG_HUGETLBFS=y
CONFIG_HUGETLB_PAGE=y
# HUGETLB_PAGE_OPTIMIZE_VMEMMAP: Frees the struct page array used
# to describe each 4 KB sub-page inside a 2 MB huge page.
# Saves 7 struct page entries (448 bytes) per 2 MB THP -- meaningful
# on systems running games or JVMs with hundreds of thousands of THPs.
# Source: Muchun Song (ByteDance), merged Linux 5.14
CONFIG_HUGETLB_PAGE_OPTIMIZE_VMEMMAP=y
CONFIG_CMA=y
CONFIG_CMA_SIZE_SEL_MBYTES=y
CONFIG_CMA_SIZE_MBYTES=0

# DAMON: Data Access MONitor -- intelligent memory reclaim
# Developed by SeongJae Park (Amazon/kernel.org)
# DAMON_RECLAIM: automatically reclines cold pages before OOM
CONFIG_DAMON=y
CONFIG_DAMON_VADDR=y
CONFIG_DAMON_PADDR=y
CONFIG_DAMON_SYSFS=y
CONFIG_DAMON_RECLAIM=y
CONFIG_DAMON_LRU_SORT=y

# Skip zero-fill on alloc/free -- measurable perf gain, acceptable risk on desktop
# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set

# SLUB: Best production allocator -- no debug overhead
# CONFIG_SLUB_DEBUG is not set
CONFIG_SLUB=y
CONFIG_SLUB_CPU_PARTIAL=y

# ==============================================================
# LATENCY MONITORING
# ==============================================================
CONFIG_LATENCYTOP=y
CONFIG_SCHEDSTATS=y

# ==============================================================
# NETWORKING
# ==============================================================
CONFIG_NET=y
CONFIG_PACKET=y
CONFIG_UNIX=y
CONFIG_UNIX_SCM=y
CONFIG_TLS=y
CONFIG_TLS_DEVICE=y
CONFIG_XFRM=y
CONFIG_XFRM_OFFLOAD=y
CONFIG_XFRM_STATISTICS=y
CONFIG_XFRM_ALGO=y
CONFIG_XFRM_USER=y
CONFIG_XFRM_INTERFACE=y
CONFIG_NET_KEY=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_NET_IPIP=y
CONFIG_NET_IPGRE_DEMUX=y
CONFIG_NET_IP_TUNNEL=y
CONFIG_NET_IPGRE=y
CONFIG_NET_IPGRE_BROADCAST=y
# L2TP: Layer 2 Tunneling Protocol -- used by many enterprise VPNs,
# ISP PPPoE/PPPoL2TP links, and some gaming VPN services.
# L2TP_V3: L2TPv3 Ethernet/VLAN/PPP pseudowires over IP.
CONFIG_L2TP=y
CONFIG_L2TP_DEBUGFS=n
CONFIG_L2TP_V3=y
CONFIG_L2TP_IP=y
CONFIG_L2TP_ETH=y
CONFIG_IP_MROUTE_COMMON=y
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_SYN_COOKIES=y
CONFIG_NET_IPVTI=y
CONFIG_NET_UDP_TUNNEL=y
CONFIG_NET_FOU=y
CONFIG_INET_AH=y
CONFIG_INET_ESP=y
CONFIG_INET_IPCOMP=y
CONFIG_INET_TUNNEL=y
# Built-in (not module) -- ss, nethogs, systemd-networkd call this constantly
CONFIG_INET_DIAG=y
CONFIG_INET_TCP_DIAG=y
CONFIG_TCP_CONG_ADVANCED=y
CONFIG_TCP_CONG_BIC=y
CONFIG_TCP_CONG_CUBIC=y
CONFIG_TCP_CONG_WESTWOOD=y
CONFIG_TCP_CONG_HTCP=y

# BBR: Google's congestion control -- best gaming/streaming latency
# Avoids Reno/CUBIC's bufferbloat -- crucial on home ISP connections
# Source: https://github.com/google/bbr
CONFIG_TCP_CONG_BBR=y
CONFIG_DEFAULT_BBR=y
CONFIG_DEFAULT_TCP_CONG="bbr"
CONFIG_TCP_MD5SIG=y
CONFIG_IPV6=y
CONFIG_IPV6_ROUTER_PREF=y
CONFIG_IPV6_OPTIMISTIC_DAD=y
CONFIG_INET6_AH=y
CONFIG_INET6_ESP=y
CONFIG_INET6_IPCOMP=y
CONFIG_IPV6_MIP6=y
CONFIG_IPV6_VTI=y
CONFIG_IPV6_SIT=y
CONFIG_IPV6_TUNNEL=y
CONFIG_IPV6_GRE=y
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_IPV6_SUBTREES=y
CONFIG_IPV6_MROUTE=y
CONFIG_MPTCP=y
CONFIG_NETWORK_SECMARK=y
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_BRIDGE_NETFILTER=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_FAMILY_BRIDGE=y
CONFIG_NETFILTER_FAMILY_ARP=y
CONFIG_NETFILTER_NETLINK_ACCT=y
CONFIG_NETFILTER_NETLINK_QUEUE=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NF_CONNTRACK=y
CONFIG_NF_LOG_SYSLOG=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_ZONES=y
CONFIG_NF_CONNTRACK_PROCFS=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_TIMEOUT=y
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_CONNTRACK_IRC=y
CONFIG_NF_CONNTRACK_SIP=y
CONFIG_NF_CT_NETLINK=y
CONFIG_NF_NAT=y
CONFIG_NF_NAT_MASQUERADE=y
CONFIG_NETFILTER_SYNPROXY=y
CONFIG_NF_TABLES=y
CONFIG_NF_TABLES_INET=y
CONFIG_NF_TABLES_NETDEV=y
CONFIG_NFT_NUMGEN=y
CONFIG_NFT_CT=y
CONFIG_NFT_CONNLIMIT=y
CONFIG_NFT_LOG=y
CONFIG_NFT_LIMIT=y
CONFIG_NFT_MASQ=y
CONFIG_NFT_REDIR=y
CONFIG_NFT_NAT=y
CONFIG_NFT_QUOTA=y
CONFIG_NFT_REJECT=y
CONFIG_NFT_REJECT_INET=y
CONFIG_NFT_COMPAT=y
CONFIG_NFT_HASH=y
CONFIG_NFT_FIB=y
CONFIG_NFT_FIB_INET=y
CONFIG_NFT_XFRM=y
CONFIG_NFT_SOCKET=y
CONFIG_NFT_OSF=y
CONFIG_NFT_TPROXY=y
CONFIG_NFT_SYNPROXY=y
CONFIG_NF_FLOW_TABLE_INET=y
CONFIG_NF_FLOW_TABLE=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MARK=y
CONFIG_NETFILTER_XT_CONNMARK=y
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
CONFIG_NETFILTER_XT_TARGET_CT=y
CONFIG_NETFILTER_XT_TARGET_DSCP=y
CONFIG_NETFILTER_XT_TARGET_LOG=y
CONFIG_NETFILTER_XT_TARGET_MARK=y
CONFIG_NETFILTER_XT_TARGET_MASQUERADE=y
CONFIG_NETFILTER_XT_TARGET_NETMAP=y
CONFIG_NETFILTER_XT_TARGET_NFLOG=y
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
CONFIG_NETFILTER_XT_TARGET_TEE=y
CONFIG_NETFILTER_XT_TARGET_TPROXY=y
# NETFILTER_XT_TARGET_CHECKSUM: Fix IP/TCP/UDP checksums on mangled packets.
# Critical for VM/container DHCP and DNS to work correctly -- without this
# guests behind NAT receive packets with bad checksums that are silently dropped.
# Source: Waydroid GitHub #network, Docker iptables rules
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=y
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
CONFIG_NETFILTER_XT_MATCH_COMMENT=y
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_DSCP=y
CONFIG_NETFILTER_XT_MATCH_ECN=y
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
CONFIG_NETFILTER_XT_MATCH_HELPER=y
CONFIG_NETFILTER_XT_MATCH_IPRANGE=y
CONFIG_NETFILTER_XT_MATCH_LENGTH=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_MAC=y
CONFIG_NETFILTER_XT_MATCH_MARK=y
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
CONFIG_NETFILTER_XT_MATCH_OWNER=y
CONFIG_NETFILTER_XT_MATCH_POLICY=y
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
CONFIG_NETFILTER_XT_MATCH_QUOTA=y
CONFIG_NETFILTER_XT_MATCH_RECENT=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
CONFIG_NETFILTER_XT_MATCH_STRING=y
CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
CONFIG_NETFILTER_XT_MATCH_TIME=y
CONFIG_NETFILTER_XT_MATCH_U32=y
CONFIG_IP_SET=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_AH=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_RPFILTER=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_RAW=y
CONFIG_IP6_NF_IPTABLES=y
CONFIG_IP6_NF_FILTER=y
CONFIG_IP6_NF_TARGET_REJECT=y
CONFIG_IP6_NF_NAT=y
CONFIG_IP6_NF_MANGLE=y
CONFIG_IP6_NF_RAW=y

# FQ qdisc: per-flow fair queuing -- default for all interfaces
# Eliminates bufferbloat: game packets not queued behind bulk transfers
CONFIG_NET_SCHED=y
CONFIG_NET_SCH_HTB=y
CONFIG_NET_SCH_HFSC=y
CONFIG_NET_SCH_PRIO=y
CONFIG_NET_SCH_RED=y
CONFIG_NET_SCH_SFQ=y
CONFIG_NET_SCH_TBF=y
CONFIG_NET_SCH_NETEM=y
CONFIG_NET_SCH_DRR=y
CONFIG_NET_SCH_MQPRIO=y
CONFIG_NET_SCH_CODEL=y
CONFIG_NET_SCH_FQ_CODEL=y
CONFIG_NET_SCH_CAKE=y
CONFIG_NET_SCH_FQ=y
CONFIG_NET_SCH_PIE=y
CONFIG_NET_SCH_INGRESS=y
CONFIG_NET_SCH_ETS=y
CONFIG_NET_SCH_DEFAULT=y
CONFIG_DEFAULT_FQ=y
CONFIG_DEFAULT_NET_SCH="fq"

# NET_SCH_TAPRIO: Time-Aware Priority Shaper (IEEE 802.1Qbv).
# Required for SO_TXTIME and SCM_TXTIME UDP packet pacing --
# the foundation of QUIC/HTTP3 and modern game networking stacks
# that need to pace packet transmission to avoid bursts.
# Also required by PTP hardware timestamping for <1 µs network sync.
# Source: Vinicius Costa Gomes (Intel), merged Linux 5.2
CONFIG_NET_SCH_TAPRIO=y

# NET_SCH_ETF: Earliest TxTime First -- precision egress scheduling.
# Used in conjunction with SO_TXTIME for sub-millisecond packet
# timing in time-sensitive networking (TSN) and real-time audio.
CONFIG_NET_SCH_ETF=y

# NET_EMATCH: Extended match framework for TC classifiers.
# Required by complex TC rules that match on multiple packet fields.
CONFIG_NET_EMATCH=y
CONFIG_NET_EMATCH_STACK=32
CONFIG_NET_EMATCH_CMP=y
CONFIG_NET_EMATCH_NBYTE=y
CONFIG_NET_EMATCH_U32=y
CONFIG_NET_EMATCH_META=y
CONFIG_NET_EMATCH_TEXT=y
CONFIG_NET_EMATCH_IPSET=y
CONFIG_NET_EMATCH_IPT=y
CONFIG_NET_CLS_BASIC=y
CONFIG_NET_CLS_FLOW=y
CONFIG_NET_CLS_CGROUP=y
CONFIG_NET_CLS_BPF=y
CONFIG_NET_CLS_FLOWER=y
CONFIG_NET_CLS_MATCHALL=y
CONFIG_NET_CLS_ACT=y
CONFIG_NET_ACT_POLICE=y
CONFIG_NET_ACT_GACT=y
CONFIG_NET_ACT_MIRRED=y
CONFIG_NET_ACT_PEDIT=y
CONFIG_NET_ACT_SKBEDIT=y
CONFIG_NET_ACT_CSUM=y
CONFIG_NET_ACT_VLAN=y
CONFIG_NET_ACT_BPF=y
CONFIG_NET_ACT_CONNMARK=y
CONFIG_NET_ACT_TUNNEL_KEY=y
CONFIG_NET_BRIDGE=y
CONFIG_NET_BRIDGE_IGMP_SNOOPING=y
CONFIG_NET_BRIDGE_VLAN_FILTERING=y
CONFIG_VLAN_8021Q=y
CONFIG_VLAN_8021Q_GVRP=y
CONFIG_OPENVSWITCH=y
CONFIG_VSOCKETS=y
CONFIG_VSOCKETS_DIAG=y
CONFIG_VIRTIO_VSOCKETS=y
CONFIG_VIRTIO_VSOCKETS_COMMON=y
CONFIG_HYPERV_VSOCKETS=y
CONFIG_NETLINK_DIAG=y
CONFIG_MPLS=y
CONFIG_NET_MPLS_GSO=y
CONFIG_MPLS_ROUTING=y
CONFIG_MPLS_IPTUNNEL=y
CONFIG_NET_SWITCHDEV=y
CONFIG_NET_L3_MASTER_DEV=y
CONFIG_RPS=y
CONFIG_RFS_ACCEL=y
CONFIG_SOCK_RX_QUEUE_MAPPING=y
CONFIG_XPS=y
CONFIG_CGROUP_NET_PRIO=y
CONFIG_CGROUP_NET_CLASSID=y
CONFIG_BQL=y
CONFIG_BPF_STREAM_PARSER=y
CONFIG_DNS_RESOLVER=y
CONFIG_WIRELESS=y

# PAGE_POOL: Per-device page recycling for network receive paths.
# NICs that support it (Intel, Mellanox, AMD/Pensando) reuse pages
# instead of alloc/free on every packet -- critical for line-rate
# performance. Required by XDP for zero-copy receive.
CONFIG_PAGE_POOL=y
CONFIG_PAGE_POOL_STATS=y

# ETHTOOL_NETLINK: Newer netlink-based ethtool interface.
# Required by ethtool 5.x+, iproute2, and network managers.
# Allows ring-size tuning, coalesce settings, and RSS config
# without ioctl overhead.
CONFIG_ETHTOOL_NETLINK=y

# NET_SOCK_MSG: BPF sockmap and socket message programs.
# Required for Cilium eBPF load balancing, Envoy proxy
# acceleration, and userspace app acceleration via sockmap.
CONFIG_NET_SOCK_MSG=y

# SKB_EXTENSIONS: Extension mechanism for per-packet metadata
# (timestamps, marks, HW offload hints). Required by TC, XDP,
# and WireGuard for per-packet data without skb bloat.
CONFIG_SKB_EXTENSIONS=y
CONFIG_CFG80211=y
CONFIG_CFG80211_DEFAULT_PS=y
CONFIG_MAC80211=y
CONFIG_MAC80211_RC_MINSTREL=y
CONFIG_MAC80211_RC_DEFAULT_MINSTREL=y
CONFIG_RFKILL=y
CONFIG_NET_9P=y
CONFIG_NET_9P_VIRTIO=y
CONFIG_CEPH_LIB=y
CONFIG_PSAMPLE=y
CONFIG_LWTUNNEL=y
CONFIG_LWTUNNEL_BPF=y

# BPF: eBPF JIT -- XDP network acceleration, observability, security
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT_DEFAULT_ON=y
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
CONFIG_BPF_EVENTS=y
CONFIG_BPF_LSM=y
# SOCK_MAP: eBPF sockmap redirect -- zero-copy socket redirection
# between sockets. Used by Cilium, Envoy, Istio service meshes
# and any eBPF-accelerated proxy for inter-process networking.
CONFIG_SOCK_MAP=y
CONFIG_XDP_SOCKETS=y
CONFIG_XDP_SOCKETS_DIAG=y
CONFIG_AF_XDP=y

# ==============================================================
# DEVICE DRIVERS
# ==============================================================
CONFIG_DEVMEM=y
# CONFIG_DEVKMEM is not set
CONFIG_HW_RANDOM=y
CONFIG_HW_RANDOM_INTEL=y
CONFIG_HW_RANDOM_AMD=y
CONFIG_HW_RANDOM_VIA=y
CONFIG_HW_RANDOM_VIRTIO=y
CONFIG_HPET=y
CONFIG_HPET_MMAP=y
CONFIG_HPET_MMAP_DEFAULT=y
CONFIG_TCG_TPM=y
CONFIG_TCG_TIS=y
CONFIG_DEVPORT=y
CONFIG_I2C=y
CONFIG_I2C_BOARDINFO=y
CONFIG_I2C_COMPAT=y
CONFIG_I2C_CHARDEV=y
CONFIG_I2C_SMBUS=y
CONFIG_I2C_ALGOBIT=y
CONFIG_I2C_PIIX4=y
CONFIG_I2C_ISMT=y
CONFIG_I2C_I801=y
CONFIG_SPI=y
CONFIG_PINCTRL=y
CONFIG_PINCTRL_AMD=y
CONFIG_PINCTRL_INTEL=y
CONFIG_PINCTRL_ALDERLAKE=y
CONFIG_PINCTRL_METEORLAKE=y
CONFIG_PINCTRL_CANNONLAKE=y
CONFIG_PINCTRL_COMETLAKE=y
CONFIG_PINCTRL_GEMINILAKE=y
CONFIG_PINCTRL_ICELAKE=y
CONFIG_PINCTRL_JASPERLAKE=y
CONFIG_PINCTRL_LYNXPOINT=y
CONFIG_PINCTRL_SUNRISE=y
CONFIG_PINCTRL_TIGERLAKE=y
CONFIG_GPIOLIB=y
CONFIG_GPIO_SYSFS=y
CONFIG_GPIO_VIRTIO=y
CONFIG_POWER_SUPPLY=y

# ==============================================================
# HARDWARE MONITORING & THERMAL
# SENSORS_CORETEMP: Intel per-core temperature
# SENSORS_K10TEMP: AMD CPU die and CCD temperatures
# SENSORS_NCT6775: Most desktop motherboard Super-I/O chips (fan control)
# THERMAL_GOV_POWER_ALLOCATOR: Smarter than step_wise -- avoids cliff throttle
#   Uses power budget allocation across CPU/GPU rather than hard cuts
#   Source: Intel Open Source Technology Center
# ==============================================================
CONFIG_HWMON=y
CONFIG_HWMON_VID=y
CONFIG_SENSORS_ACPI_POWER=y
CONFIG_SENSORS_CORETEMP=y
CONFIG_SENSORS_DRIVETEMP=y
CONFIG_SENSORS_IT87=y
CONFIG_SENSORS_K10TEMP=y
CONFIG_SENSORS_NCT6775_CORE=y
CONFIG_SENSORS_NCT6775=y
CONFIG_THERMAL=y
CONFIG_THERMAL_HWMON=y
CONFIG_THERMAL_OF=y
CONFIG_THERMAL_DEFAULT_GOV_POWER_ALLOCATOR=y
CONFIG_THERMAL_GOV_FAIR_SHARE=y
CONFIG_THERMAL_GOV_STEP_WISE=y
CONFIG_THERMAL_GOV_USER_SPACE=y
CONFIG_THERMAL_GOV_POWER_ALLOCATOR=y
CONFIG_CPU_THERMAL=y
CONFIG_INT340X_THERMAL=y
CONFIG_INTEL_PCH_THERMAL=y

# ==============================================================
# WATCHDOG -- Never silently hang
# ==============================================================
CONFIG_WATCHDOG=y
CONFIG_WATCHDOG_CORE=y
CONFIG_WATCHDOG_NOWAYOUT=n
CONFIG_WATCHDOG_HANDLE_BOOT_ENABLED=y
CONFIG_SOFT_WATCHDOG=y
CONFIG_ITCO_WDT=y
CONFIG_WDAT_WDT=y
CONFIG_SP5100_TCO=y

CONFIG_MFD_CORE=y
CONFIG_MFD_INTEL_LPSS_PCI=y
CONFIG_MFD_INTEL_LPSS_ACPI=y
CONFIG_MFD_INTEL_PMT=y
CONFIG_MFD_SYSCON=y
CONFIG_REGULATOR=y
CONFIG_REGULATOR_FIXED_VOLTAGE=y

# ==============================================================
# GRAPHICS
# DRM_FBDEV_OVERALLOC=200: Extra framebuffer space for HiDPI
# DRM_AMD_DC_FP: Floating point in display core (required for RDNA2+)
# DRM_AMD_DC_HDCP: HDCP for content protection
# HSA_AMD: ROCm compute -- ML, video encode offload, gaming shaders
# DRM_SYNCOBJ_TIMELINE: Required for Vulkan timeline semaphores
# ==============================================================
CONFIG_AGP=y
CONFIG_AGP_AMD64=y
CONFIG_AGP_INTEL=y
CONFIG_INTEL_GTT=y
CONFIG_VGA_ARB=y
CONFIG_VGA_ARB_MAX_GPUS=16
CONFIG_VGA_SWITCHEROO=y
CONFIG_DRM=y
CONFIG_DRM_MIPI_DSI=y
CONFIG_DRM_DP_AUX_BUS=y
CONFIG_DRM_KMS_HELPER=y
CONFIG_DRM_FBDEV_EMULATION=y
CONFIG_DRM_FBDEV_OVERALLOC=200
CONFIG_DRM_DP_CEC=y
CONFIG_DRM_TTM=y
CONFIG_DRM_TTM_HELPER=y
CONFIG_DRM_EXEC=y
CONFIG_DRM_BUDDY=y
CONFIG_DRM_SCHED=y
CONFIG_DRM_DISPLAY_HELPER=y
CONFIG_DRM_DISPLAY_DP_HELPER=y
CONFIG_DRM_DISPLAY_HDMI_HELPER=y
CONFIG_DRM_GEM_SHMEM_HELPER=y
CONFIG_DRM_PANEL_ORIENTATION_QUIRKS=y
CONFIG_DRM_I915=y
CONFIG_DRM_I915_CAPTURE_ERROR=y
CONFIG_DRM_I915_COMPRESS_ERROR=y
CONFIG_DRM_I915_USERPTR=y
CONFIG_DRM_XE=y
CONFIG_DRM_AMDGPU=y
CONFIG_DRM_AMDGPU_SI=y
CONFIG_DRM_AMDGPU_CIK=y
CONFIG_DRM_AMDGPU_USERPTR=y
CONFIG_DRM_AMD_DC=y
CONFIG_DRM_AMD_DC_FP=y
CONFIG_DRM_AMD_DC_HDCP=y
CONFIG_HSA_AMD=y
CONFIG_DRM_NOUVEAU=y
CONFIG_DRM_VGEM=y
CONFIG_DRM_VKMS=y
CONFIG_DRM_VMWGFX=y
CONFIG_DRM_BOCHS=y
CONFIG_DRM_QXL=y
CONFIG_DRM_VIRTIO_GPU=y
CONFIG_DRM_SYNCOBJ=y
CONFIG_DRM_SYNCOBJ_TIMELINE=y
CONFIG_DRM_PRIME=y

# DRM_GPUVM: GPU Virtual Memory manager framework.
# Required by modern Mesa Vulkan drivers (radv for RDNA2/3,
# anv for Intel Arc) to manage GPU address spaces without
# driver-specific hacks. Also required for SR-IOV GPU
# virtualisation on Intel Xe GPUs (Arc workstation cards).
# Upstream merged Linux 6.7. Without this, Mesa 24.1+ falls
# back to slower legacy address space management.
# Source: Thomas Hellström (Intel), lore.kernel.org 2023
CONFIG_DRM_GPUVM=y

# DRM_EXEC: GPU Execution context manager.
# Provides the lock-based GPU object reservation framework
# used by AMDGPU, Intel XE, and Nouveau for correct
# multi-object GPU command submission without deadlocks.
# Required for hardware-accelerated video decode on RDNA3+ via Mesa VCN.
CONFIG_DRM_EXEC=y

# GPU_SCHED (DRM_SCHED): GPU job scheduler.
# Provides multi-ring, priority-aware GPU job scheduling.
# Used by amdgpu, xe, nouveau, and virtio-gpu.
# Without this, GPU preemption and priority inversion
# avoidance do not function -- game frame pacing degrades.
CONFIG_DRM_SCHED=y

# DRM_PANEL_SIMPLE / DRM_BRIDGE: Extended display support.
# Covers eDP panels on AMD/Intel laptops using bridge chips.
# Without this, some laptop internal displays show as unconfigured.
CONFIG_DRM_BRIDGE=y
CONFIG_DRM_PANEL=y
CONFIG_DRM_PANEL_SIMPLE=y

# ==============================================================
# FRAMEBUFFER
# ==============================================================
CONFIG_FB=y
CONFIG_FIRMWARE_EDID=y
CONFIG_FB_CMDLINE=y
CONFIG_FB_NOTIFY=y
CONFIG_FB_CFB_FILLRECT=y
CONFIG_FB_CFB_COPYAREA=y
CONFIG_FB_CFB_IMAGEBLIT=y
CONFIG_FB_DEFERRED_IO=y
CONFIG_FB_EFI=y
CONFIG_FB_SIMPLE=y
CONFIG_FB_HYPERV=y
CONFIG_BACKLIGHT_CLASS_DEVICE=y
CONFIG_BACKLIGHT_GENERIC=y
CONFIG_VGA_CONSOLE=y
CONFIG_DUMMY_CONSOLE=y
CONFIG_DUMMY_CONSOLE_COLUMNS=80
CONFIG_DUMMY_CONSOLE_ROWS=25
CONFIG_FRAMEBUFFER_CONSOLE=y
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y
CONFIG_LOGO=y
CONFIG_LOGO_LINUX_MONO=y
CONFIG_LOGO_LINUX_VGA16=y
CONFIG_LOGO_LINUX_CLUT224=y

# ==============================================================
# SOUND -- Low-latency audio
# SND_HRTIMER: Sub-millisecond audio scheduling (PipeWire/JACK)
# ==============================================================
CONFIG_SOUND=y
CONFIG_SND=y
CONFIG_SND_SEQUENCER=y
CONFIG_SND_MIXER_OSS=y
CONFIG_SND_PCM_OSS=y
CONFIG_SND_PCM_TIMER=y
CONFIG_SND_HRTIMER=y
CONFIG_SND_DYNAMIC_MINORS=y
CONFIG_SND_PROC_FS=y
CONFIG_SND_JACK=y
CONFIG_SND_PCI=y
CONFIG_SND_HDA_INTEL=y
CONFIG_SND_HDA_HWDEP=y
CONFIG_SND_HDA_RECONFIG=y
CONFIG_SND_HDA_INPUT_BEEP=y
CONFIG_SND_HDA_PATCH_LOADER=y
CONFIG_SND_HDA_CODEC_REALTEK=y
CONFIG_SND_HDA_CODEC_ANALOG=y
CONFIG_SND_HDA_CODEC_SIGMATEL=y
CONFIG_SND_HDA_CODEC_VIA=y
CONFIG_SND_HDA_CODEC_HDMI=y
CONFIG_SND_HDA_CODEC_CONEXANT=y
CONFIG_SND_HDA_GENERIC=y
CONFIG_SND_USB_AUDIO=y
# SND_USB_AUDIO autosuspend note:
#   USB audio (class 0x01) is THE most common victim of autosuspend.
#   Symptoms: DAC clicks/pops on resume, audio dropout after 2+ seconds
#   of silence, PipeWire/PulseAudio reporting device lost, ALSA xruns.
#   With USB_AUTOSUSPEND_DELAY=-1 + udev power/control="on" for class
#   0x01, the snd-usb-audio driver will NEVER idle-suspend its device.
#   The USB DAC stays in D0 (fully powered) at all times -- no click
#   transients, no resume delay, no ALSA underrun on re-activation.
#   Extra: add to /etc/modprobe.d/snd-usb-audio.conf if needed:
#     options snd-usb-audio ignore_ctl_error=1 implicit_fb=1
CONFIG_SND_SOC=y
CONFIG_SND_DUMMY=y
CONFIG_SND_ALOOP=y

# ==============================================================
# SOC AUDIO -- Intel/AMD laptop audio (Chromebook, modern laptops)
# SND_SOC is the ALSA framework for embedded/SoC audio paths.
# Without these, audio on most modern Intel/AMD laptops (especially
# post-2020 Chromebooks, Dell XPS, Lenovo ThinkPad) produces silence.
# ==============================================================
# CONFIG_SND_SOC already set above -- duplicate suppressed
CONFIG_SND_SOC_ACPI=y
# Intel SOF: Sound Open Firmware -- all Ice Lake/Tiger Lake/ADL/RPL laptops
CONFIG_SND_SOC_SOF_TOPLEVEL=y
CONFIG_SND_SOC_SOF_PCI=y
CONFIG_SND_SOC_SOF_INTEL_TOPLEVEL=y
CONFIG_SND_SOC_SOF_INTEL_HIFI2=y
CONFIG_SND_SOC_SOF_ICELAKE=y
CONFIG_SND_SOC_SOF_TIGERLAKE=y
CONFIG_SND_SOC_SOF_ALDERLAKE=y
CONFIG_SND_SOC_SOF_METEORLAKE=y
# Intel HDA/SST: older Intel audio (Skylake/Kabylake)
CONFIG_SND_SOC_INTEL_SST_TOPLEVEL=y
CONFIG_SND_SOC_INTEL_SKL=y
CONFIG_SND_SOC_INTEL_APL=y
CONFIG_SND_SOC_INTEL_KBL=y
# AMD Pink Sardine / Renoir / Cezanne audio
CONFIG_SND_SOC_AMD_ACP=y
CONFIG_SND_SOC_AMD_ACP3x=y
CONFIG_SND_SOC_AMD_ACP6x=y
CONFIG_SND_SOC_AMD_PS=y
# Common codec drivers (RT5682 is in virtually every modern laptop)
CONFIG_SND_SOC_RT5682=y
CONFIG_SND_SOC_RT5682S=y
CONFIG_SND_SOC_NAU8825=y
CONFIG_SND_SOC_CS35L41=y
CONFIG_SND_SOC_MAX98357A=y

# ==============================================================
# MEDIA / V4L2 / WEBCAM -- Video capture and processing
# USB_VIDEO_CLASS (UVC): covers 99% of USB webcams (Logitech, Razer,
# Elgato, generic webcams). Must be built-in for webcam use from
# live ISO and early boot environments.
# V4L2_MEM2MEM: required for hardware video encode/decode (VA-API,
# VDPAU, Intel QSV, AMD VCE via Mesa).
# VIDEOBUF2: unified video buffer management used by all V4L2 drivers.
# Source: kernel.org/doc/html/latest/userspace-api/media/v4l/
# ==============================================================
CONFIG_MEDIA_SUPPORT=y
CONFIG_MEDIA_USB_SUPPORT=y
CONFIG_MEDIA_CAMERA_SUPPORT=y
CONFIG_VIDEO_DEV=y
CONFIG_VIDEO_V4L2=y
CONFIG_V4L2_MEM2MEM_DEV=y
CONFIG_VIDEOBUF2_CORE=y
CONFIG_VIDEOBUF2_MEMOPS=y
CONFIG_VIDEOBUF2_VMALLOC=y
CONFIG_VIDEOBUF2_DMA_CONTIG=y
CONFIG_VIDEOBUF2_DMA_SG=y
# UVC: USB Video Class -- every modern USB webcam uses this
CONFIG_USB_VIDEO_CLASS=y
CONFIG_USB_VIDEO_CLASS_INPUT_EVDEV=y
# HDMI/DP capture cards (Elgato, AVerMedia, Magewell etc.)
CONFIG_VIDEO_HDMI=y
# CEC: HDMI Consumer Electronics Control -- auto-power, remote passthrough
CONFIG_MEDIA_CEC_SUPPORT=y
CONFIG_CEC_CORE=y
CONFIG_CEC_NOTIFIER=y
# DVB/TV tuner infrastructure (for TV tuner sticks, SDR dongles)
CONFIG_MEDIA_DIGITAL_TV_SUPPORT=y
CONFIG_DVB_CORE=y
# RC/IR receiver (remote controls, FLIRC, MCE)
CONFIG_MEDIA_RC_SUPPORT=y
CONFIG_RC_CORE=y
CONFIG_RC_DECODERS=y
CONFIG_RC_DEVICES=y
CONFIG_IR_MCE_KBD=y

# ==============================================================
# USB
# ==============================================================
# ==============================================================
# USB -- CORE STACK (Autosuspend-Hardened)
# ==============================================================
#
# MULTI-LAYER USB AUTOSUSPEND DEFENCE STRATEGY:
#
#   Layer 1 -- Kernel compile-time default (this file):
#     CONFIG_USB_AUTOSUSPEND_DELAY=-1 (set above in PM section)
#     -> Every USB device wakes up with autosuspend off at boot.
#       No race condition between udev and the 2s default timer.
#
#   Layer 2 -- Kernel boot parameter (add to bootloader cmdline):
#     usbcore.autosuspend=-1
#     -> Redundant safety net. If the Kconfig default is somehow
#       overridden (e.g., initramfs modprobe with options), this
#       runtime parameter re-enforces the -1 default for all
#       subsequently enumerated devices.
#       Check at runtime: cat /sys/module/usbcore/parameters/autosuspend
#
#   Layer 3 -- udev rules (add to /etc/udev/rules.d/99-usb-power.rules):
#     WHY UDEV IS STILL NEEDED EVEN WITH LAYERS 1+2:
#       Some drivers explicitly call usb_autopm_enable() in their
#       probe() function to re-enable autosuspend for their device.
#       HID class drivers do NOT do this, but some vendor-specific
#       drivers and the btusb Bluetooth driver do. Udev rules provide
#       a post-probe guarantee that power/control stays "on".
#
#     RECOMMENDED /etc/udev/rules.d/99-usb-power.rules:
#
#     # Force all USB devices to stay on (power/control=on):
#     ACTION=="add", SUBSYSTEM=="usb", TEST=="power/control",  \
#       ATTR{power/control}="on"
#
#     # Belt-and-suspenders: also set autosuspend_delay_ms to -1:
#     ACTION=="add", SUBSYSTEM=="usb", \
#       TEST=="power/autosuspend_delay_ms", \
#       ATTR{power/autosuspend_delay_ms}="-1"
#
#     # Class-specific: HID (keyboards, mice, gamepads) -- class 0x03:
#     ACTION=="add", SUBSYSTEM=="usb", \
#       ATTR{bDeviceClass}=="03", \
#       ATTR{power/control}="on"
#
#     # Class-specific: USB audio (class 0x01):
#     ACTION=="add", SUBSYSTEM=="usb", \
#       ATTR{bDeviceClass}=="01", \
#       ATTR{power/control}="on"
#
#     # USB hubs must NEVER autosuspend (would kill all downstream):
#     ACTION=="add", SUBSYSTEM=="usb", \
#       ATTR{bDeviceClass}=="09", \
#       ATTR{power/control}="on"
#
#
#   Layer 4 -- modprobe.d (if usbcore ever loads as a module):
#     /etc/modprobe.d/usbcore.conf:
#       options usbcore autosuspend=-1
#     This pre-configures the parameter before the module loads,
#     which matters for initramfs-based USB early boot scenarios.
#
#   Layer 5 -- sysfs runtime check (verify post-boot):
#     cat /sys/module/usbcore/parameters/autosuspend  -> should be -1
#     for d in /sys/bus/usb/devices/*/power/control; do
#       echo "$d: $(cat $d)"; done                    -> all "on"
#     for d in /sys/bus/usb/devices/*/power/autosuspend_delay_ms; do
#       echo "$d: $(cat $d)"; done                    -> all -1000
#
# WHY USB_DEFAULT_PERSIST=y IS CRITICAL:
#   After a system suspend/resume, the USB subsystem can choose to
#   either disconnect-and-reconnect devices ("reset") or "persist"
#   them (maintain the device's logical state across suspend). With
#   PERSIST=y, the kernel attempts to re-attach to the same device
#   after resume without going through full disconnection. This
#   prevents the "USB keyboard missing after suspend" bug where
#   the HID driver fully loses state and needs user re-login to
#   re-initialise the keyboard LEDs and modifier state.
#   Source: Alan Stern (USB persist author), kernel docs
#
CONFIG_USB_SUPPORT=y
CONFIG_USB_COMMON=y
CONFIG_USB=y
CONFIG_USB_PCI=y
#
# USB_DEFAULT_PERSIST: Preserve USB device state across system sleep.
# Prevents full disconnect/reconnect on resume -- eliminates keyboard
# drop-outs and audio device re-initialisation delays after wake.
CONFIG_USB_DEFAULT_PERSIST=y
#
# USB_DYNAMIC_MINORS: Assign device minor numbers dynamically.
# Avoids fixed-minor conflicts when many USB devices are attached.
CONFIG_USB_DYNAMIC_MINORS=y
CONFIG_USB_MON=y
CONFIG_USB_EHCI_HCD=y
CONFIG_USB_EHCI_ROOT_HUB_TT=y
CONFIG_USB_EHCI_PCI=y
CONFIG_USB_OHCI_HCD=y
CONFIG_USB_OHCI_HCD_PCI=y
CONFIG_USB_UHCI_HCD=y
CONFIG_USB_XHCI_HCD=y
# USB_XHCI_PCI: Intel/AMD xHCI (USB 3.x) PCI host controller.
# xHCI is the source of most autosuspend-related USB instability --
# the spec allows controllers to aggressively power-gate ports.
# With USB_AUTOSUSPEND_DELAY=-1 and udev rules, xHCI port power
# gating is controlled by the driver only on explicit system sleep,
# NOT on device idle. This resolves disconnect storms seen on
# RTL8153 USB-Ethernet, DAC dongles, and some wireless receivers.
CONFIG_USB_XHCI_PCI=y
CONFIG_USB_XHCI_PCI_RENESAS=y
CONFIG_USB_XHCI_PLATFORM=y
CONFIG_USB_ACM=y
CONFIG_USB_STORAGE=y
CONFIG_USB_STORAGE_DATAFAB=y
CONFIG_USB_UAS=y
CONFIG_USB_PRINTER=y
CONFIG_USB_NET_CDCETHER=y
CONFIG_USB_NET_CDC_NCM=y
CONFIG_USB_NET_SMSC95XX=y
CONFIG_USB_NET_RNDIS_HOST=y
CONFIG_USB_RTL8152=y
CONFIG_USB_SERIAL=y
CONFIG_USB_SERIAL_GENERIC=y
CONFIG_USB_SERIAL_FTDI_SIO=y
CONFIG_USB_SERIAL_PL2303=y
CONFIG_USB_SERIAL_CH341=y
CONFIG_USB_SERIAL_CP210X=y
CONFIG_USB_SERIAL_OPTION=y

# ==============================================================
# THUNDERBOLT / USB4
# Thunderbolt 3/4 and USB4 unified host controller driver.
# Required for: eGPU enclosures, Thunderbolt docks, NVMe via TB,
# Thunderbolt networking (peer-to-peer at 40Gbps), USB4 hubs.
# THUNDERBOLT_NET: IP networking over Thunderbolt cable (direct link).
# Source: kernel.org/doc/html/latest/driver-api/thunderbolt.html
# ==============================================================
CONFIG_THUNDERBOLT=y
CONFIG_THUNDERBOLT_NET=y
CONFIG_USB4=y
CONFIG_USB4_NET=y

# ==============================================================
# WIREGUARD -- Modern VPN
# Built-in (not module): WireGuard is available from first userspace
# call -- no module load race before network.target in systemd.
# Uses ChaCha20-Poly1305 (already built-in above) for ~10 Gbps on
# modern CPUs. Replaces OpenVPN for performance-sensitive tunnels.
# Source: Jason Donenfeld, merged Linux 5.6, kernel.org/doc/html/latest/
# ==============================================================
CONFIG_WIREGUARD=y

# ==============================================================
# HIDRAW -- Raw HID device interface (/dev/hidrawN)
# Required by: libfprint (fingerprint readers), fwupd (firmware update),
# OpenRGB, Piper (Logitech), many HID-based devices not covered by
# input subsystem. Also critical for some BT HID control paths.
# ==============================================================
CONFIG_HIDRAW=y

# ==============================================================
# BLUETOOTH -- Wireless peripherals (controllers, headsets, mice)
# BT_HIDP: Bluetooth HID -- wireless gamepads, keyboards, mice
# BT_HCIBTUSB: USB Bluetooth adapters (most common dongle type)
# UHID: Userspace HID I/O -- required by BlueZ for BT HID devices
# Source: kernel.org, BlueZ documentation
# ==============================================================
CONFIG_BT=y
CONFIG_BT_BREDR=y
CONFIG_BT_LE=y
CONFIG_BT_RFCOMM=y
CONFIG_BT_BNEP=y
CONFIG_BT_HIDP=y
CONFIG_BT_HCIBTUSB=y
CONFIG_BT_HCIBTUSB_BCM=y
CONFIG_BT_HCIBTUSB_RTL=y
# BT_HCIUART: Serial Bluetooth (most laptop/embedded BT chips use this)
# Required for Intel/Qualcomm/MediaTek BT on laptops (paired with UART)
CONFIG_BT_HCIUART=y
CONFIG_BT_HCIUART_H4=y
CONFIG_BT_HCIUART_BCM=y
CONFIG_BT_HCIUART_QCA=y
CONFIG_BT_HCIUART_INTEL=y
CONFIG_BT_HCIUART_MRVL=y
# Intel Bluetooth (AX200, AX210 etc -- also handles Wi-Fi coexistence)
CONFIG_BT_INTEL=y
CONFIG_BT_HCIBTSDIO=y
# BT_MSFTEXT: Microsoft Bluetooth Extensions (Xbox controller audio, etc.)
CONFIG_BT_MSFTEXT=y
# BT Audio codecs -- SBC, aptX, AAC, LDAC handled in userspace (PipeWire)
# but A2DP socket infrastructure is here
CONFIG_BT_A2MP=y
CONFIG_UHID=y

# ==============================================================
# HID -- Gaming peripherals
# ==============================================================
CONFIG_HID=y
CONFIG_HID_GENERIC=y
CONFIG_HID_BATTERY_STRENGTH=y
CONFIG_HID_MICROSOFT=y
CONFIG_HID_PLAYSTATION=y
CONFIG_HID_SONY=y
CONFIG_HID_LOGITECH=y
CONFIG_HID_LOGITECH_DJ=y
CONFIG_HID_LOGITECH_HIDPP=y
CONFIG_HID_RAZER=y
CONFIG_HID_STEELSERIES=y
# USB_HID=y (built-in, NOT module): This is the most common real-hardware
# boot failure on custom kernels. As =m the USB keyboard is dead during
# early initramfs (LUKS password prompts, recovery shells, etc).
# The kernel cannot load a module to type the password to decrypt the disk.
# Ubuntu, Debian, Arch, Fedora all ship this =y for exactly this reason.
# References: Ubuntu bug #229732, Debian bug #697619, countless Arch forums
#
# AUTOSUSPEND NOTE FOR HID DEVICES:
#   The HID class driver (usbhid) does NOT call usb_autopm_enable() in
#   probe() -- it respects the usbcore autosuspend setting. With
#   USB_AUTOSUSPEND_DELAY=-1 (set in this config) and the udev rule
#   ATTR{power/control}="on" for ATTR{bDeviceClass}=="03", no HID
#   device (keyboard, mouse, gamepad, stylus) will EVER autosuspend.
#   The 50 ms resume latency that causes dropped first keystrokes
#   and stuck Shift/Ctrl modifiers is completely eliminated.
CONFIG_USB_HID=y
CONFIG_HID_PID=y

# Drawing tablets and stylus devices
# HID_WACOM: Wacom Intuos/Cintiq/Bamboo tablets and EMR stylus
# HID_UCLOGIC: XP-Pen, Huion, Gaomon, UGEE, Veikk (all use UCLogic protocol)
# HID_HUION: Standalone Huion driver (pre-UCLogic older models)
# Without these, pen pressure/tilt/eraser are reported as plain mouse
CONFIG_HID_WACOM=y
CONFIG_HID_UCLOGIC=y
CONFIG_HID_HUION=y

# Additional gaming peripherals
CONFIG_HID_A4TECH=y
CONFIG_HID_APPLE=y
CONFIG_HID_BELKIN=y
CONFIG_HID_CORSAIR=y
CONFIG_HID_CHERRY=y
CONFIG_HID_CHICONY=y
CONFIG_HID_ROCCAT=y
CONFIG_HID_THRUSTMASTER=y
CONFIG_HID_ZEROPLUS=y
CONFIG_HID_XINMO=y
# HID_STEAM: Valve Steam Controller + Steam Deck gamepad support.
# Handles mode-switch, gyro, trackpad, and haptic feedback.
# Required for Steam Input to recognise the Steam Controller
# as a proper HID gamepad rather than a raw mouse/keyboard.
CONFIG_HID_STEAM=y
# HID_NINTENDO: Nintendo Switch Pro Controller, Joy-Con (L/R),
# and N64/SNES controller adapters over USB or Bluetooth.
# Includes gyroscope and accelerometer via iio subsystem.
CONFIG_HID_NINTENDO=y
# HID_XPADNEO: Enhanced Xbox One / Series X|S wireless BT gamepad driver.
# Provides proper rumble, extra buttons, and guide-button support
# beyond the basic xpad USB driver. Source: atar-axis/xpadneo
# Note: This ships as a DKMS module; listed here for awareness.
# CONFIG_HID_XPADNEO is not set (use DKMS for this OOT driver)

# ==============================================================
# INPUT -- Controllers and gamepads
# ==============================================================
CONFIG_INPUT=y
CONFIG_INPUT_FF_MEMLESS=y
# JOYSTICK_HRTIMER: High-resolution polling timer for game controllers.
# Enables 1 kHz+ gamepad polling on controllers that support it
# (Xbox Series X|S via xpad, DualSense via HID_PLAYSTATION). Required
# alongside the "usbhid.quirks" or "evdev" polling rate hacks that
# many gaming guides recommend.
CONFIG_JOYSTICK_HRTIMER=y
CONFIG_INPUT_KEYBOARD=y
CONFIG_KEYBOARD_ATKBD=y
CONFIG_KEYBOARD_GPIO=y
CONFIG_KEYBOARD_APPLESPI=y
CONFIG_INPUT_MOUSE=y
CONFIG_MOUSE_PS2=y
CONFIG_MOUSE_PS2_ALPS=y
CONFIG_MOUSE_PS2_SYNAPTICS=y
CONFIG_MOUSE_PS2_SYNAPTICS_SMBUS=y
CONFIG_MOUSE_PS2_TRACKPOINT=y
CONFIG_MOUSE_PS2_ELANTECH=y
CONFIG_MOUSE_PS2_FOCALTECH=y
CONFIG_MOUSE_PS2_VMMOUSE=y
CONFIG_MOUSE_APPLETOUCH=y
CONFIG_MOUSE_BCM5974=y
CONFIG_MOUSE_ELAN_I2C=y
CONFIG_INPUT_JOYSTICK=y
CONFIG_JOYSTICK_XPAD=y
CONFIG_JOYSTICK_XPAD_FF=y
CONFIG_INPUT_TOUCHSCREEN=y
CONFIG_TOUCHSCREEN_ATMEL_MXT=y
CONFIG_TOUCHSCREEN_GOODIX=y
CONFIG_TOUCHSCREEN_ELAN=y
CONFIG_TOUCHSCREEN_EDT_FT5X06=y
CONFIG_TOUCHSCREEN_USB_COMPOSITE=y
CONFIG_INPUT_MISC=y
CONFIG_INPUT_UINPUT=y
# INPUT_EVDEV: event device interface -- /dev/input/eventN nodes
# REQUIRED for any GUI session: Wayland compositors, X11, libinput all
# read from evdev. Without this, keyboard/mouse/touchpad are invisible
# to userspace even if the hardware driver loaded correctly.
CONFIG_INPUT_EVDEV=y
CONFIG_RMI4_CORE=y
CONFIG_RMI4_I2C=y
CONFIG_RMI4_SMB=y
CONFIG_SERIO=y
CONFIG_SERIO_I8042=y
CONFIG_SERIO_SERPORT=y
CONFIG_SERIO_LIBPS2=y
CONFIG_SERIO_RAW=y
CONFIG_HYPERV_KEYBOARD=y
CONFIG_GAMEPORT=y

# ==============================================================
# SERIAL / TTY
# ==============================================================
CONFIG_TTY=y
CONFIG_VT=y
CONFIG_CONSOLE_TRANSLATIONS=y
CONFIG_VT_CONSOLE=y
CONFIG_HW_CONSOLE=y
CONFIG_VT_HW_CONSOLE_BINDING=y
# CONFIG_UNIX98_PTYS already set above -- duplicate suppressed
CONFIG_SERIAL_8250=y
CONFIG_SERIAL_8250_CONSOLE=y
CONFIG_SERIAL_8250_DMA=y
CONFIG_SERIAL_8250_PCI=y
CONFIG_SERIAL_8250_NR_UARTS=512
CONFIG_SERIAL_8250_RUNTIME_UARTS=4
CONFIG_SERIAL_8250_EXTENDED=y
CONFIG_SERIAL_8250_MANY_PORTS=y
CONFIG_SERIAL_8250_SHARE_IRQ=y
CONFIG_SERIAL_8250_DW=y
CONFIG_SERIAL_8250_LPSS=y
CONFIG_SERIAL_8250_MID=y
CONFIG_SERIAL_EARLYCON=y
CONFIG_SERIAL_CORE=y
CONFIG_SERIAL_CORE_CONSOLE=y
CONFIG_SERIAL_JSM=y
CONFIG_SERIAL_SC16IS7XX=y
CONFIG_SERIAL_PCH_UART=y

# ==============================================================
# SCSI
# ==============================================================
CONFIG_SCSI=y
CONFIG_SCSI_DMA=y
CONFIG_SCSI_NETLINK=y
CONFIG_SCSI_PROC_FS=y
CONFIG_BLK_DEV_SD=y
CONFIG_CHR_DEV_SG=y
CONFIG_BLK_DEV_SR=y
CONFIG_SCSI_SCAN_ASYNC=y
CONFIG_SCSI_SAS_ATTRS=y
CONFIG_SCSI_SAS_LIBSAS=y
CONFIG_SCSI_SAS_ATA=y
CONFIG_ISCSI_TCP=y
CONFIG_SCSI_HPSA=y
CONFIG_SCSI_AACRAID=y
CONFIG_SCSI_MEGARAID_SAS=y
CONFIG_SCSI_MPT3SAS=y
CONFIG_SCSI_SMARTPQI=y
CONFIG_SCSI_UFSHCD=y
CONFIG_SCSI_UFSHCD_PCI=y
# CONFIG_SCSI_DEBUG is not set
CONFIG_SCSI_VIRTIO=y
# SCSI_MQ_DEFAULT: Multi-queue SCSI -- mandatory for NVMe/UFS performance.
# Single-queue SCSI (legacy) serialises all I/O through one lock.
# MQ allows per-CPU queues -> near-linear I/O scaling with CPU count.
CONFIG_SCSI_MQ_DEFAULT=y

# ==============================================================
# ATA / NVMe
# BLK_DEV_NVME built-in (not module) -- zero module load overhead
# NVME_MULTIPATH: Multiple NVMe paths, automatic failover
# NVME_HWMON: NVMe SSD temperature in lm-sensors / fancontrol
# ==============================================================
CONFIG_ATA=y
CONFIG_ATA_VERBOSE_ERROR=y
CONFIG_ATA_FORCE=y
CONFIG_SATA_PMP=y
CONFIG_ATA_SFF=y
CONFIG_ATA_BMDMA=y
# ATA_PIIX=y (built-in): QEMU i440FX IDE controller. Must be =y not =m.
# As a module it loads too late -- kernel panics on unknown-block(0,0) before SCSI/ATA init.
CONFIG_ATA_PIIX=y
CONFIG_ATA_GENERIC=y
CONFIG_PATA_ACPI=y
CONFIG_SATA_AHCI=y
CONFIG_SATA_AHCI_PLATFORM=y
CONFIG_SATA_SIL24=y
CONFIG_SATA_SIL=y
CONFIG_BLK_DEV_NVME=y
# NVME_CORE: NVMe core transport library.
# CONFIG_BLK_DEV_NVME selects the PCIe NVMe driver. CONFIG_NVME_CORE is the
# shared core library that all NVMe transports (PCIe, TCP, RDMA, FC) link
# against. It provides the NVMe queue, completion, and namespace abstractions.
# On most configs it is auto-selected as a dependency of BLK_DEV_NVME, but
# listing it explicitly ensures it is built-in regardless of Kconfig
# dependency resolution order, and documents that it is a required component.
CONFIG_NVME_CORE=y
CONFIG_NVME_MULTIPATH=y
CONFIG_NVME_HWMON=y
# NVME_AUTH: NVMe in-band authentication -- zero runtime cost when unused
CONFIG_NVME_AUTH=y
CONFIG_NVME_TCP=y
CONFIG_NVME_TARGET=y
CONFIG_NVME_TARGET_LOOP=y
CONFIG_NVME_TARGET_TCP=y

# ==============================================================
# MD / RAID / LVM
# ==============================================================
CONFIG_MD=y
CONFIG_BLK_DEV_MD=y
CONFIG_MD_AUTODETECT=y
CONFIG_MD_RAID0=y
CONFIG_MD_RAID1=y
CONFIG_MD_RAID10=y
CONFIG_MD_RAID456=y
CONFIG_MD_LINEAR=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_BUFIO=y
CONFIG_DM_CRYPT=y
CONFIG_DM_SNAPSHOT=y
CONFIG_DM_THIN_PROVISIONING=y
CONFIG_DM_WRITECACHE=y
CONFIG_DM_ERA=y
CONFIG_DM_MIRROR=y
CONFIG_DM_RAID=y
CONFIG_DM_ZERO=y
CONFIG_DM_MULTIPATH=y
CONFIG_DM_DELAY=y
CONFIG_DM_FLAKEY=y
CONFIG_DM_VERITY=y
CONFIG_DM_INTEGRITY=y
# DM_USER: Android Virtual A/B OTA snapshot support.
# Required for Waydroid to apply OTA updates to the Android image
# without reflashing -- uses device-mapper user-space protocol.
# Source: Android Virtual A/B docs, merged Linux 5.15
CONFIG_DM_USER=y

# ==============================================================
# FILESYSTEMS
# ==============================================================
CONFIG_DCACHE_WORD_ACCESS=y
CONFIG_EXT4_FS=y
CONFIG_EXT4_USE_FOR_EXT2=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_EXT4_ENCRYPTION=y
CONFIG_EXT4_VERITY=y
CONFIG_JBD2=y
CONFIG_FS_MBCACHE=y
CONFIG_JFS_FS=y
CONFIG_XFS_FS=y
CONFIG_XFS_QUOTA=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_XFS_RT=y
CONFIG_XFS_ONLINE_SCRUB=y
CONFIG_BTRFS_FS=y
CONFIG_BTRFS_FS_POSIX_ACL=y
# BTRFS_FS_INTEGRITY_CHECKING: Lightweight scrub on metadata reads.
# Catches silent corruption in RAM/NVMe at near-zero CPU overhead.
CONFIG_BTRFS_FS_CHECK_INTEGRITY=n
CONFIG_F2FS_FS=y
CONFIG_F2FS_FS_XATTR=y
CONFIG_F2FS_FS_POSIX_ACL=y
CONFIG_F2FS_FS_SECURITY=y
CONFIG_F2FS_FS_COMPRESSION=y
CONFIG_F2FS_FS_LZ4=y
CONFIG_F2FS_FS_ZSTD=y
CONFIG_QUOTA=y
CONFIG_QUOTA_NETLINK_INTERFACE=y
CONFIG_QUOTA_TREE=y
CONFIG_QFMT_V2=y
CONFIG_QUOTACTL=y
CONFIG_AUTOFS_FS=y
CONFIG_FUSE_FS=y
CONFIG_CUSE=y
CONFIG_VIRTIO_FS=y
CONFIG_OVERLAY_FS=y
CONFIG_ISO9660_FS=y
CONFIG_JOLIET=y
CONFIG_ZISOFS=y
CONFIG_UDF_FS=y
CONFIG_FAT_FS=y
CONFIG_MSDOS_FS=y
CONFIG_VFAT_FS=y
CONFIG_FAT_DEFAULT_CODEPAGE=437
CONFIG_FAT_DEFAULT_IOCHARSET="ascii"
CONFIG_FAT_DEFAULT_UTF8=y
CONFIG_EXFAT_FS=y
CONFIG_NTFS3_FS=y
CONFIG_NTFS3_LZX_XPRESS=y
CONFIG_NTFS3_FS_POSIX_ACL=y
CONFIG_PSTORE=y
CONFIG_PSTORE_COMPRESS=y
CONFIG_PSTORE_LZO_COMPRESS=y
CONFIG_PSTORE_LZ4_COMPRESS=y
CONFIG_PSTORE_ZSTD_COMPRESS=y
CONFIG_PSTORE_CONSOLE=y
CONFIG_PSTORE_PMSG=y
CONFIG_PSTORE_RAM=y
CONFIG_SQUASHFS=y
CONFIG_SQUASHFS_FILE_DIRECT=y
CONFIG_SQUASHFS_DECOMP_MULTI=y
CONFIG_SQUASHFS_XATTR=y
CONFIG_SQUASHFS_ZLIB=y
CONFIG_SQUASHFS_LZ4=y
CONFIG_SQUASHFS_LZO=y
CONFIG_SQUASHFS_XZ=y
CONFIG_SQUASHFS_ZSTD=y
CONFIG_HFSPLUS_FS=y
CONFIG_EROFS_FS=y
CONFIG_EROFS_FS_XATTR=y
CONFIG_EROFS_FS_POSIX_ACL=y
CONFIG_EROFS_FS_SECURITY=y
CONFIG_EROFS_FS_ZIP=y
CONFIG_NFS_FS=y
CONFIG_NFS_V2=y
CONFIG_NFS_V3=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFS_V4=y
CONFIG_NFS_V4_1=y
CONFIG_NFS_V4_2=y
CONFIG_NFS_V4_SECURITY_LABEL=y
CONFIG_NFSD=y
CONFIG_NFSD_V3=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFSD_V4=y
CONFIG_LOCKD=y
CONFIG_LOCKD_V4=y
CONFIG_NFS_ACL_SUPPORT=y
CONFIG_NFS_COMMON=y
CONFIG_SUNRPC=y
CONFIG_SUNRPC_GSS=y
CONFIG_RPCSEC_GSS_KRB5=y
CONFIG_CIFS=y
CONFIG_CIFS_UPCALL=y
CONFIG_CIFS_XATTR=y
CONFIG_CIFS_POSIX=y
CONFIG_CIFS_DFS_UPCALL=y
CONFIG_AFS_FS=y
CONFIG_9P_FS=y
CONFIG_9P_FS_POSIX_ACL=y
CONFIG_NLS=y
CONFIG_NLS_DEFAULT="utf8"
CONFIG_NLS_CODEPAGE_437=y
CONFIG_NLS_CODEPAGE_850=y
CONFIG_NLS_ASCII=y
CONFIG_NLS_ISO8859_1=y
CONFIG_NLS_ISO8859_15=y
CONFIG_NLS_UTF8=y

# ==============================================================
# SECURITY
# ==============================================================
CONFIG_KEYS=y
CONFIG_PERSISTENT_KEYRINGS=y
CONFIG_BIG_KEYS=y
CONFIG_TRUSTED_KEYS=y
CONFIG_ENCRYPTED_KEYS=y
CONFIG_KEY_DH_OPERATIONS=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_PATH=y
CONFIG_HARDENED_USERCOPY=y
# RANDOM_KMALLOC_CACHES: Randomises slab caches to defeat heap spray exploits
# Zero runtime overhead. Merged 6.6.
CONFIG_RANDOM_KMALLOC_CACHES=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
CONFIG_SECURITY_APPARMOR_EXPORT_BINARY=y
CONFIG_SECURITY_YAMA=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
CONFIG_SECURITY_LANDLOCK=y
CONFIG_INTEGRITY=y
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_IMA=y
CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_IMA_DEFAULT_HASH="sha256"
CONFIG_IMA_APPRAISE=y
CONFIG_IMA_APPRAISE_BOOTPARAM=y
CONFIG_EVM=y
CONFIG_DEFAULT_SECURITY_APPARMOR=y

# ==============================================================
# SELinux -- Mandatory Access Control (Red Hat / Android lineage)
# Required for full compatibility with Fedora, RHEL, CentOS, Alma,
# Rocky, and any distro shipping SELinux policies by default.
# With AppArmor as DEFAULT_SECURITY (above) and SELinux compiled in,
# both LSMs are available -- select at boot: security=selinux or
# security=apparmor. Distros choose via their own kernel cmdline.
#
# SELINUX_BOOTPARAM: allows security=selinux/0 on the kernel cmdline.
# SELINUX_DISABLE: allows runtime disable via /sys/fs/selinux/disable
# SELINUX_DEVELOP: enables permissive mode (audit but not enforce) --
#   mandatory for SELinux policy development and distro firstboot.
# Source: NSA/Tresys SELinux FAQ, Fedora SELinux User Guide,
#         kernel.org/doc/html/latest/admin-guide/LSM/SELinux.html
# ==============================================================
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0

# TOMOYO -- Pathname-based MAC (ships with OpenSUSE, Debian)
# Lightweight alternative to SELinux/AppArmor for simple path policies.
# Zero overhead when policy is in learning mode.
CONFIG_SECURITY_TOMOYO=y
CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=2048
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024

# ==============================================================
# CRYPTOGRAPHIC API -- Hardware accelerated
# AES-NI: Hardware AES instructions (~10x software speed)
# ChaCha20-AVX: WireGuard VPN + TLS 1.3 fast on all x86_64
# CRYPTO_DEV_CCP: AMD CCP hardware crypto (Zen CPUs)
# ==============================================================
CONFIG_CRYPTO=y
CONFIG_CRYPTO_ALGAPI=y
CONFIG_CRYPTO_AEAD=y
CONFIG_CRYPTO_SKCIPHER=y
CONFIG_CRYPTO_HASH=y
CONFIG_CRYPTO_RNG=y
CONFIG_CRYPTO_RNG_DEFAULT=y
CONFIG_CRYPTO_RSA=y
CONFIG_CRYPTO_DH=y
CONFIG_CRYPTO_ECC=y
CONFIG_CRYPTO_ECDH=y
CONFIG_CRYPTO_ECDSA=y
CONFIG_CRYPTO_MANAGER=y
CONFIG_CRYPTO_MANAGER2=y
CONFIG_CRYPTO_USER=y
CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
CONFIG_CRYPTO_GF128MUL=y
CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_AUTHENC=y
CONFIG_CRYPTO_SIMD=y
CONFIG_CRYPTO_ENGINE=y
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CTR=y
CONFIG_CRYPTO_ECB=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_CRCT10DIF=y
CONFIG_CRYPTO_CRCT10DIF_PCLMUL=y
CONFIG_CRYPTO_CRC32C=y
CONFIG_CRYPTO_CRC32C_INTEL=y
CONFIG_CRYPTO_CRC32=y
CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_POLY1305_X86_64=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_SHA1_SSSE3=y
CONFIG_CRYPTO_SHA256_SSSE3=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_SHA3=y
CONFIG_CRYPTO_GHASH=y
# GHASH_CLMUL_NI: Hardware-accelerated GHASH using PCLMULQDQ -- used
# by AES-GCM (TLS 1.3, QUIC, dm-crypt XTS). ~10x faster than software.
CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_AES_NI_INTEL=y
CONFIG_CRYPTO_BLOWFISH=y
CONFIG_CRYPTO_CAMELLIA=y
CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_CHACHA20_X86_64=y
CONFIG_CRYPTO_DES=y
CONFIG_CRYPTO_SERPENT=y
CONFIG_CRYPTO_TWOFISH=y
CONFIG_CRYPTO_TWOFISH_COMMON=y
CONFIG_CRYPTO_TWOFISH_X86_64=y
CONFIG_CRYPTO_DEFLATE=y
CONFIG_CRYPTO_LZO=y
CONFIG_CRYPTO_LZ4=y
CONFIG_CRYPTO_ZSTD=y
# BLAKE2B/S: Modern cryptographic hash -- faster than SHA-256 in software.
# Used by: WireGuard PSK hashing, restic backups, BTRFS checksums (b2),
# systemd-homed, and many modern developer tools.
CONFIG_CRYPTO_BLAKE2B=y
CONFIG_CRYPTO_BLAKE2S=y
CONFIG_CRYPTO_DRBG_MENU=y
CONFIG_CRYPTO_DRBG_HMAC=y
CONFIG_CRYPTO_DRBG_HASH=y
CONFIG_CRYPTO_DRBG_CTR=y
CONFIG_CRYPTO_DRBG=y
CONFIG_CRYPTO_JITTERENTROPY=y
CONFIG_CRYPTO_USER_API=y
CONFIG_CRYPTO_USER_API_HASH=y
CONFIG_CRYPTO_USER_API_SKCIPHER=y
CONFIG_CRYPTO_USER_API_RNG=y
CONFIG_CRYPTO_USER_API_AEAD=y
CONFIG_CRYPTO_HW=y
CONFIG_CRYPTO_DEV_PADLOCK=y
CONFIG_CRYPTO_DEV_PADLOCK_AES=y
CONFIG_CRYPTO_DEV_PADLOCK_SHA=y
CONFIG_CRYPTO_DEV_CCP=y
CONFIG_CRYPTO_DEV_CCP_DD=y
CONFIG_CRYPTO_DEV_SP_CCP=y
CONFIG_CRYPTO_DEV_CCP_CRYPTO=y
CONFIG_CRYPTO_DEV_QAT=y
CONFIG_CRYPTO_DEV_QAT_DH895xCC=y
CONFIG_CRYPTO_DEV_QAT_C3XXX=y
CONFIG_CRYPTO_DEV_QAT_C62X=y
CONFIG_CRYPTO_DEV_VIRTIO=y
CONFIG_ASYMMETRIC_KEY_TYPE=y
CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
CONFIG_X509_CERTIFICATE_PARSER=y
CONFIG_PKCS8_PRIVATE_KEY_PARSER=y
CONFIG_PKCS7_MESSAGE_PARSER=y
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS=""
CONFIG_SECONDARY_TRUSTED_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""

# ==============================================================
# LIBRARY ROUTINES
# ==============================================================
CONFIG_GENERIC_NET_UTILS=y
CONFIG_CPU_RMAP=y
CONFIG_DQL=y
CONFIG_REED_SOLOMON=y
CONFIG_BCH=y
CONFIG_TEXTSEARCH=y
CONFIG_TEXTSEARCH_KMP=y
CONFIG_TEXTSEARCH_BM=y
CONFIG_TEXTSEARCH_FSM=y
CONFIG_BTREE=y
CONFIG_INTERVAL_TREE=y
CONFIG_ASSOCIATIVE_ARRAY=y
CONFIG_HAS_IOMEM=y
CONFIG_HAS_DMA=y
CONFIG_SWIOTLB=y
CONFIG_SGL_ALLOC=y
CONFIG_IOMMU_HELPER=y
CONFIG_CPUMASK_OFFSTACK=y
CONFIG_CORDIC=y
CONFIG_IRQ_POLL=y
CONFIG_MPILIB=y
CONFIG_SIGNATURE=y
CONFIG_OID_REGISTRY=y
CONFIG_FONT_SUPPORT=y
CONFIG_FONTS=y
CONFIG_FONT_8x8=y
CONFIG_FONT_8x16=y
CONFIG_SG_POOL=y
CONFIG_ARCH_HAS_PMEM_API=y
CONFIG_MEMREGION=y
CONFIG_ARCH_STACKWALK=y
CONFIG_SBITMAP=y
CONFIG_FPGA=y
CONFIG_FPGA_BRIDGE=y
CONFIG_FPGA_REGION=y
CONFIG_FPGA_DFL=y

# ==============================================================
# VIRTUALIZATION
# ==============================================================
CONFIG_VFIO=y
CONFIG_VFIO_PCI=y
CONFIG_VFIO_PCI_MMAP=y
# VFIO_PCI_VGA: Allow VFIO to bind and pass through VGA-compatible adapters.
# Required for: single-GPU passthrough, Looking Glass, display output via VFIO.
# Without this, VGA aperture access is blocked even when the device is bound.
CONFIG_VFIO_PCI_VGA=y
CONFIG_VFIO_IOMMU_TYPE1=y
CONFIG_VFIO_MDEV=y
# VFIO_NOIOMMU: Allow VFIO without a hardware IOMMU -- for dev/test
# environments, old hardware without VT-d/AMD-Vi, or specific
# passthrough scenarios (use carefully; no DMA isolation).
CONFIG_VFIO_NOIOMMU=y
# VFIO_PLATFORM: Platform device passthrough (non-PCI devices).
# Required for: ARM DMA devices, specific Intel/AMD platform controllers.
CONFIG_VFIO_PLATFORM=y
# VFIO_VIRQFD: Virtual IRQ fd for VFIO devices.
# Foundation for eventfd-based IRQ signaling to guests.
CONFIG_VFIO_VIRQFD=y
# VIRTIO=y, VIRTIO_PCI=y, VIRTIO_BLK=y: All must be built-in for QEMU virtio boot.
# As modules they are unavailable when the kernel first tries to mount rootfs.
# Fixes: VFS: Cannot open root device "" or unknown-block(0,0)
CONFIG_VIRTIO=y
CONFIG_VIRTIO_PCI=y
CONFIG_VIRTIO_PCI_LEGACY=y
CONFIG_VIRTIO_BLK=y
CONFIG_VIRTIO_NET=y
CONFIG_VIRTIO_CONSOLE=y
CONFIG_VIRTIO_MEM=y
CONFIG_VIRTIO_BALLOON=y
CONFIG_VIRTIO_INPUT=y
CONFIG_VIRTIO_SCSI=y
# CONFIG_VIRTIO_FS already set above -- duplicate suppressed
CONFIG_KVM=y
CONFIG_KVM_INTEL=y
CONFIG_KVM_AMD=y
CONFIG_KVM_AMD_SEV=y
# KVM_AMD_SEV_SNP: Secure Nested Paging -- next-generation SEV that also
# authenticates guest memory pages, preventing hypervisor from swapping
# guest pages to host-visible memory without guest consent.
# Source: AMD EPYC 3rd gen+, merged Linux 6.11
CONFIG_KVM_AMD_SEV_SNP=y
# KVM_ASYNC_PF: Async Page Fault delivery -- instead of halting a vCPU
# while waiting for a page to be faulted in from swap/balloon, the
# hypervisor parks the vCPU and notifies the guest when the page is ready.
# Huge throughput win for over-committed or ballooned guest memory.
# Source: Gleb Natapov (Red Hat), RHEL KVM tuning guide
CONFIG_KVM_ASYNC_PF=y
# KVM_MMIO: MMIO emulation for virtual ACPI/PCI ROM/BIOS regions.
# Without this, OVMF/SeaBIOS virtual device I/O silently fails.
CONFIG_KVM_MMIO=y
# KVM_VFIO: KVM<->VFIO bridge -- allows MSI/MSI-X from VFIO-passthrough
# devices to reach the guest interrupt controller correctly.
CONFIG_KVM_VFIO=y
# KVM_SMM: System Management Mode emulation -- REQUIRED for OVMF/EDK2 UEFI
# firmware. Without it QEMU UEFI VMs silently fail to POST.
CONFIG_KVM_SMM=y
# KVM_HYPERV: Hyper-V enlightenments for Windows guests.
# Reduces VM exits 20-40%. Free perf for Win10/11/Server guests.
# Source: Microsoft/Red Hat, QEMU documentation
CONFIG_KVM_HYPERV=y
# KVM_XEN: Xen compatibility layer for Xen->KVM workload migration.
CONFIG_KVM_XEN=y
# X86_SGX_KVM: Run SGX enclaves inside KVM guests.
CONFIG_X86_SGX_KVM=y
# KVM_GENERIC_DIRTYLOG_READ_PROTECT: dirty log write-protect -- enables
# efficient live migration without double-logging page writes.
CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT=y
# KVM_COMPAT: 32-bit compat ioctls for KVM -- allows 32-bit management
# tools (some older QEMU builds, libvirt helpers) on 64-bit KVM host.
CONFIG_KVM_COMPAT=y
# CONFIG_KVM_GUEST already set above -- duplicate suppressed
CONFIG_VHOST=y
# VHOST_IOTLB: IOMMU Translation Lookaside Buffer for vhost devices.
# Required by vhost-user, vDPA, and high-performance vhost-net for
# correct DMA address translation when IOMMU is active.
CONFIG_VHOST_IOTLB=y
# VHOST_RING: Shared virtqueue ring infrastructure for all vhost backends.
# This is the low-level ring that vhost_net, vhost_scsi, vhost_vsock share.
CONFIG_VHOST_RING=y
CONFIG_VHOST_NET=y
CONFIG_VHOST_SCSI=y
CONFIG_VHOST_VSOCK=y

# VHOST_VDPA: Expose SR-IOV VFs or kernel vDPA devices as VirtIO
# devices. Enables line-rate NIC passthrough without VFIO overhead.
# Required for: hardware-accelerated vDPA (Mellanox/NVIDIA ConnectX,
# Intel C5000X, Qualcomm Cloud AI 100) with VirtIO interface in guest.
CONFIG_VHOST_VDPA=y

# VDUSE: Userspace vDPA backend implementation.
# Enables DPDK/SPDK to act as a vDPA block or net backend.
# Source: Yongji Xie (ByteDance), merged Linux 5.15
CONFIG_VDUSE=y

# VSOCK_LOOPBACK: CRITICAL for Waydroid host<->container RPC.
# Without this: clipboard sync, ADB over vsock, Waydroid full-UI mode,
# and waydroid show-full-ui all silently fail.
# Also required by: systemd-machined guest communication, Firecracker
# microVM control socket, cloud-hypervisor API socket.
# Source: ArchWiki Waydroid, Waydroid GitHub #399
CONFIG_VSOCK_LOOPBACK=y

# VIRTIO_MMIO: VirtIO over MMIO transport bus (no PCI required).
# Required for: Firecracker microVMs, QEMU -M microvm, cloud-hypervisor,
# direct-kernel-boot scenarios where PCI enumeration isn't available.
# VIRTIO_MMIO_CMDLINE_DEVICES: cmdline-specified virtio-mmio devices
# via kernel param virtio_mmio.device=... -- essential for QEMU testing.
CONFIG_VIRTIO_MMIO=y
CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y

# VIRTIO_PMEM: VirtIO persistent memory device (NVDIMM/DAX emulation).
# Enables QEMU -device virtio-pmem -- maps a host file/memory region as
# a DAX-capable NVDIMM inside the guest for pmem fast-path storage.
CONFIG_VIRTIO_PMEM=y

# VIRTIO_DMA_SHARED_BUFFER: DMA-BUF sharing between host and virtio guest.
# Required for zero-copy GPU/media workloads in QEMU virgl/virtio-gpu.
CONFIG_VIRTIO_DMA_SHARED_BUFFER=y

# ==============================================================
# NETWORK DEVICES -- All major NICs
# ==============================================================
CONFIG_NETDEVICES=y
CONFIG_MII=y
CONFIG_NET_CORE=y
CONFIG_BONDING=y
CONFIG_DUMMY=y
CONFIG_IFB=y
CONFIG_NET_TEAM=y
CONFIG_MACVLAN=y
CONFIG_MACVTAP=y
CONFIG_IPVLAN=y
CONFIG_VXLAN=y
CONFIG_GENEVE=y
CONFIG_MACSEC=y
CONFIG_NETCONSOLE=y
CONFIG_NETPOLL=y
CONFIG_NET_POLL_CONTROLLER=y
CONFIG_TUN=y
CONFIG_TAP=y
CONFIG_VETH=y
CONFIG_NLMON=y
CONFIG_NET_VRF=y
CONFIG_PHYLINK=y
CONFIG_PHYLIB=y
CONFIG_FIXED_PHY=y
CONFIG_MDIO_DEVICE=y
CONFIG_MDIO_BUS=y
CONFIG_AMD_PHY=y
CONFIG_AQUANTIA_PHY=y
CONFIG_BROADCOM_PHY=y
CONFIG_MARVELL_PHY=y
CONFIG_MARVELL_10G_PHY=y
CONFIG_MICREL_PHY=y
CONFIG_REALTEK_PHY=y
CONFIG_SMSC_PHY=y
CONFIG_ETHERNET=y
CONFIG_NET_VENDOR_AMAZON=y
CONFIG_ENA_ETHERNET=y
CONFIG_NET_VENDOR_AMD=y
CONFIG_PCNET32=y
CONFIG_NET_VENDOR_AQUANTIA=y
CONFIG_AQTION=y
CONFIG_NET_VENDOR_ATHEROS=y
CONFIG_ATL1=y
CONFIG_ATL1C=y
CONFIG_ALX=y
CONFIG_NET_VENDOR_BROADCOM=y
CONFIG_BNX2=y
CONFIG_TIGON3=y
CONFIG_BNX2X=y
CONFIG_BNXT=y
CONFIG_NET_VENDOR_CHELSIO=y
CONFIG_CHELSIO_T4=y
CONFIG_NET_VENDOR_CISCO=y
CONFIG_ENIC=y
CONFIG_NET_VENDOR_EMULEX=y
CONFIG_BE2NET=y
CONFIG_NET_VENDOR_GOOGLE=y
CONFIG_GVE=y
CONFIG_NET_VENDOR_HUAWEI=y
CONFIG_HINIC=y
CONFIG_NET_VENDOR_INTEL=y
CONFIG_E100=y
CONFIG_E1000=y
CONFIG_E1000E=y
CONFIG_IGB=y
CONFIG_IGBVF=y
CONFIG_IXGBE=y
CONFIG_IXGBEVF=y
CONFIG_I40E=y
CONFIG_IAVF=y
CONFIG_ICE=y
CONFIG_IGC=y
CONFIG_NET_VENDOR_MARVELL=y
CONFIG_SKGE=y
CONFIG_SKY2=y
CONFIG_NET_VENDOR_MELLANOX=y
CONFIG_MLX4_EN=y
CONFIG_MLX4_CORE=y
CONFIG_MLX5_CORE=y
CONFIG_NET_VENDOR_MICROSOFT=y
CONFIG_MICROSOFT_MANA=y
CONFIG_NET_VENDOR_QLOGIC=y
CONFIG_QLA3XXX=y
CONFIG_QLCNIC=y
CONFIG_QED=y
CONFIG_QEDE=y
CONFIG_NET_VENDOR_REALTEK=y
CONFIG_8139CP=y
CONFIG_8139TOO=y
CONFIG_R8169=y
CONFIG_NET_VENDOR_SOLARFLARE=y
CONFIG_SFC=y
CONFIG_NET_VENDOR_VIA=y
CONFIG_VIA_RHINE=y
CONFIG_PPP=y
CONFIG_PPP_BSDCOMP=y
CONFIG_PPP_DEFLATE=y
CONFIG_PPPOE=y
CONFIG_PPP_ASYNC=y
CONFIG_PPP_SYNC_TTY=y
CONFIG_SLIP=y
CONFIG_SLHC=y
CONFIG_WLAN=y
CONFIG_WLAN_VENDOR_BROADCOM=y
CONFIG_BRCMFMAC=y
CONFIG_BRCMUTIL=y
CONFIG_BRCMSMAC=y

# Qualcomm Atheros -- covers 802.11n/ac/ax across all eras
# ath9k: 802.11n PCIe/SDIO (AR9xxx) -- still widely used embedded/laptop
# ath10k: 802.11ac QCA9xxx/WCN3990 -- 5 GHz on many mid-range laptops
# ath11k: 802.11ax (Wi-Fi 6) -- QCN6122/WCN6855 -- modern laptops/tablets
# ath12k: 802.11be (Wi-Fi 7) -- QCN9274/WCN7850 -- cutting-edge platforms
CONFIG_WLAN_VENDOR_ATH=y
CONFIG_ATH_COMMON=y
CONFIG_ATH9K=y
CONFIG_ATH9K_HTC=y
CONFIG_ATH9K_COMMON=y
CONFIG_ATH9K_PCI=y
CONFIG_ATH9K_USB=y
CONFIG_ATH10K=y
CONFIG_ATH10K_PCI=y
CONFIG_ATH10K_USB=y
CONFIG_ATH10K_SDIO=y
CONFIG_ATH11K=y
CONFIG_ATH11K_PCI=y
CONFIG_ATH11K_AHB=y
CONFIG_ATH12K=y

CONFIG_WLAN_VENDOR_INTEL=y
CONFIG_IWLWIFI=y
CONFIG_IWLDVM=y
CONFIG_IWLMVM=y

CONFIG_WLAN_VENDOR_MEDIATEK=y
CONFIG_MT76_CORE=y
CONFIG_MT76_USB=y
CONFIG_MT76_SDIO=y
CONFIG_MT76x02_LIB=y
CONFIG_MT76x02_USB=y
CONFIG_MT7603E=y
CONFIG_MT7615_COMMON=y
CONFIG_MT7663_USB_SDIO_COMMON=y
CONFIG_MT7663U=y
CONFIG_MT7663S=y
CONFIG_MT7921_COMMON=y
CONFIG_MT7921E=y
CONFIG_MT7921U=y
CONFIG_MT7921S=y
CONFIG_MT7925_COMMON=y
CONFIG_MT7925E=y
CONFIG_MT7925U=y

CONFIG_WLAN_VENDOR_RALINK=y
CONFIG_RT2X00=y
CONFIG_RT2800PCI=y
CONFIG_RT2800USB=y
CONFIG_RT2800MMIO=y

# RTW88: Realtek 802.11ac (PCIe) -- RTL8822B/C, RTL8821C, RTL8723D
# RTW89: Realtek 802.11ax Wi-Fi 6/6E -- RTL8852A/B/C, RTL8851B
# These are completely separate from the older RTL8xxx stack above
CONFIG_WLAN_VENDOR_REALTEK=y
CONFIG_RTL8192CE=y
CONFIG_RTL8192EE=y
CONFIG_RTL8723BE=y
CONFIG_RTL8812AE=y
CONFIG_RTL8821AE=y
CONFIG_RTW88=y
CONFIG_RTW88_CORE=y
CONFIG_RTW88_PCI=y
CONFIG_RTW88_USB=y
CONFIG_RTW88_8822BE=y
CONFIG_RTW88_8822CE=y
CONFIG_RTW88_8723DE=y
CONFIG_RTW88_8821CE=y
CONFIG_RTW89=y
CONFIG_RTW89_CORE=y
CONFIG_RTW89_PCI=y
CONFIG_RTW89_USB=y
CONFIG_RTW89_8852AE=y
CONFIG_RTW89_8852BE=y
CONFIG_RTW89_8852CE=y
CONFIG_RTW89_8851BE=y

CONFIG_WLAN_VENDOR_TI=y
CONFIG_WL18XX=y
CONFIG_WLCORE=y

# ==============================================================
# CGROUPS
# ==============================================================
CONFIG_CGROUPS=y
CONFIG_PAGE_COUNTER=y
CONFIG_MEMCG=y
CONFIG_MEMCG_SWAP=y
CONFIG_MEMCG_KMEM=y
CONFIG_BLK_CGROUP=y
CONFIG_CGROUP_WRITEBACK=y
CONFIG_CGROUP_SCHED=y
CONFIG_FAIR_GROUP_SCHED=y
CONFIG_CFS_BANDWIDTH=y
CONFIG_RT_GROUP_SCHED=y
CONFIG_CGROUP_PIDS=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_HUGETLB=y
CONFIG_CPUSETS=y
CONFIG_PROC_PID_CPUSET=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_CGROUP_PERF=y
CONFIG_CGROUP_BPF=y
CONFIG_CGROUP_MISC=y
CONFIG_SOCK_CGROUP_DATA=y

# ==============================================================
# NAMESPACES
# ==============================================================
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_TIME_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y

# ==============================================================
# ANDROID BINDER / BINDERFS -- Waydroid & Anbox support
# Required for running Android apps via Waydroid container.
# CONFIG_ANDROID=y: enables the Android subsystem umbrella
# CONFIG_ANDROID_BINDER_IPC=y: core Binder IPC driver (in-kernel)
# CONFIG_ANDROID_BINDERFS=y: filesystem interface for binder devices
#   -> mounts at /dev/binderfs; waydroid-container.service uses this
# CONFIG_ANDROID_BINDER_DEVICES="": empty = binderfs manages names
#   -> waydroid creates anbox-binder, anbox-hwbinder, anbox-vndbinder
# Source: ArchWiki Waydroid, kernel.org android/ directory
# Verified: Linux 6.x has these upstream (no DKMS needed)
# ==============================================================
CONFIG_ANDROID=y
CONFIG_ANDROID_BINDER_IPC=y
# ANDROID_BINDER_IPC_SELFTEST: in-kernel binder correctness tests.
# Keep OFF for production -- only enable when debugging binder regressions.
# CONFIG_ANDROID_BINDER_IPC_SELFTEST is not set
CONFIG_ANDROID_BINDERFS=y
CONFIG_ANDROID_BINDER_DEVICES=""

# --------------------------------------------------------------
# WAYDROID / ANBOX CONTAINER DEPENDENCY AUDIT (all satisfied above)
# Waydroid uses LXC containers -- NOT KVM -- to run the Android image.
# Every dependency below is already built-in (=y) in this config:
#
#   ANDROID_BINDER_IPC + BINDERFS -- [x] above
#   SQUASHFS (system image mount)  -- [x] CONFIG_SQUASHFS=y
#   EROFS_FS + EROFS_FS_ONDEMAND   -- [x] both set (EROFS apex mounts)
#   OVERLAY_FS (writable layer)    -- [x] CONFIG_OVERLAY_FS=y
#   FUSE_FS (some Waydroid paths)  -- [x] CONFIG_FUSE_FS=y
#   NAMESPACES (UTS/IPC/PID/NET)   -- [x] all enabled
#   CGROUPS + MEMCG + BLK_CGROUP   -- [x] full cgroup v2 hierarchy
#   PSI (pressure stall reporting) -- [x] CONFIG_PSI=y, default ON
#   NET_BRIDGE + VETH + NF_NAT     -- [x] for waydroid0 bridge NAT
#   TUN (waydroid network tap)     -- [x] CONFIG_TUN=y
#   VSOCKETS + VIRTIO_VSOCKETS     -- [x] host<->container RPC
#   VHOST_VSOCK                    -- [x] kernel-side vsock accelerator
#   MACVLAN / IPVLAN               -- [x] alternative network modes
#   IP_NF_TARGET_MASQUERADE        -- [x] SNAT for container outbound
#   USER_NS + NET_NS + PID_NS      -- [x] full namespace isolation
# --------------------------------------------------------------

# ==============================================================
# DEBUG -- Minimal overhead, maximum visibility
# All performance-testing debug tools are OFF
# All lockup/hang detection is ON -- know when things go wrong
# ==============================================================
# CONFIG_DEBUG_KERNEL is not set
# CONFIG_DEBUG_INFO is not set
CONFIG_DEBUG_INFO_NONE=y
# CONFIG_GDB_SCRIPTS is not set
CONFIG_ENABLE_MUST_CHECK=y
CONFIG_FRAME_WARN=2048
CONFIG_STRIP_ASM_SYMS=y
CONFIG_SECTION_MISMATCH_WARN_ONLY=y
CONFIG_DEBUG_BUGVERBOSE=y

# Lockup detection
CONFIG_LOCKUP_DETECTOR=y
CONFIG_SOFTLOCKUP_DETECTOR=y
CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=n
CONFIG_HARDLOCKUP_DETECTOR=y
CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=n
CONFIG_DETECT_HUNG_TASK=y
CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
CONFIG_BOOTPARAM_HUNG_TASK_PANIC=n

# ==============================================================
# DEVELOPER TOOLS -- Full visibility, zero production overhead
# All tools below are gated behind active invocation.
# Cost at rest: zero. Cost when profiling: only what you ask for.
# ==============================================================

# KGDB: Kernel GNU Debugger -- attach GDB over serial or kgdboc
# (USB-to-serial, network console, or kgdbwait boot param).
# Indispensable for debugging kernel modules, oops analysis,
# and live memory inspection without a reboot cycle.
# Usage: boot with kgdbwait or echo g > /proc/sysrq-trigger
# Source: kernel.org/doc/html/latest/dev-tools/kgdb.html
CONFIG_KGDB=y
CONFIG_KGDB_SERIAL_CONSOLE=y
# KGDB_KDB: KDB -- the built-in kernel debugger shell.
# Accessible from VT/serial on crash. Inspect registers,
# call stacks, memory without a remote GDB session.
# Activate with Alt+SysRq+G after loading the kgdb module.
CONFIG_KGDB_KDB=y
CONFIG_KDB_KEYBOARD=y
CONFIG_KDB_CONTINUE_CATASTROPHIC=0

# MAGIC_SYSRQ: Emergency kernel controls via keyboard.
# Alt+SysRq+B = reboot, +S = sync, +U = remount-ro,
# +K = kill all on VT, +T = task dump, +M = memory dump.
# Saves the filesystem from corruption when X/Wayland locks.
# Source: kernel.org/doc/html/latest/admin-guide/sysrq.html
CONFIG_MAGIC_SYSRQ=y
CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=1
CONFIG_MAGIC_SYSRQ_SERIAL=y

# SCHED_DEBUG: Lightweight scheduler diagnostics.
# Exposes /proc/sched_debug and /proc/schedstat.
# Essential for profiling sched-ext BPF schedulers:
#   watch -n 0.5 cat /proc/sched_debug | grep -A4 "cpu#0"
# Also required for tuning BORE burst scores and latency targets.
# Overhead: near-zero -- data is only gathered on /proc read.
CONFIG_SCHED_DEBUG=y
CONFIG_SCHEDSTATS=y

# FTRACE: Function-level kernel tracer.
# Powers: trace-cmd, kernelshark, perf ftrace, BPF fentry/fexit.
# Required for latency tracing (irqsoff, preemptoff, wakeup).
# Use to diagnose audio glitches, scheduler stalls, DRM hangs.
# Source: kernel.org/doc/html/latest/trace/ftrace.html
CONFIG_FTRACE=y
CONFIG_FUNCTION_TRACER=y
CONFIG_FUNCTION_GRAPH_TRACER=y
CONFIG_IRQSOFF_TRACER=y
CONFIG_PREEMPT_TRACER=y
CONFIG_SCHED_TRACER=y
CONFIG_HWLAT_TRACER=y
CONFIG_OSNOISE_TRACER=y
CONFIG_TIMERLAT_TRACER=y
CONFIG_DYNAMIC_FTRACE=y
CONFIG_DYNAMIC_FTRACE_WITH_REGS=y
CONFIG_FPROBE=y
CONFIG_FPROBE_EVENTS=y
CONFIG_TRACING_SUPPORT=y
CONFIG_GENERIC_TRACER=y

# DYNAMIC_DEBUG: Per-call-site debug message control.
# echo "module drm +p" > /sys/kernel/debug/dynamic_debug/control
# Turns on debug messages for specific modules without rebuild.
# Zero cost when messages are off (disabled at compile with jump labels).
CONFIG_DYNAMIC_DEBUG=y
CONFIG_DYNAMIC_DEBUG_CORE=y
# CONFIG_KFENCE is not set
# CONFIG_UBSAN is not set
# CONFIG_KCSAN is not set
# CONFIG_KCOV is not set
# CONFIG_KMEMLEAK is not set
# CONFIG_DEBUG_PAGEALLOC is not set
# CONFIG_DEBUG_OBJECTS is not set
# CONFIG_DEBUG_MUTEXES is not set
# CONFIG_DEBUG_SPINLOCK is not set
# CONFIG_DEBUG_LOCK_ALLOC is not set
# CONFIG_PROVE_LOCKING is not set
# CONFIG_LOCK_STAT is not set
# CONFIG_DEBUG_ATOMIC_SLEEP is not set
# CONFIG_DEBUG_LIST is not set
# CONFIG_DEBUG_VM is not set
# CONFIG_TRACE_IRQFLAGS is not set
# CONFIG_FTRACE is not set
# CONFIG_DYNAMIC_DEBUG is not set
# CONFIG_TRACING_SUPPORT is not set

# CONFIG_KALLSYMS already set above -- duplicate suppressed
# CONFIG_KALLSYMS_ALL already set above -- duplicate suppressed

# LIVEPATCH: Live kernel patching -- apply CVE fixes without rebooting.
# Critical for a daily-driver dev system: security patches are applied
# immediately while games/compiles/VMs continue running uninterrupted.
# Source: Josh Poimboeuf (Red Hat), merged Linux 4.0. Used by KPATCH,
# kGraft, and kernel-livepatch packages in RHEL/SLES/Ubuntu.
CONFIG_LIVEPATCH=y
CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4
CONFIG_CONSOLE_LOGLEVEL_DEFAULT=7
CONFIG_EARLY_PRINTK=y
CONFIG_EARLY_PRINTK_EFI=y
CONFIG_PANIC_ON_OOPS=n
CONFIG_PANIC_TIMEOUT=0

# ==============================================================
# HYPERION v2.2.4 -- GOD-TIER ADDITIONS
# All features below are sourced from: CachyOS kernel config,
# RHEL Low-Latency Tuning Guide, sched-ext upstream, XanMod,
# kernel.org documentation, LKML, Phoronix benchmarks (2024-2026)
# ==============================================================

# --------------------------------------------------------------
# SCHED_EXT -- Extensible BPF Scheduler Framework (Linux 6.12+)
# Enables runtime-swappable CPU schedulers via eBPF.
# scx_bpfland: cache-topology-aware interactive scheduler
# scx_lavd:    gaming-optimised (latency-aware virtual deadline)
# scx_rusty:   LLC-domain load balancer for multi-CCX/NUMA
# No kernel recompile needed to swap schedulers at runtime.
# Source: kernel.org/doc/sched-ext, github.com/sched-ext/scx
# Merged mainline: Linux 6.12 (Linus Torvalds, Nov 2024)
# --------------------------------------------------------------
CONFIG_SCHED_CLASS_EXT=y

# BORE: Burst-Oriented Response Enhancer scheduler tweak.
# Extends EEVDF with per-task burst accounting: tasks that
# historically consume CPU in short bursts (interactive: games,
# terminals, audio daemons) are given deadline priority over
# tasks that run long and steady (batch compiles, ffmpeg).
# Net result: sub-frame input latency even under 100% compile load.
# This is the CachyOS default scheduler policy for desktop.
# Source: github.com/firelzrd/bore-scheduler
# Merged into CachyOS linux-cachyos kernel, Nobara, and several
# AUR builds. Upstream submission ongoing as of 2025.
CONFIG_SCHED_BORE=y
# BORE_BURST_SMOOTHNESS: how aggressively burst score decays.
# 2 = balanced (CachyOS default). Lower = more reactive.
CONFIG_SCHED_BORE_BURST_SMOOTHNESS=2
# capacity. Games and audio daemons clamp to min=100% -> always
# on fast cores. Background tasks clamp to max=50% -> out of the way.
# Source: schedutil + uclamp integration, Android/ChromeOS upstream
CONFIG_UCLAMP_TASK=y
CONFIG_UCLAMP_TASK_GROUP=y

# --------------------------------------------------------------
# RCU NOCB -- Move RCU callbacks off CPU for nohz_full correctness
# nohz_full CPUs can't tick -- RCU callbacks must run elsewhere.
# Without this, nohz_full silently breaks RCU grace periods.
# RCU_NOCB_CPU_DEFAULT_ALL: every CPU offloads by default
# Source: kernel.org/doc/timers/no_hz.html, Paul McKenney (IBM)
# --------------------------------------------------------------
CONFIG_RCU_NOCB_CPU=y
CONFIG_RCU_NOCB_CPU_DEFAULT_ALL=y
CONFIG_RCU_LAZY=y

# IRQ_FORCED_THREADING: Convert all non-threaded IRQ handlers to
# threaded mode. Gives the scheduler full control over IRQ timing.
# Measurable latency improvement under heavy IRQ load (NVMe, GPU).
# Source: Thomas Gleixner, Linux RT patchset, RHEL latency guide
CONFIG_IRQ_FORCED_THREADING=y
CONFIG_IRQ_FORCED_THREADING_DEFAULT=y

# WQ_POWER_EFFICIENT_DEFAULT disabled: Power-efficient workqueues
# migrate work items across cores to save power -- causing L1/L2
# cache thrashing. On a performance kernel this is pure overhead.
# Source: CachyOS-Settings, theyareonit/linux-gaming-optimization
# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set

# NUMA-aware spinlocks: Linux 6.5+ spinlock NUMA topology awareness.
# On multi-socket/multi-CCX systems reduces remote-NUMA lock bouncing.
# Measurable win on AMD Zen 3/4 with multiple CCXs sharing one socket.
# Source: Waiman Long, LKML 2023, merged 6.5
CONFIG_NUMA_AWARE_SPINLOCKS=y

# MUTEX_SPIN_ON_OWNER / LOCK_SPIN_ON_OWNER: Spin briefly before
# sleeping on a contended mutex. Avoids context switch overhead for
# very-short critical sections (syscalls, page faults, VMA ops).
# Net win on desktop workloads; server kernels disable for throughput.
CONFIG_MUTEX_SPIN_ON_OWNER=y
CONFIG_LOCK_SPIN_ON_OWNER=y

# --------------------------------------------------------------
# MEMORY -- Additional god-tier tweaks
# --------------------------------------------------------------

# LRU_GEN_WALKS_MMU: MGLRU uses MMU page-table walk to find cold
# pages instead of relying solely on access bits. More accurate
# reclaim decisions; reduces false evictions under memory pressure.
# Source: Yu Zhao (Google), lore.kernel.org MGLRU series v17+
CONFIG_LRU_GEN_WALKS_MMU=y

# BALLOON_COMPACTION: Compacts memory around ballooned (freed)
# regions. Reduces THP fragmentation over long uptimes.
CONFIG_BALLOON_COMPACTION=y

# SLAB_BUCKETS: Per-size-bucket slab tracking -- reduces internal
# fragmentation in the SLUB allocator for mixed-size alloc patterns
# (common in networking, gaming engines with per-frame allocations).
CONFIG_SLAB_BUCKETS=y

# MEMCG_V1 disabled -- cgroup v2 only. v1 hierarchy has locking
# overhead on every page alloc/free. v2 unified hierarchy is leaner.
# CONFIG_MEMCG_V1 is not set

# --------------------------------------------------------------
# NETWORKING -- More built-in firepower
# --------------------------------------------------------------

# TCP_CONG_BBR: BBRv3 (if present in 6.19) uses updated bandwidth
# probing and loss recovery. Already set as default -- ensure built-in.
# CONFIG_TCP_CONG_BBR already set above -- duplicate suppressed
# CONFIG_DEFAULT_BBR already set above -- duplicate suppressed

# CAKE (Common Applications Kept Enhanced): Best qdisc for home
# broadband. Combines FQ + AQM + traffic shaping + overhead accounting.
# Outperforms FQ_CoDel on asymmetric links (cable, DSL, LTE).
# Source: Toke Hiland-Jrgensen, Dave Taht -- bufferbloat.net
# CONFIG_NET_SCH_CAKE already set above -- duplicate suppressed

# TCP_FASTOPEN: Reduces SYN RTT by one for repeat connections.
# Significant win on high-frequency short-lived connections (gaming
# matchmaking, API calls, DNS over TCP).
CONFIG_TCP_FASTOPEN=y

# TCP_NOTSENT_LOWAT: Per-socket send buffer floor.
# Prevents TCP from buffering more than necessary before sending.
# Eliminates the "bufferbloat inside the kernel" problem for game
# servers and streaming applications using SO_NOTSENT_LOWAT.
# Source: Eric Dumazet (Google), merged Linux 4.1
CONFIG_TCP_NOTSENT_LOWAT=y

# UDP_GRO: Generic Receive Offload for UDP.
# Coalesces multiple small UDP packets into one large skb before
# passing up the stack -- critical for QUIC/HTTP3 receive performance.
# ~2x UDP receive throughput on hardware that supports it.
CONFIG_UDP_GRO=y

# GRO (Generic Receive Offload) -- already implied by NET_CORE.
# GRO_CELLS: multi-producer GRO engine for high-pps NICs.
CONFIG_GRO_CELLS=y

# NETFILTER FLOWTABLE hardware offload -- once conntrack establishes
# a flow, bypass the full netfilter stack for subsequent packets.
# ~4x throughput increase for NAT/routing on compatible hardware.
# CONFIG_NF_FLOW_TABLE already set above -- duplicate suppressed
# CONFIG_NF_FLOW_TABLE_INET already set above -- duplicate suppressed

# MPTCP already enabled above -- ensure multipath TCP is wired in.
# Allows connections to use multiple interfaces simultaneously.
# CONFIG_MPTCP already set above -- duplicate suppressed
CONFIG_INET_MPTCP_DIAG=y

# XDP / AF_XDP: Zero-copy packet processing in userspace.
# Required for DPDK, Suricata, Cilium, and high-performance VPN.
# CONFIG_AF_XDP already set above -- duplicate suppressed
# CONFIG_XDP_SOCKETS already set above -- duplicate suppressed
# CONFIG_XDP_SOCKETS_DIAG already set above -- duplicate suppressed

# NET_RX_BUSY_POLL: Spin-poll on receive queues instead of sleeping.
# Eliminates IRQ wakeup latency for latency-critical networking.
# Used by: DPDK apps, game servers, trading systems.
CONFIG_NET_RX_BUSY_POLL=y

# --------------------------------------------------------------
# STORAGE -- Built-in accelerators
# --------------------------------------------------------------

# NVME_TCP + NVME_RDMA built-in: NVMe-oF targets/initiators without
# module load delay. Required for diskless boot and HPC storage.
# CONFIG_NVME_TCP already set above -- duplicate suppressed
# NVME_RDMA: NVMe over RDMA (RoCE/iWARP) -- zero-copy NVMe-oF over
# InfiniBand/Ethernet RDMA. Required for HPC/cloud storage clusters.
CONFIG_NVME_RDMA=y
# NVME_FC: NVMe over Fibre Channel -- enterprise SAN environments.
CONFIG_NVME_FC=y
CONFIG_NVME_TARGET_FC=y

# BLK_DEV_ZONED already enabled -- ensure ZNS NVMe + SMR HDD support.
# CONFIG_BLK_DEV_ZONED already set above -- duplicate suppressed

# DM_WRITECACHE: Transparent write-back cache layer (SSD in front of
# HDD). Better than bcache for simple setups -- no separate mkfs.
# CONFIG_DM_WRITECACHE already set above -- duplicate suppressed

# DM_INTEGRITY: Per-block HMAC integrity checking -- cheap insurance
# against silent data corruption on consumer drives.
# CONFIG_DM_INTEGRITY already set above -- duplicate suppressed

# --------------------------------------------------------------
# FILESYSTEMS -- Built-in for zero-latency mount
# --------------------------------------------------------------

# EROFS on-demand loading: pull filesystem blocks on access from
# a backing store. Used by Android Compressed Apex, container layers.
CONFIG_EROFS_FS_ONDEMAND=y

# FSCACHE + CACHEFILES: Persistent local cache for network
# filesystems (NFS, CIFS, AFS, CEPH). Survives reconnection.
# Built-in avoids the module-load race at mount time.
CONFIG_FSCACHE=y
CONFIG_CACHEFILES=y
CONFIG_CACHEFILES_ONDEMAND=y

# TMPFS with huge pages: tmpfs backed by THPs where possible.
# Game shader caches and browser profiles in tmpfs benefit hugely.
CONFIG_TMPFS_INODE64=y

# --------------------------------------------------------------
# CRYPTO -- Everything hardware-accelerated and built-in
# --------------------------------------------------------------

# AES-NI, AVX-accelerated ChaCha20/Poly1305 built-in -- no lazy load.
# WireGuard VPN, TLS 1.3, dm-crypt all benefit from zero-latency
# crypto primitive availability on the very first call.
# CONFIG_CRYPTO_AES_NI_INTEL already set above -- duplicate suppressed
# CONFIG_CRYPTO_CHACHA20_X86_64 already set above -- duplicate suppressed
# CONFIG_CRYPTO_POLY1305_X86_64 already set above -- duplicate suppressed
# CONFIG_CRYPTO_SHA256_SSSE3 already set above -- duplicate suppressed
CONFIG_CRYPTO_SHA512_SSSE3=y
# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL already set above -- duplicate suppressed
# CONFIG_CRYPTO_CRC32C_INTEL already set above -- duplicate suppressed
# CONFIG_CRYPTO_CRCT10DIF_PCLMUL already set above -- duplicate suppressed

# AEGIS-128 AES-NI: AEAD cipher -- faster than AES-GCM on CPUs with
# AES-NI but without CLMUL (older Ivy Bridge, some AMD). Used by
# WireGuard fallback and QUIC implementations.
CONFIG_CRYPTO_AEGIS128_AESNI_SSE2=y

# --------------------------------------------------------------
# SECURITY -- Hardening that costs nothing at runtime
# --------------------------------------------------------------

# CFI_CLANG: Control Flow Integrity -- would need Clang. With GCC,
# ensure STACKPROTECTOR_STRONG is maximally effective.
# CONFIG_STACKPROTECTOR_STRONG already set above -- duplicate suppressed

# INIT_STACK_ALL_ZERO: Zero-initialise all stack variables on
# function entry. GCC 12+ can do this efficiently with -ftrivial-auto-var-init=zero.
# Kills entire classes of uninitialised-variable info leaks.
CONFIG_INIT_STACK_NONE=n
CONFIG_INIT_STACK_ALL_ZERO=y

# RANDOMIZE_KSTACK_OFFSET: Randomise kernel stack pointer offset on
# every syscall entry. Defeats stack-layout-dependent exploits.
# Zero runtime cost -- one extra instruction per syscall.
# Source: Kees Cook, merged 5.17, Google Security Research
CONFIG_RANDOMIZE_KSTACK_OFFSET=y
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y

# HARDENED_USERCOPY strict: reject copies that cross object boundaries.
# CONFIG_HARDENED_USERCOPY already set above -- duplicate suppressed
CONFIG_HARDENED_USERCOPY_FALLBACK=n

# --------------------------------------------------------------
# SCHEDULER -- Fine-grain responsiveness knobs
# --------------------------------------------------------------

# PREEMPT_NOTIFIERS: Hook into scheduler context-switch events.
# Required by KVM, VFIO passthrough, real-time audio frameworks.
CONFIG_PREEMPT_NOTIFIERS=y

# CPU_FREQ_TIMES: Per-frequency time-in-state accounting.
# Powers cpufreq-info, energy models, and EAS decisions.
CONFIG_CPU_FREQ_TIMES=y

# ARCH_WANT_OPTIMIZE_LINKED_LIST: Enable arch-optimised linked-list
# traversal (x86_64 CMOVcc tricks). Faster scheduler run-queue walks.
CONFIG_ARCH_WANT_OPTIMIZE_LINKED_LIST=y

# SCHED_TASK_ISOLATION: Per-task isolation mode hint.
# Combined with nohz_full and isolcpus for zero-jitter critical tasks.
CONFIG_SCHED_ISOLATION=y

# --------------------------------------------------------------
# HARDWARE ACCELERATION & MISC
# --------------------------------------------------------------

# INTEL_RAPL: Read CPU/DRAM power telemetry from MSRs.
# Required for powercap, turbostat, and energy-aware scheduling hints.
CONFIG_INTEL_RAPL=y
CONFIG_INTEL_RAPL_CORE=y

# AMD_ENERGY: Equivalent for AMD CPUs -- E-core power readout.
CONFIG_AMD_ENERGY=y

# PERF_EVENTS_AMD_UNCORE: AMD uncore (Infinity Fabric) perf counters.
# Essential for tuning memory bandwidth, NPS mode, NUMA balance.
CONFIG_PERF_EVENTS_AMD_UNCORE=y

# INTEL_UNCORE: Intel uncore performance counters (IMC, PCIe, LLC).
CONFIG_INTEL_UNCORE=y

# X86_SGX: Intel SGX enclave support. Zero overhead when unused.
# Required for: attestation services, confidential compute workloads.
CONFIG_X86_SGX=y

# GENERIC_IRQ_CHIP + IRQ_DOMAIN: needed by new platform interrupt
# controllers (for future-proofing on new AMD/Intel platforms).
CONFIG_GENERIC_IRQ_CHIP=y
CONFIG_IRQ_DOMAIN=y
CONFIG_IRQ_DOMAIN_HIERARCHY=y

# TICK_CPU_ACCOUNTING: High-resolution CPU time accounting per tick.
# More accurate than virt-based accounting; zero overhead on bare metal.
CONFIG_TICK_CPU_ACCOUNTING=y

# VIRT_CPU_ACCOUNTING_GEN: Generic virtual CPU accounting.
# With NO_HZ_FULL this is the correct accounting mode.
CONFIG_VIRT_CPU_ACCOUNTING_GEN=y

# HAVE_FAST_GUP: Architecture fast get_user_pages -- bypasses slow
# mmap_lock path. HUGE win for GPU drivers, io_uring, RDMA.
CONFIG_HAVE_FAST_GUP=y

# ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH: Batch TLB invalidations across
# CPUs before the final IPI. Reduces TLB shootdown overhead in
# multi-threaded workloads by coalescing flushes -- measurable win
# on Vulkan multithreaded command buffer submission.
CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y

# ARCH_HAS_HW_PTE_YOUNG: Hardware-maintained young/dirty bits.
# Enables MGLRU to skip software A-bit scanning on x86_64.
CONFIG_ARCH_HAS_HW_PTE_YOUNG=y

# ARCH_SUPPORTS_INT128: Enable __int128 in kernel code.
# Required by some crypto primitives and BPF verifier fast-paths.
CONFIG_ARCH_SUPPORTS_INT128=y

# ==============================================================

# ==============================================================
# HYPERION KERNEL v2.2.4 -- WAYLAND / HYPRLAND / ARCHISO PASS
#
# Goal: Guarantee Arch Linux, archiso live boot, SquashFS live
#       root, Wayland graphics stack, and Hyprland compositor all
#       work out of the box with zero userspace workarounds.
#
# Sources:
#   - kernel.org/doc/html/latest/driver-api/dma-buf.html
#   - wiki.archlinux.org/title/Wayland
#   - wiki.archlinux.org/title/Hyprland
#   - wiki.hypr.land (official Hyprland documentation)
#   - github.com/torvalds/linux/blob/master/drivers/dma-buf/Kconfig
#   - wayland.app/protocols/linux-drm-syncobj-v1
#   - archiso source: gitlab.archlinux.org/archlinux/archiso
#   - kernel defconfig: arch/x86/configs/x86_64_defconfig
# ==============================================================

# --------------------------------------------------------------
# SECTION A: DMA-BUF AND EXPLICIT SYNCHRONISATION FRAMEWORK
#
# These three options are the foundation of the modern Linux
# graphics stack. Every Wayland compositor, every GBM-based GPU
# driver, and every Vulkan ICD depends on them being present.
#
# DMA_SHARED_BUFFER: The kernel-level framework for sharing GPU
# buffers (dma-bufs) between drivers without copying. Hyprland
# and wlroots allocate framebuffers via GBM, which produces
# dma-buf fds that are passed to KMS for scanout. Without this,
# the linux-dmabuf-v1 Wayland protocol cannot function and no
# Wayland compositor can display a frame.
# Source: kernel.org/doc/html/latest/driver-api/dma-buf.html
# --------------------------------------------------------------
CONFIG_DMA_SHARED_BUFFER=y

# SYNC_FILE: Explicit synchronisation via userspace.
# Exports struct dma_fence objects to userspace as file
# descriptors. This is the kernel primitive behind:
#   - Vulkan timeline semaphores (DRM_SYNCOBJ_TIMELINE -- already y)
#   - The linux-drm-syncobj-v1 Wayland protocol used by
#     Hyprland 0.41+ and wlroots 0.18+ for flicker-free
#     explicit sync with NVIDIA 555+ drivers.
#   - Android-derived fence passing between GPU and display.
# Without SYNC_FILE, Hyprland falls back to implicit sync and
# NVIDIA Wayland sessions show frame-ordering artifacts and
# flickering that cannot be fixed in userspace.
# Source: wayland.app/protocols/linux-drm-syncobj-v1
#         github.com/torvalds/linux/blob/master/drivers/dma-buf/Kconfig
CONFIG_SYNC_FILE=y

# UDMABUF: Userspace DMA buffer misc driver.
# Lets userspace turn memfd regions into dma-bufs.
# Required by: QEMU for guest framebuffers in VMs,
#              some GBM fallback paths on systems without
#              a dedicated heap allocator.
# Depends: DMA_SHARED_BUFFER (set above), MEMFD_CREATE (already y)
# Source: github.com/torvalds/linux/blob/master/drivers/dma-buf/Kconfig
CONFIG_UDMABUF=y

# DMABUF_HEAPS: DMA-BUF userland memory heaps.
# Creates /dev/dma_heap/ chardevs. Allows userspace to allocate
# dma-bufs directly without going through a specific driver.
# Used by: Android gralloc HALs (needed for Waydroid, already
# supported), newer Mesa GBM implementations, and media
# pipelines that share buffers between V4L2 and DRM.
CONFIG_DMABUF_HEAPS=y

# DMABUF_HEAPS_SYSTEM: System (kmalloc/vmalloc) heap.
# The universal fallback heap. Always available regardless of
# whether CMA is configured. Provides dma-buf fds backed by
# normal system RAM, used when GPU-local or contiguous memory
# is not needed (e.g. software rendering fallback paths).
CONFIG_DMABUF_HEAPS_SYSTEM=y

# DMABUF_HEAPS_CMA: Contiguous Memory Allocator heap.
# Allocates physically contiguous DMA buffers suitable for
# hardware scan-out without an IOMMU. Important for:
#   - Systems without an IOMMU (some embedded/APU configs)
#   - Zero-copy video decode to display (V4L2 -> KMS)
#   - Ensures /dev/dma_heap/linux,cma is available for gralloc
CONFIG_DMABUF_HEAPS_CMA=y

# --------------------------------------------------------------
# SECTION B: SIMPLEDRM AND SYSFB -- EARLY DISPLAY FOR ARCHISO
#
# archiso and Arch Linux live environments need a working display
# from the very first frame after the kernel hands off to the
# initramfs. Before the GPU driver (amdgpu, i915, xe) probes and
# claims the hardware, the EFI framebuffer must remain usable.
# SYSFB + SIMPLEDRM provide this: they create a DRM device from
# the EFI/VESA framebuffer so that the console, plymouth, and
# early boot messages are visible on screen without any GPU
# driver being loaded.
#
# SYSFB_SIMPLEFB and DRM_SIMPLEDRM together replace the old
# efifb/vesafb approach with a proper KMS device that Wayland
# compositors can also fall back to in emergency mode.
# Source: kernel.org/doc/html/latest/fb/simplefb.html
#         git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
#         /tree/drivers/gpu/drm/tiny/simpledrm.c
# --------------------------------------------------------------

# SYSFB: System framebuffer infrastructure.
# Registers the firmware-provided framebuffer (EFI GOP, VESA)
# as a platform device so that DRM_SIMPLEDRM can claim it.
# Without SYSFB, DRM_SIMPLEDRM has nothing to bind to.
CONFIG_SYSFB=y

# SYSFB_SIMPLEFB: Expose the firmware framebuffer as simplefb.
# Creates the platform_device that DRM_SIMPLEDRM probes.
# This is what makes the EFI framebuffer visible as a DRM node
# before any GPU driver loads.
CONFIG_SYSFB_SIMPLEFB=y

# DRM_SIMPLEDRM: Simple DRM driver for firmware framebuffers.
# Binds to the simplefb platform device created by SYSFB.
# Provides a proper /dev/dri/card0 KMS device backed by the
# EFI GOP framebuffer. This gives:
#   - archiso a KMS console from the first boot frame
#   - A DRM device that Wayland compositors can open if the
#     real GPU driver is not yet loaded (installer environments)
#   - Automatic handoff: when the GPU driver loads, simpledrm
#     yields /dev/dri/card0 and the GPU driver takes over
# Source: kernel.org/doc/html/latest/gpu/drm-drivers.html
CONFIG_DRM_SIMPLEDRM=y

# DRM_GEM_DMA_HELPER: GEM DMA buffer management helpers.
# Required by DRM_SIMPLEDRM and several small display drivers.
# Provides the DMA-backed GEM BO (buffer object) infrastructure
# used when TTM is not appropriate (simple / non-GPU contexts).
CONFIG_DRM_GEM_DMA_HELPER=y

# --------------------------------------------------------------
# SECTION C: ARCHISO LIVE BOOT COMPLETENESS
#
# The Arch ISO (archiso) boots using:
#   1. ISO9660 filesystem on the optical/USB media (already y)
#   2. A loop device mounting the squashfs image (already y)
#   3. An overlay filesystem for the writeable upper layer (already y)
#   4. tmpfs for the writable layer (already y)
#
# Additional options verified against the archiso mkinitcpio
# configuration and the archiso GitLab repository.
# Source: gitlab.archlinux.org/archlinux/archiso/-/blob/master/
#         configs/releng/airootfs/etc/mkinitcpio.conf
# --------------------------------------------------------------

# SQUASHFS_DECOMP_MULTI_PERCPU: Per-CPU multi-threaded decompressor.
# The archiso squashfs image is several hundred MB. Per-CPU
# decompression uses all available cores during decompression,
# cutting live-boot read time on multicore systems by up to 60%
# versus the single-threaded path (Phoronix: squashfs throughput).
# SQUASHFS_DECOMP_MULTI (already set) provides multi-threaded
# decompression; PERCPU variant additionally avoids lock contention
# on per-decompressor state by using per-CPU decompress contexts.
CONFIG_SQUASHFS_DECOMP_MULTI_PERCPU=y

# OVERLAY_FS_REDIRECT_DIR: OverlayFS directory redirect support.
# Required for correct rename(2) behaviour across overlay layers.
# archiso uses overlayfs in redirect mode so that package
# installations during a live session do not corrupt the lower
# (squashfs) layer.
# Source: kernel.org/doc/html/latest/filesystems/overlayfs.html
CONFIG_OVERLAY_FS_REDIRECT_DIR=y

# OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW: Follow redirect on upper layer.
# Ensures that readdir on the merged directory correctly follows
# redirect xattrs on directories in the lower squashfs layer.
# Prevents stale directory listings in the archiso overlayfs mount.
CONFIG_OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW=y

# OVERLAY_FS_INDEX: OverlayFS index directory support.
# Provides crash-consistent NFS re-export of overlayfs mounts.
# Also required for correct hardlink behaviour across overlay
# layers, which matters when the live root has hardlinked binaries.
CONFIG_OVERLAY_FS_INDEX=y

# OVERLAY_FS_XINO_AUTO: Auto-assign inode numbers in overlayfs.
# Prevents inode number collisions between upper and lower layers.
# Without this, some tools (find, rsync, btrfs) that rely on
# unique inode numbers across the merged view return incorrect
# results in the archiso environment.
CONFIG_OVERLAY_FS_XINO_AUTO=y

# OVERLAY_FS_METACOPY: Metadata-only copy-up.
# Allows overlayfs to copy only file metadata (ownership, mode,
# xattrs) to the upper layer without copying file data until the
# file is actually written. Reduces unnecessary writes to the
# tmpfs upper layer during live session package operations.
CONFIG_OVERLAY_FS_METACOPY=y

# BLK_DEV_LOOP_MIN_COUNT: Minimum number of loop devices.
# archiso uses at least one loop device for the squashfs image.
# The default of 8 is already set. Confirm it is present.
# CONFIG_BLK_DEV_LOOP_MIN_COUNT=8  (already set in base config)

# CDROM: CD-ROM/DVD support for ISO boot from optical drives.
# Required when booting archiso from a physical DVD or a USB
# device that presents itself as a CD-ROM (some BIOS/UEFI modes).
# CONFIG_BLK_DEV_SR already set above -- duplicate suppressed
CONFIG_CDROM=y

# UDF filesystem: Universal Disk Format.
# Some archiso creators (isohybrid, ventoy) produce UDF
# partitions alongside ISO9660. Having UDF built-in ensures
# the media mounts regardless of which tool created it.
# CONFIG_UDF_FS already set above -- duplicate suppressed

# --------------------------------------------------------------
# SECTION D: INPUT COMPLETENESS FOR WAYLAND/HYPRLAND
#
# Hyprland uses libinput, which reads from /dev/input/eventN.
# libinput requires:
#   - INPUT_EVDEV (already y): the event device interface
#   - Proper tablet device support for drawing tablets
#   - INPUT_UINPUT (already y): for virtual input in Wayland
# Additional options for completeness.
# Source: wayland.freedesktop.org/libinput/doc/latest/
# --------------------------------------------------------------

# INPUT_TABLET: Drawing tablet (stylus/pen) support.
# Required for Wacom, UCLogic, Huion tablets under libinput.
# Provides the tablet tool and tablet pad evdev event types
# (EV_ABS with ABS_TILT_X, BTN_STYLUS, etc.) that libinput
# reads to deliver tablet events to Wayland compositors.
# Without this, tablets work but produce only mouse-like events
# without pressure, tilt, or proximity information.
CONFIG_INPUT_TABLET=y

# MOUSE_SERIAL: Serial port mice.
# Rare in modern use but present in some embedded environments.
# Cost is zero (one object file). Prevents "unknown mouse" on
# systems with legacy serial connections.
CONFIG_MOUSE_SERIAL=y

# MOUSE_VSXXXAA: DEC VSXXX-AA/GA mouse -- rare legacy.
# Included for completeness alongside MOUSE_SERIAL.
# Zero runtime cost when not present.
CONFIG_MOUSE_VSXXXAA=y

# KEYBOARD_I8042: PS/2 keyboard via i8042 controller.
# The i8042 KBD + AUX controller is present on virtually every
# x86 laptop and desktop motherboard. KEYBOARD_ATKBD (already y)
# provides the AT keyboard protocol; SERIO_I8042 (already y)
# provides the bus. This option enables the i8042 keyboard port
# specifically, ensuring the console keyboard works during archiso
# boot before USB HID is available.
CONFIG_KEYBOARD_I8042=y

# KEYBOARD_XTKBD: XT keyboard support (legacy IBM PC).
# Zero cost. Required on some vintage hardware.
CONFIG_KEYBOARD_XTKBD=y

# KEYBOARD_LKKBD: DEC LK keyboard support.
# Included for completeness. Zero runtime cost.
CONFIG_KEYBOARD_LKKBD=y

# SERIO_PCIPS2: PCI PS/2 adapter.
# Some embedded x86 boards route PS/2 through PCI rather than
# the legacy ISA/LPC i8042. Without this, PS/2 keyboards on
# those boards are silent during archiso boot.
CONFIG_SERIO_PCIPS2=y

# INPUT_LEDS: LED trigger support for keyboard LEDs.
# Exposes keyboard LEDs (Caps Lock, Num Lock, Scroll Lock) as
# LED class devices under /sys/class/leds/. Required by:
#   - systemd for keyboard LED management
#   - Hyprland for accurate Caps Lock state display in status bars
CONFIG_INPUT_LEDS=y

# INPUT_SPARSEKMAP: Sparse keymap library for embedded keyboards.
# Used by several laptop keyboard drivers (Asus, HP, Samsung).
# Zero cost on systems without those laptops.
CONFIG_INPUT_SPARSEKMAP=y

# KEYBOARD_APPLESPI: Apple SPI keyboard (MacBook 2015+).
# Apple laptops from 2015 onward use an SPI bus for the
# keyboard and trackpad rather than USB or PS/2. Without this,
# the keyboard is completely silent on affected MacBook models.
# CONFIG_KEYBOARD_APPLESPI already set above -- duplicate suppressed

# --------------------------------------------------------------
# SECTION E: VT / CONSOLE COMPLETENESS FOR ARCHISO BOOT
#
# The archiso environment uses the virtual terminal (VT) for its
# installation interface. These options ensure VT is fully
# functional during the live session.
# --------------------------------------------------------------

# VT_HW_CONSOLE_BINDING: Bind the hardware console driver to VT.
# Allows switching between framebuffer and hardware console
# drivers at runtime. Required for smooth transition from the
# EFI framebuffer (simpledrm) to the GPU driver's KMS console
# after the GPU driver probes during archiso boot.
# CONFIG_VT_HW_CONSOLE_BINDING already set above -- duplicate suppressed

# CONSOLE_TRANSLATIONS: Character set translation tables.
# Provides the console_map facility used to display non-ASCII
# characters on the VT in the archiso installer (package names,
# mirror URLs with unicode characters).
# CONFIG_CONSOLE_TRANSLATIONS already set above -- duplicate suppressed

# --------------------------------------------------------------
# SECTION F: GPU DISPLAY INFRASTRUCTURE
#
# Additional DRM/KMS infrastructure required by modern Wayland
# compositors and multi-GPU setups.
# --------------------------------------------------------------

# DRM_BRIDGE: DRM bridge driver support.
# Bridges connect the display controller output to the physical
# connector (e.g. LVDS encoder, DP bridge, HDMI encoder).
# Required by several connector drivers and by the DRM panel
# subsystem. Without this, some external displays on laptops
# with bridge chips (common on AMD and Intel laptops post-2020)
# show as unconfigured in KMS.
CONFIG_DRM_BRIDGE=y

# DRM_PANEL: DRM panel support.
# Provides the panel subsystem used by display drivers to manage
# LCD and OLED panels (backlight, enable/disable, modes).
# Required by: laptop displays using the panel bridge model,
# simpledrm panel fallback, and Wayland compositors that use
# the DRM panel API for backlight control via xdg-desktop-portal.
CONFIG_DRM_PANEL=y

# DRM_PANEL_SIMPLE: Generic simple panel driver.
# Supports hundreds of LCD/OLED panels via a static table.
# Covers most laptop internal displays (eDP panels) not
# supported by a dedicated vendor driver.
CONFIG_DRM_PANEL_SIMPLE=y

# DRM_DISPLAY_DP_HELPER: DisplayPort link training helpers.
# Used by i915, amdgpu, xe, and nouveau for DP/eDP link
# training. Already likely selected as a dependency, but
# making it explicit ensures it is not accidentally dropped.
# Already set via DRM_DISPLAY_HELPER dep chain. Listed for
# documentation clarity.
# CONFIG_DRM_DISPLAY_DP_HELPER=y  (already y via dep chain)

# DRM_FBDEV_EMULATION: Framebuffer device emulation over DRM.
# Already set. Documents why it stays: archiso uses fbterm and
# the console framebuffer before Wayland starts. fbdev
# emulation provides /dev/fb0 from the KMS device.
# CONFIG_DRM_FBDEV_EMULATION=y  (already set)

# BACKLIGHT_LCD_SUPPORT: LCD backlight support infrastructure.
# Provides the backlight class device infrastructure. Required
# by Hyprland and wlroots for adjusting display brightness via
# the /sys/class/backlight/ sysfs interface.
CONFIG_BACKLIGHT_LCD_SUPPORT=y

# BACKLIGHT_PWMBL: PWM backlight driver.
# Controls display brightness via PWM signal. Present on most
# laptops with Intel and AMD integrated graphics where the
# backlight is driven by the PWM output of the PCH/APML.
CONFIG_BACKLIGHT_PWMBL=y

# ACPI_BACKLIGHT: ACPI-based backlight control.
# Provides the _BCM/_BQC ACPI methods for backlight on laptops.
# Used as a fallback when the GPU driver does not implement its
# own backlight interface. Hyprland's wlr-backlight protocol
# relies on either the GPU driver or ACPI backlight.
CONFIG_ACPI_BACKLIGHT=y

# --------------------------------------------------------------
# SECTION G: FILESYSTEMS REQUIRED BY ARCH LINUX ENVIRONMENTS
# --------------------------------------------------------------

# BTRFS: B-tree filesystem.
# Arch Linux's recommended filesystem for modern installs.
# Required to mount the root during post-install and for
# Btrfs subvolume snapshots used by timeshift/snapper.
# Note: BTRFS is likely already y in the base config.
# Listed here for explicit documentation.
# CONFIG_BTRFS_FS=y  (verify separately -- likely already set)

# FUSE_FS: Filesystem in userspace.
# Required by: overlayfs upper-layer userspace implementations,
# sshfs, rclone mounts, gvfs (used by GTK file dialogs in
# Wayland), AppImage loop mounts, Flatpak sandbox runtime.
# Without FUSE, most GTK and Qt file dialogs in Wayland sessions
# cannot show remote or virtual filesystems.
# CONFIG_FUSE_FS=y  (already y in base config)

# NLS_UTF8: UTF-8 codepage support.
# Required for correct Unicode filename display on FAT, NTFS,
# and ISO9660 filesystems during archiso boot.
# Ensures accented characters in filenames (common in
# localised Arch mirrors) are handled correctly.
# CONFIG_NLS_UTF8=y  (already y in base config)

# --------------------------------------------------------------
# SECTION H: MISCELLANEOUS WAYLAND/HYPRLAND REQUIREMENTS
# --------------------------------------------------------------

# DNOTIFY: Directory notification.
# Legacy but required by some GTK applications and file
# managers that use it alongside inotify. Zero cost.
CONFIG_DNOTIFY=y

# POSIX_TIMERS: POSIX timer support.
# Required by PipeWire, PulseAudio, and libinput for accurate
# timing in the Wayland session. Without this, PipeWire cannot
# create CLOCK_MONOTONIC-based timers for audio scheduling.
# This should already be y but is listed for completeness.
# CONFIG_POSIX_TIMERS=y  (verify -- should be default y)

# TIMERFD: timerfd() syscall support.
# Used by wlroots event loop, libinput timer handling, and
# Wayland compositor frame pacing. The Hyprland compositor
# uses timerfd for its animation and vsync timer callbacks.
# CONFIG_TIMERFD already set above -- duplicate suppressed

# EVENTFD: eventfd() syscall support.
# Used by Wayland protocol socket wakeup, PipeWire ringbuffer
# synchronisation, and Vulkan driver fence notification.
# CONFIG_EVENTFD already set above -- duplicate suppressed

# EPOLL: epoll() I/O event notification.
# The primary event loop primitive in every Wayland compositor.
# wlroots, Hyprland, KWin, and Mutter all use epoll as the
# backbone of their display server event loop. Without epoll,
# no Wayland compositor can function.
# CONFIG_EPOLL already set above -- duplicate suppressed

# SIGNALFD: signalfd() syscall.
# Used by systemd user session, dbus-daemon, and several
# Wayland session helpers for clean signal handling.
# CONFIG_SIGNALFD already set above -- duplicate suppressed

# UNIX domain sockets: AF_UNIX.
# The Wayland protocol uses Unix domain sockets exclusively.
# Every Wayland client and compositor communicates via
# /run/user/<uid>/wayland-0 (a Unix socket). This is
# non-negotiable: without AF_UNIX, no Wayland session starts.
# CONFIG_UNIX=y  (should already be y -- confirm)
# CONFIG_UNIX already set above -- duplicate suppressed

# SHMEM: shared memory support.
# Wayland's primary buffer sharing mechanism for software
# rendering (wl_shm protocol) uses POSIX shared memory, which
# relies on CONFIG_SHMEM. Already set in base config.
# Listed for completeness.
# CONFIG_SHMEM=y  (already y)

# EXPERT mode off: Ensure safety-critical syscalls are not
# accidentally disabled by an EXPERT=y that gates them.
# CONFIG_EXPERT is not set

# --------------------------------------------------------------
# SECTION I: SECURITY COMPLETENESS FOR WAYLAND SESSIONS
#
# Hyprland uses seccomp-bpf for sandboxing Flatpak and portal
# applications. Flatpak requires a functioning seccomp filter
# to sandbox GUI applications in a Wayland session.
# --------------------------------------------------------------

# SECCOMP: Secure computing mode.
# Required by Flatpak (seccomp sandbox), Chromium, Firefox,
# and many other Wayland-native applications for privilege
# separation. Without seccomp, Flatpak refuses to run
# sandboxed applications.
# CONFIG_SECCOMP already set above -- duplicate suppressed

# SECCOMP_FILTER: BPF-based seccomp filtering.
# Extends seccomp to allow flexible BPF syscall filters.
# Flatpak uses seccomp-bpf filters to restrict which syscalls
# sandboxed applications can invoke. This is the modern mode;
# old seccomp strict mode is insufficient.
# CONFIG_SECCOMP_FILTER already set above -- duplicate suppressed

# SECURITY_LOCKDOWN_LSM: Integrity lockdown module.
# Already likely configured, but required explicitly for
# Wayland security models that depend on kernel integrity.
# Listed for documentation; actual value depends on deployment.
# CONFIG_SECURITY_LOCKDOWN_LSM=y  (already y in security block)

# KEYS: Kernel key retention service.
# Required by: dm-crypt key management (used in encrypted
# Arch installs), eCryptfs, and some Wayland keyring daemons
# (e.g. GNOME Keyring in a Wayland session).
# CONFIG_KEYS already set above -- duplicate suppressed

# --------------------------------------------------------------
# SECTION J: POWER MANAGEMENT FOR WAYLAND LAPTOPS
#
# Laptops running Hyprland need correct ACPI lid, power button,
# and sleep/wake event delivery to the compositor.
# --------------------------------------------------------------

# INPUT_EVDEV is already y. This section documents why it also
# covers the ACPI button device events.

# ACPI_BUTTON: ACPI button driver (power/sleep/lid).
# Delivers lid-close, power-button, and sleep-button events as
# input events to /dev/input/eventN. Hyprland and KWin listen
# for these events to trigger sleep, lock, or lid-close actions.
# Without this, closing a laptop lid does not trigger any
# compositor action on Wayland (unlike X11 where logind handles
# it via acpid).
# CONFIG_ACPI_BUTTON already set above -- duplicate suppressed

# ACPI_LID: Laptop lid device driver.
# Specifically handles lid open/close state and generates the
# SW_LID switch event that libinput and logind use to determine
# lid state. Required for correct lid-close-to-sleep behaviour
# in Wayland sessions without acpid.
CONFIG_ACPI_LID=y

# ==============================================================
# END -- HYPERION v2.2.4 WAYLAND / HYPRLAND / ARCHISO ADDITIONS
# ==============================================================

# END -- HYPERION KERNEL v2.2.4
# Build: make -j$(nproc) LOCALVERSION="-Hyperion-2.2.4" KCFLAGS="-fivopts -fmodulo-sched -fno-semantic-interposition"
# Author: Soumalya Das (2026)
#
#  v2.2.4 -- ULTIMATE PERFORMANCE, RUST & DEVELOPER TOOLING PASS
#
#   RUST     -- CONFIG_RUST=y + CONFIG_HAVE_RUST=y
#              Full Rust language infrastructure in the kernel build.
#              Required for emerging Rust-based kernel drivers.
#              Zero overhead when no Rust drivers are loaded.
#
#   SCHED    -- CONFIG_SCHED_BORE=y: BORE scheduler (CachyOS default).
#              Burst-Oriented Response Enhancer: extends EEVDF with
#              per-task burst accounting. Interactive tasks (games,
#              audio, terminals) preempt batch tasks even under 100%
#              compile load. Best gaming-under-load feel on Linux.
#              CONFIG_SCHED_BORE_BURST_SMOOTHNESS=2 (balanced default).
#
#   IO       -- CONFIG_IOSCHED_ADIOS=y: CachyOS Adaptive Deadline I/O.
#              Predicts per-queue I/O latency via historical data.
#              Beats BFQ and Kyber on mixed desktop workloads.
#              Set as CONFIG_DEFAULT_IOSCHED="adios".
#
#   GPU      -- CONFIG_DRM_GPUVM=y: GPU VM manager framework.
#              Required by Mesa 24.1+ radv/anv Vulkan for GPU address
#              space management. Also for Intel Arc SR-IOV vGPU.
#              CONFIG_DRM_EXEC=y: GPU execution context manager.
#              CONFIG_DRM_PANEL=y + DRM_PANEL_SIMPLE=y: laptop eDP.
#              CONFIG_DRM_BRIDGE=y: bridge chip display support.
#
#   DEBUG    -- CONFIG_KGDB=y: kernel GDB over kgdboc/serial.
#              Full GDB session into a live or crashed kernel.
#              CONFIG_KGDB_KDB=y: KDB shell on crash -- no remote host.
#              CONFIG_MAGIC_SYSRQ=y: Alt+SysRq+{B,S,U,K,T,M,...}.
#              CONFIG_SCHED_DEBUG=y: /proc/sched_debug for BORE/scx tuning.
#              CONFIG_FTRACE=y + full tracer suite: irqsoff, preemptoff,
#              wakeup, hwlat, osnoise, timerlat, function graph.
#              CONFIG_DYNAMIC_DEBUG=y: per-site debug message toggle.
#
#   NETWORK  -- CONFIG_NET_SCH_TAPRIO=y: Time-Aware Priority Shaper.
#              Required for SO_TXTIME pacing, QUIC, TSN.
#              CONFIG_NET_SCH_ETF=y: Earliest TxTime First.
#              CONFIG_TCP_NOTSENT_LOWAT=y: eliminates kernel-side bufferbloat.
#              CONFIG_UDP_GRO=y: ~2x UDP receive (QUIC/HTTP3).
#              CONFIG_GRO_CELLS=y: multi-producer GRO for high-pps NICs.
#              CONFIG_NET_EMATCH=y: extended TC match framework.
#
#   MEMORY   -- CONFIG_ZRAM_DEF_COMP2="lz4hc": dual-stream ZRAM.
#              LZ4HC secondary tier: better ratio than LZ4, 3x faster
#              decompression vs ZSTD under extreme memory pressure.
#
#   LTO      -- CONFIG_LTO_NONE=y documented with full GCC flag guide.
#              Companion KCFLAGS: -fivopts -fmodulo-sched
#              -fno-semantic-interposition for measurable perf gain.
#
#   VERSION  -- Linux 6.19.6, GCC 14.2.0, Rust support enabled.
#
# ==============================================================
# LEGENDARY 2.2.4 STATUS: God-tier achieved 🧠🐧⚡🦀
#   Gaming · Development · Compilation · Media · Virtualization
#   Security · Networking · Storage · Audio · Display · Debug
# ==============================================================
#   USB PM  -- CONFIG_USB_AUTOSUSPEND_DELAY=-1: kernel compile-time
#              default for all USB devices set to "never autosuspend".
#              Eliminates the 2-second default that causes HID device
#              sleep (dropped keystrokes, stuck modifiers, mouse stutter)
#              and USB audio DAC disconnects (PipeWire silence, ALSA xruns).
#   USB PM  -- USB_DEFAULT_PERSIST=y (retained): preserves device
#              logical state across system sleep -- no full disconnect/
#              reconnect on resume, keyboard LEDs and audio state survive.
#   USB PERF-- usbhid.mousepoll=1, usbhid.kbpoll=1, usbhid.jspoll=1:
#              1 kHz polling for all HID devices (cmdline -- documented).
#   USB UDEV-- Full 5-layer defence strategy documented in config:
#              Layer 1: CONFIG_USB_AUTOSUSPEND_DELAY=-1 (this file)
#              Layer 2: usbcore.autosuspend=-1 (kernel cmdline)
#              Layer 3: udev rules for power/control="on" (class-based)
#              Layer 4: /etc/modprobe.d/usbcore.conf options
#              Layer 5: sysfs runtime verification commands
#   xHCI    -- Annotated USB_XHCI_PCI with xHCI autosuspend quirk
#              explanation (port power gating vs EHCI behavior).
#   AUDIO   -- SND_USB_AUDIO annotated with DAC autosuspend fix notes
#              and snd-usb-audio modprobe options for DAC stability.
#   CMDLINE -- Expanded boot parameter section with full USB param set:
#              usbcore.autosuspend=-1, usbcore.use_persist=1,
#              usbhid.mousepoll/kbpoll/jspoll=1, AMD+Intel examples.
#              Added full sysctl companion (vm.swappiness, tcp_rmem, etc.)
#              Added complete udev rules template in comment block.
#
#  v2.2.4 -- PRECISION TUNING PASS
#   SCHED    -- SCHED_HRTICK=y, PREEMPT_LAZY=y
#   MEMORY   -- HUGETLB_PAGE_OPTIMIZE_VMEMMAP=y, BATCHED TLB flush
#   TRACING  -- KPROBES + UPROBE_EVENTS for bpftrace/bcc
#   NETWORK  -- PAGE_POOL, ETHTOOL_NETLINK, SOCK_MAP, SKB_EXTENSIONS
#   GAMING   -- HID_STEAM, HID_NINTENDO, JOYSTICK_HRTIMER
#   POWER    -- AMD_PMF, ACPI_CPPC_CPUFREQ_FAST_SWITCH
#   CRYPTO   -- BLAKE2B/S, GHASH CLMUL explicit
#   STABILITY-- LIVEPATCH=y
#
#  v2.2.4 -- MONOLITHIC INTEGRATION PASS
#   All previous features retained -- see inline comments above.
# ==============================================================
#   SCHED    -- SCHED_HRTICK=y: sub-ms scheduler ticks via hrtimer
#              Critical for PipeWire 64-frame quanta and >120 FPS
#              frame pacing. Fills the gap HIGH_RES_TIMERS alone leaves.
#   SCHED    -- PREEMPT_LAZY=y: Linux 6.12 lazy preemption mode.
#              Switchable at boot (preempt=lazy/full) via PREEMPT_DYNAMIC.
#   MEMORY   -- HUGETLB_PAGE_OPTIMIZE_VMEMMAP=y: frees 7 struct pages
#              per 2 MB THP -- saves RAM on JVM/game-engine workloads.
#   MEMORY   -- ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y: batch TLB
#              shootdowns -- reduces IPI overhead in Vulkan submission.
#   TRACING  -- KPROBES=y + KRETPROBES=y + KPROBE_EVENTS=y +
#              UPROBE_EVENTS=y: dynamic probes for BPF bcc/bpftrace
#              tools (execsnoop, opensnoop, biolatency). Essential
#              for dev profiling without source instrumentation.
#   NETWORK  -- PAGE_POOL=y: per-NIC page recycling -- eliminates
#              alloc/free per packet at line rate.
#   NETWORK  -- ETHTOOL_NETLINK=y: modern ethtool netlink interface.
#   NETWORK  -- NET_SOCK_MSG=y + SOCK_MAP=y: BPF sockmap for Cilium,
#              Envoy, and zero-copy inter-socket redirection.
#   NETWORK  -- SKB_EXTENSIONS=y: per-packet metadata extension slots.
#   CRYPTO   -- BLAKE2B=y + BLAKE2S=y: fast modern hash (BTRFS b2,
#              restic, WireGuard PSK, systemd-homed).
#   CRYPTO   -- GHASH_CLMUL_NI_INTEL=y built-in (was missing explicit).
#   POWER    -- AMD_PMF=y: AMD Platform Management Framework for Zen4+
#              laptops (SmartShift eco/performance modes).
#   POWER    -- ACPI_CPPC_CPUFREQ_FAST_SWITCH=y: frequency transitions
#              from IRQ context -- removes per-transition context-switch.
#   GAMING   -- HID_STEAM=y: Valve Steam Controller support.
#   GAMING   -- HID_NINTENDO=y: Switch Pro / Joy-Con support.
#   GAMING   -- JOYSTICK_HRTIMER=y: 1 kHz+ gamepad polling support.
#   STABILITY-- LIVEPATCH=y: live kernel patching (kpatch/kGraft).
#              Apply CVE fixes without rebooting running VMs/games.
#
#  v2.2.4 -- MONOLITHIC INTEGRATION PASS (all =m -> =y):
#   BUILTIN  -- 608 module entries promoted to built-in (=y)
#              Zero module-load latency for ANY in-tree driver.
#              bzImage handles everything on its own.
#   BUILTIN  -- KALLSYMS_ALL=y (full symbol table, safe now everything
#              is in-tree -- required for sched_ext BPF introspection)
#   BUILTIN  -- EFIVAR_FS=y (was =m -- efibootmgr works from initramfs)
#
#  All previous v2.2.4 additions retained
# ==============================================================
#   TARGET   -- Full compatibility: Arch - Ubuntu - Debian - Fedora -
#              openSUSE - RHEL - Mint - Pop!_OS - NixOS and any
#              distro that ships a standard Linux userspace.
#
#   SECURITY -- CONFIG_SECURITY_SELINUX=y: full SELinux support
#              compiled in for Fedora/RHEL/Android-lineage distros.
#              CONFIG_SECURITY_TOMOYO=y: pathname MAC for openSUSE/Debian.
#              Both coexist with AppArmor (default) -- boot param selects.
#
#   WIRELESS -- CONFIG_ATH9K/10K/11K/12K=y: Qualcomm Atheros 802.11n
#              through Wi-Fi 7. Every ath-chipset laptop now works OOB.
#              CONFIG_RTW88=y + CONFIG_RTW89=y: modern Realtek 802.11ax
#              (was missing -- RTL8852/8851 laptops had no Wi-Fi).
#              CONFIG_MT7925=y: MediaTek Wi-Fi 7 (2024+ laptops).
#              CONFIG_BRCMSMAC=y: Broadcom WLAN for Apple/Lenovo hybrids.
#              CONFIG_IWLWIFI: Intel AX200/210/211 fully covered.
#
#   THUNDERBOLT/USB4 -- CONFIG_THUNDERBOLT=y + CONFIG_USB4=y:
#              eGPU docks, TB4 NVMe, TB networking, USB4 hubs all work.
#
#   WIREGUARD -- CONFIG_WIREGUARD=y: built-in WireGuard VPN.
#              Zero module-load race; crypto (ChaCha20/Poly1305 NI)
#              available from first packet.
#
#   WEBCAM/MEDIA -- CONFIG_USB_VIDEO_CLASS=y: every USB webcam (UVC).
#              CONFIG_V4L2_MEM2MEM_DEV=y: hardware video encode/decode.
#              CONFIG_MEDIA_CEC_SUPPORT=y: HDMI CEC for AV receivers.
#              CONFIG_DVB_CORE=y: TV tuners and SDR dongles.
#
#   SOC AUDIO -- Intel SOF (ICL/TGL/ADL/MTL), AMD ACP3x/6x/PS:
#              modern laptop audio now works without out-of-tree DKMS.
#              RT5682/RT5682S/CS35L41 codec support for 2020-2026 laptops.
#
#   BLUETOOTH -- BT_HCIUART + Intel/QCA/BCM UART drivers: laptop BT
#              (Intel AX210, Qualcomm WCN685x) now works OOB.
#
#   HID       -- CONFIG_HID_WACOM=y: full Wacom tablet/stylus/pen support.
#              CONFIG_HID_UCLOGIC=y: XP-Pen, Huion, Gaomon, UGEE, Veikk.
#              CONFIG_HIDRAW=y: libfprint fingerprint readers, fwupd,
#              OpenRGB, Piper, and all HID-based userspace tools.
#
#   VIRT FIXES-- CONFIG_KVM_SMM=y: OVMF/EDK2 UEFI guests now POST.
#              CONFIG_KVM_HYPERV=y: Windows VM performance +20-40%.
#              CONFIG_KVM_XEN=y: Xen workload migration.
#              CONFIG_VFIO_PLATFORM=y: non-PCI device passthrough.
#              CONFIG_VFIO_VIRQFD=y: explicit IRQ fd for VFIO.
#              CONFIG_VSOCK_LOOPBACK=y: Waydroid clipboard/ADB fixed.
#              CONFIG_VHOST_VDPA=y + CONFIG_VDUSE=y: SR-IOV vDPA NICs.
#
#   IOMMU     -- CONFIG_IOMMU_SVA=y: VFIO+GPU heterogeneous compute.
#              CONFIG_INTEL_IOMMU_PERF_EVENTS=y: VT-d profiling.
#
#   POWER     -- CONFIG_ACPI_PLATFORM_PROFILE=y: power-profiles-daemon.
#              CONFIG_AMD_PMC=y: AMD s2idle (modern standby) on laptops.
#              CONFIG_AMD_HSMP=y: per-CCX power telemetry.
#
#   STORAGE   -- CONFIG_NVME_FC=y: NVMe over Fibre Channel (enterprise).
#              CONFIG_SCSI_MQ_DEFAULT=y: multi-queue SCSI mandatory.
#              CONFIG_DM_USER=y: Android Virtual A/B OTA snapshots.
#
#   NET       -- CONFIG_WIREGUARD=y: modern VPN built-in.
#              CONFIG_L2TP=y + L2TP_V3/IP/ETH: enterprise/ISP VPNs.
#              CONFIG_NETFILTER_XT_TARGET_CHECKSUM=y: VM DHCP/DNS fix.
#
#  All previous v2.2.4 additions retained (see below)
# ==============================================================
#
# v2.2.4 -- MONOLITHIC INTEGRATION PASS (all =m -> =y):
#   BUILTIN  -- 608 module entries promoted to built-in (=y)
#              Zero module-load latency for ANY in-tree driver.
#              bzImage handles everything on its own.
#   BUILTIN  -- KALLSYMS_ALL=y (full symbol table, safe now everything
#              is in-tree -- required for sched_ext BPF introspection)
#   BUILTIN  -- EFIVAR_FS=y (was =m -- efibootmgr works from initramfs)
#
# v2.2.4 -- NEW GOD-TIER TWEAKS (sourced from web + upstream):
#   SCHED    -- SCHED_CLASS_EXT=y: sched_ext BPF framework (Linux 6.12)
#              Runtime-swappable CPU schedulers: scx_bpfland, scx_lavd,
#              scx_rusty -- no recompile needed to switch schedulers.
#   SCHED    -- UCLAMP_TASK=y + UCLAMP_TASK_GROUP=y: CPU capacity
#              clamping -- games pin to fast cores, bg tasks stay quiet.
#   SCHED    -- SCHED_ISOLATION=y: per-task isolation hints for nohz_full
#   SCHED    -- IRQ_FORCED_THREADING=y: all IRQ handlers threaded
#              -> scheduler has full control over IRQ timing
#   MEMORY   -- RCU_NOCB_CPU=y + RCU_NOCB_CPU_DEFAULT_ALL=y:
#              RCU callbacks off nohz_full CPUs -- fixes silent RCU stalls
#   MEMORY   -- LRU_GEN_WALKS_MMU=y: MGLRU MMU-walk mode (more accurate
#              cold-page detection, fewer false evictions)
#   MEMORY   -- SLAB_BUCKETS=y: reduced SLUB fragmentation
#   MEMORY   -- INIT_STACK_ALL_ZERO=y: zero-init all stack variables
#   MEMORY   -- BALLOON_COMPACTION=y: combat THP fragmentation
#   SECURITY -- RANDOMIZE_KSTACK_OFFSET=y (one instruction per syscall,
#              kills stack-layout exploits -- Kees Cook, 5.17)
#   SECURITY -- HARDENED_USERCOPY_FALLBACK=n (strict object boundary)
#   CACHE    -- WQ_POWER_EFFICIENT=n: no cross-core workqueue migration
#              -> prevents L1/L2 cache thrashing (CachyOS tip)
#   NUMA     -- NUMA_AWARE_SPINLOCKS=y: reduces NUMA lock bouncing
#              on AMD Zen multi-CCX and multi-socket Intel
#   NET      -- NET_RX_BUSY_POLL=y: spin-poll receive queues
#   NET      -- TCP_FASTOPEN=y: -1 RTT on repeat TCP connections
#   CRYPTO   -- AES-NI/AVX/ChaCha20/Poly1305 all built-in (was =m)
#              WireGuard/TLS 1.3/dm-crypt available from first call
#   STORAGE  -- NVME_TCP + NVME_RDMA built-in (NVMe-oF zero-latency)
#   FS       -- FSCACHE + CACHEFILES built-in (NFS/CIFS persistent cache)
#   HW       -- INTEL_RAPL + AMD_ENERGY: power telemetry for EAS
#   HW       -- X86_SGX=y: Intel SGX enclave support (zero cost unused)
#   HW       -- VIRT_CPU_ACCOUNTING_GEN=y: correct accounting w/ nohz_full
#
# v2.2.4: SCHED_CORE, INTEL_IDLE, ZSWAP_SHRINKER, PER_VMA_LOCK,
#         INET_DIAG=y, NVME_AUTH, RANDOM_KMALLOC_CACHES
#
# v2.2.4 -- QEMU boot + Waydroid:
#   BOOT FIX  -- BLK_DEV_INITRD=y + RD_* decompressors (was missing)
#   BOOT FIX  -- VIRTIO=y, VIRTIO_PCI=y, VIRTIO_BLK=y (was =m)
#   BOOT FIX  -- ATA_PIIX=y (was =m)
#   WAYDROID  -- ANDROID=y, ANDROID_BINDER_IPC=y, ANDROID_BINDERFS=y
#   GUI INPUT -- INPUT_EVDEV=y (was missing)
#   BLUETOOTH -- BT=y stack + UHID (was entirely absent)
#
# v2.2.4 -- KVM / VM / Waydroid full pass (new additions):
#   KVM      -- KVM_ASYNC_PF=y: async page fault delivery (huge win for
#              ballooned/swapped guest memory -- vCPU parks instead of halts)
#   KVM      -- KVM_COMPAT=y: 32-bit compat ioctls for legacy mgmt tools
#   KVM      -- KVM_AMD_SEV_SNP=y: Secure Nested Paging for AMD EPYC 3rd+
#   VFIO     -- VFIO_PCI_VGA=y: VGA aperture passthrough (single-GPU, Looking Glass)
#   VHOST    -- VHOST_IOTLB=y: IOMMU TLB for vhost-user / vDPA correctness
#   VHOST    -- VHOST_RING=y: shared virtqueue ring (required by all vhost backends)
#   VIRTIO   -- VIRTIO_MMIO=y + VIRTIO_MMIO_CMDLINE_DEVICES=y:
#              VirtIO over MMIO (Firecracker, QEMU microvm, direct-boot)
#   VIRTIO   -- VIRTIO_PMEM=y: VirtIO NVDIMM/DAX device for pmem guests
#   VIRTIO   -- VIRTIO_DMA_SHARED_BUFFER=y: zero-copy virgl/virtio-gpu DMA
#   IOMMU    -- X86_MEM_ENCRYPT=y: umbrella for AMD SME/SEV + Intel TME
#   IOMMU    -- AMD_MEM_ENCRYPT=y (active_by_default=n): opt-in SME/SEV host
#   IOMMU    -- INTEL_TDX_GUEST=y: run this kernel inside a TDX trust domain
#   WAYDROID -- ANDROID_BINDER_IPC_SELFTEST disabled (production-safe)
#              Full container dependency audit added as inline comments
#
# v2.2.4 -- Real hardware (UEFI) sanity pass:
#   REAL HW   -- CONFIG_EFI=y: UEFI runtime services (was missing)
#   REAL HW   -- CONFIG_EFI_STUB=y: kernel IS the EFI executable
#   REAL HW   -- CONFIG_EFIVAR_FS=y: /sys/firmware/efi/efivars
#               (was =m -- now built-in, available before initramfs)
#   REAL HW   -- CONFIG_USB_HID=y: USB keyboards in initramfs
#
# v2.2.4 -- FULL VM / KVM / WAYDROID / ANDROID PASS:
#   KVM EXT  -- KVM_MMIO=y: MMIO emulation (ACPI/PCI ROM/BIOS in VMs)
#   KVM EXT  -- KVM_ASYNC_PF=y: async page fault -- stops vCPU stalls
#              on host page faults. Critical for overcommit + Windows.
#   KVM EXT  -- KVM_VFIO=y: KVM<->VFIO bridge for GPU/device passthrough
#              MSI/MSI-X from VFIO devices now reach the guest.
#   KVM EXT  -- KVM_SMM=y: SMM emulation -- REQUIRED for OVMF/EDK2 UEFI
#              firmware. Without it QEMU UEFI VMs silently fail to boot.
#   KVM EXT  -- KVM_HYPERV=y: Hyper-V enlightenments for Windows VMs
#              Reduces VM exits 20-40%. Free perf for Win10/11 guests.
#   KVM EXT  -- KVM_XEN=y: Xen compat layer -- Xen->KVM workload migration
#   KVM EXT  -- X86_SGX_KVM=y: SGX enclaves inside KVM guests
#   KVM EXT  -- KVM_GENERIC_DIRTYLOG_READ_PROTECT=y: live migration
#   KVM EXT  -- KVM_COMPAT=y: 32-bit KVM ioctl compat for legacy tools
#   VFIO EXT -- VFIO_NOIOMMU=y: VFIO without IOMMU (dev/test; use carefully)
#   VFIO EXT -- VFIO_PCI_VGA=y: VGA legacy decode passthrough (old GPUs)
#   VFIO EXT -- VFIO_PLATFORM=y: platform device passthrough (ARM compat)
#   VFIO EXT -- VFIO_VIRQFD=y: virtual IRQ fd (explicit, was implicit)
#   VIRT EXT -- VIRTIO_MMIO=y: mmio virtio transport (Cuttlefish/ARM QEMU)
#   VIRT EXT -- VIRTIO_PMEM=y: virtio NVDIMM passthrough to guests
#   VIRT EXT -- VIRTIO_IOMMU=y: para-virt IOMMU -- DMA isolation in guests
#   VHOST    -- VHOST_IOTLB=y: vhost IOMMU TLB (foundation for vDPA)
#   VHOST    -- VHOST_VDPA=y: SR-IOV VFs exposed as virtio (line-rate NIC)
#   VHOST    -- VDUSE=y: userspace vDPA backend (DPDK/SPDK as vhost block)
#   VSOCK    -- VSOCK_LOOPBACK=y: REQUIRED for Waydroid host<->container
#              clipboard sync, show-full-ui, ADB over vsock -- was missing!
#   IOMMU    -- IOMMU_SVA=y: Shared Virtual Addressing for VFIO+DMA-BUF
#   IOMMU    -- INTEL_IOMMU_PERF_EVENTS=y: VT-d perf counters (profiling)
#   ANDROID  -- Full Waydroid requirement audit table added (see above)
#   ANDROID  -- DM_USER=y: Android Virtual A/B OTA snapshots
#   NET      -- NETFILTER_XT_TARGET_CHECKSUM=y: fix VM DHCP/DNS checksums
# ==============================================================

# ==============================================================
# RECOMMENDED KERNEL COMMAND-LINE PARAMETERS (bootloader)
# Add to GRUB_CMDLINE_LINUX / systemd-boot options / etc.
# ==============================================================
#
#  USB STABILITY (CRITICAL -- do not omit)
#
#   usbcore.autosuspend=-1
#     WHY: Even though CONFIG_USB_AUTOSUSPEND_DELAY=-1 sets the
#     compile-time default, some initramfs environments (dracut,
#     mkinitcpio with usbcore early-load) can set the parameter
#     from their own modprobe.d BEFORE this kernel's Kconfig
#     default takes effect. This cmdline parameter overrides
#     any modprobe.d options and is evaluated by the kernel's
#     param parser before ANY driver initialises. It is the
#     absolute last word on the autosuspend default.
#     Effect: /sys/module/usbcore/parameters/autosuspend = -1
#     for the lifetime of the boot.
#
#   usbcore.use_persist=1
#     WHY: Enables USB device persistence across system suspend.
#     Without this, every wake-from-suspend causes the USB stack
#     to disconnect and reconnect all devices -- keyboards lose
#     their LED state, audio DACs reset their sample rate, and
#     USB hubs re-enumerate all children. With use_persist=1,
#     the kernel saves the device's logical state and re-attaches
#     to the same device object after resume, with sub-50 ms
#     total restoration time vs 500 ms-2 s for full re-enum.
#
#   usbcore.initial_descriptor_timeout=5000
#     WHY: Increases the USB device descriptor read timeout from
#     the default 5s to 5s (already default -- but explicit here).
#     On slow embedded USB hubs this prevents "device not accepting
#     address" errors at boot that cause USB keyboards to not appear.
#     Harmless on fast hardware.
#
#   usbhid.mousepoll=1
#     WHY: Forces USB HID mice and trackballs to poll at 1 ms
#     intervals (1000 Hz) instead of their default 8 ms (125 Hz)
#     or 4 ms (250 Hz). Results in sub-1 ms input latency for
#     gaming mice. Some mice poll at 8 ms by default even if they
#     are capable of 1 ms. This overrides it system-wide.
#     Note: for per-device control, use evdev-based udev rules.
#
#   usbhid.kbpoll=1
#     WHY: Sets USB keyboard polling to 1 ms. Default is 10 ms
#     (100 Hz). At 10 ms a fast typist can lose keystrokes during
#     scheduler latency spikes. At 1 ms the kernel sees each
#     keypress within 1 ms of the physical event -- eliminates the
#     "double-tap required" issue under heavy CPU load.
#
#   usbhid.jspoll=1
#     WHY: Sets USB joystick/gamepad polling to 1 ms. Critical for
#     fighting game inputs (1-frame = 16 ms at 60 FPS; missing a
#     1-frame window at 8 ms poll means 50% chance of dropped input).
#
#  CORE PERFORMANCE
#
#   preempt=full
#     Maximum scheduler responsiveness. CFS preempts at every
#     opportunity -- lowest input latency for Wayland/Hyprland.
#
#   threadirqs
#     All IRQ handlers become kernel threads, giving the scheduler
#     full control over their timing. GPU interrupt storms no longer
#     block keyboard/mouse event delivery. Pairs with CONFIG_IRQ_FORCED_THREADING=y.
#
#   mitigations=auto
#     Keep Spectre/Meltdown mitigations. Penalty is <3% on Zen4/Alder
#     Lake. Disabling them for "performance" is irresponsible on a
#     daily-driver with a browser running untrusted JS.
#
#   transparent_hugepage=madvise
#     THP only for memory regions that explicitly request it via
#     madvise(MADV_HUGEPAGE). Games and JVMs benefit; background
#     daemons with small allocs do not waste memory on 2 MB chunks.
#
#   hugepagesz=2M hugepages=512
#     Pre-allocates 1 GB of locked 2 MB huge pages at boot.
#     Available to games, Wine/Proton (enable via WINE_LARGE_ADDRESS_AWARE),
#     and JVMs (java -XX:+UseLargePages). Avoids fragmentation stalls.
#
#  CPU / SCHEDULER
#
#   nohz_full=2-N         (replace N with max CPU index)
#     Tickless operation on all CPUs except core 0. A CPU running a
#     single-threaded game loop or ML inference receives NO timer
#     interrupts -- eliminating the periodic 1 ms jitter that causes
#     frame time variance and audio xruns.
#
#   rcu_nocbs=2-N
#     Move RCU callbacks off the nohz_full CPUs. Without this,
#     nohz_full is silently broken: RCU grace periods stall when
#     callbacks can't run on a tickless CPU.
#
#   skew_tick=1
#     Stagger the HZ tick across CPUs so they don't all fire
#     simultaneously. Reduces memory bus contention during tick
#     processing and eliminates "thundering herd" IRQ storms.
#
#   nosoftlockup
#     Disable the soft lockup watchdog. On nohz_full CPUs the
#     watchdog fires false positives when a CPU is legitimately
#     running a tight game loop without yielding. Eliminates
#     spurious "soft lockup" kernel messages under gaming load.
#
#  AMD-SPECIFIC
#
#   amd_pstate=active
#     AMD P-State with EPP (Energy Performance Preference) in
#     active mode. The CPU hardware manages its own boost/frequency
#     within the EPP hint -- faster response than OS-controlled
#     passive mode. Required for proper Zen4 boost behavior.
#
#   amd_iommu=pt
#     AMD IOMMU passthrough mode -- devices with no VFIO driver
#     bypass the IOMMU translation table entirely (direct PA->PA).
#     Eliminates ~2-5% IOMMU translation overhead on NVMe I/O.
#
#  INTEL-SPECIFIC
#
#   intel_pstate=active
#     Intel HWP active mode -- equivalent to AMD active EPP.
#
#   intel_iommu=on
#     Enable VT-d. Required for VFIO GPU passthrough.
#     Default is off to avoid DMA remapping overhead on non-VFIO hosts.
#
#  MEMORY (sysctl -- set in /etc/sysctl.d/99-hyperion.conf)
#
#   vm.swappiness=10
#   vm.dirty_ratio=10
#   vm.dirty_background_ratio=5
#   vm.vfs_cache_pressure=50          -- keep dentries/inodes in cache
#   kernel.numa_balancing=1
#   net.core.default_qdisc=fq
#   net.ipv4.tcp_congestion_control=bbr
#   net.core.rmem_max=16777216
#   net.core.wmem_max=16777216
#   net.ipv4.tcp_rmem=4096 87380 16777216
#   net.ipv4.tcp_wmem=4096 65536 16777216
#
#  SECURITY (hardened but DKMS-compatible)
#
#   lockdown=none
#   lsm=landlock,lockdown,yama,apparmor,bpf
#
#  COMPLETE EXAMPLE CMDLINE (AMD Zen4 gaming desktop)
#
#   quiet splash preempt=full threadirqs
#   usbcore.autosuspend=-1 usbcore.use_persist=1
#   usbhid.mousepoll=1 usbhid.kbpoll=1 usbhid.jspoll=1
#   amd_pstate=active amd_iommu=pt
#   transparent_hugepage=madvise hugepagesz=2M hugepages=512
#   nohz_full=1-N rcu_nocbs=1-N skew_tick=1 nosoftlockup
#   lsm=landlock,lockdown,yama,apparmor,bpf
#
#  COMPLETE EXAMPLE CMDLINE (Intel 13th/14th gen gaming desktop):
#
#   quiet splash preempt=full threadirqs
#   usbcore.autosuspend=-1 usbcore.use_persist=1
#   usbhid.mousepoll=1 usbhid.kbpoll=1 usbhid.jspoll=1
#   intel_pstate=active intel_iommu=on
#   transparent_hugepage=madvise hugepagesz=2M hugepages=512
#   nohz_full=1-N rcu_nocbs=1-N skew_tick=1 nosoftlockup
#   lsm=landlock,lockdown,yama,apparmor,bpf
#
#  COMPLETE USERSPACE COMPANION (apply after boot)
#
#   /etc/modprobe.d/usbcore.conf:
#     options usbcore autosuspend=-1
#
#   /etc/udev/rules.d/99-usb-power.rules:
#     ACTION=="add", SUBSYSTEM=="usb", TEST=="power/control",       \
#       ATTR{power/control}="on"
#     ACTION=="add", SUBSYSTEM=="usb",                               \
#       TEST=="power/autosuspend_delay_ms",                          \
#       ATTR{power/autosuspend_delay_ms}="-1"
#     ACTION=="add", SUBSYSTEM=="usb", ATTR{bDeviceClass}=="03",    \
#       ATTR{power/control}="on"
#     ACTION=="add", SUBSYSTEM=="usb", ATTR{bDeviceClass}=="01",    \
#       ATTR{power/control}="on"
#     ACTION=="add", SUBSYSTEM=="usb", ATTR{bDeviceClass}=="09",    \
#       ATTR{power/control}="on"
#
#   Reload rules without reboot:
#     sudo udevadm control --reload-rules
#     sudo udevadm trigger --subsystem-match=usb
#
# ==============================================================


# ==============================================================
# HYPERION KERNEL v2.2.4 -- PERFORMANCE & SECURITY TUNING PASS
#
# This is the "2026 Baseline" config pass. Every option below
# is documented with its rationale, source, and expected impact.
#
# Sources:
#   - kernel.org/doc/html/latest/bpf/
#   - kernel.org/doc/html/latest/scheduler/sched-ext.html
#   - kernel.org/doc/html/latest/security/landlock.html
#   - kernel.org/doc/html/latest/admin-guide/ipe.html
#   - CachyOS kernel config (cachy-linux/linux-cachyos)
#   - LKML BPF/sched-ext discussions 2025-2026
# ==============================================================

# ==============================================================
# BPF & JIT OPTIMIZATION
# In 2026, BPF is the backbone of networking, security (LSM),
# and scheduling (sched-ext). Every BPF program MUST run at
# native machine speed via JIT -- interpreted BPF is 10-100x
# slower and a regression in every measurable workload.
#
# Source: kernel.org/doc/html/latest/bpf/bpf_design_QA.html
#         LKML: "bpf: JIT always on" -- Daniel Borkmann 2018
# ==============================================================
# JIT: compiles BPF bytecode -> native x86_64 machine code.
# Without this, every XDP hook, every Cilium rule, every
# sched-ext decision runs in a software interpreter -- unacceptable.
CONFIG_BPF_JIT=y
# ALWAYS_ON: eliminates the interpreter entirely.
# Attack surface reduction: without an interpreter, BPF
# speculative execution bugs (Spectre-BPF class) are blocked.
# Source: lore.kernel.org/bpf/20180427150343.26759-1-ast@kernel.org
CONFIG_BPF_JIT_ALWAYS_ON=y
# DEFAULT_ON: JIT active without sysctl net.core.bpf_jit_enable=1
# required for sched-ext and Cilium to work correctly out of the box.
CONFIG_BPF_JIT_DEFAULT_ON=y
# UNPRIV_DEFAULT_OFF: unprivileged users cannot load BPF programs.
# CVE-2021-3490, CVE-2022-0185, CVE-2023-2163 all required
# unprivileged BPF access as a prerequisite.
# This is the single most impactful BPF hardening knob in 2026.
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y

# ==============================================================
# ADVANCED SCHEDULER EXTENSIONS (sched-ext)
# Linux 6.12+ allows the CPU scheduler policy to be replaced
# at runtime with a BPF program -- without rebooting or
# recompiling the kernel. This is the biggest breakthrough in
# desktop scheduling feel since CFS replaced O(1) in 2007.
#
# Runtime-swappable schedulers:
#   scx_bpfland  -- interactive-first, good for desktop/gaming
#   scx_lavd     -- Latency-criticAl Virtual Deadline (CachyOS)
#   scx_rusty    -- NUMA-aware multi-layer scheduler (Meta)
#   scx_tickless -- aggressive tickless for HPC/ML workloads
#
# Source: kernel.org/doc/html/latest/scheduler/sched-ext.html
#         github.com/sched-ext/scx
# ==============================================================
CONFIG_SCHED_CLASS_EXT=y

# ==============================================================
# ARCH-SPECIFIC & INSTRUCTION TUNING
# Modern CPUs expose features the kernel can exploit internally
# for memory copies, checksums, and APIC scaling.
# Source: kernel.org/doc/html/latest/x86/x86_64/
# ==============================================================
# X2APIC: Scales interrupt routing to 2^32 CPUs.
# Required on any EPYC/Threadripper with >255 logical CPUs.
# On desktop it reduces APIC register access latency.
CONFIG_X86_X2APIC=y
# CHECK_BIOS_CORRUPTION: Scans the BIOS reserved memory region
# for corruption during boot and on a timer. Catches bad BIOS
# firmware that overwrites kernel memory on certain platforms.
CONFIG_X86_CHECK_BIOS_CORRUPTION=y
# Disabled: automatic memory corruption check at boot adds latency.
# The timer-based check in CHECK_BIOS_CORRUPTION is sufficient.
# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set
# INTEL_USERCOPY_CHECK: Use enhanced REP MOVSB/STOSB (ERMSB)
# for copy_user() on Haswell+ processors.
# Benefit: ~2x faster user<->kernel copies on Sandy Bridge+.
# Source: Intel Optimization Manual, Section 3.7.6
CONFIG_X86_INTEL_USERCOPY_CHECK=y
# AMD PSTATE: Active EPP mode (mode=3) -- hardware manages its
# own frequency within the Energy Performance Preference hint.
# Mode 3 gives the best single-core boost on Zen3/4 because
# the CPU reacts to load faster than any OS governor can.
CONFIG_X86_AMD_PSTATE=y
CONFIG_X86_AMD_PSTATE_DEFAULT_MODE=3

# ==============================================================
# FILESYSTEM & CACHING PERFORMANCE
# FS_ENCRYPTION and FS_VERITY are prerequisite infrastructure
# for modern filesystems: ext4 and f2fs use both for per-file
# encryption and dm-verity-style integrity without dm-verity.
#
# UNICODE: Case-insensitive directory lookups. Steam on Linux
# requires case-insensitive paths for Windows game compatibility.
# Wine/Proton uses it for NTFS-like path semantics on ext4/f2fs.
#
# Source: kernel.org/doc/html/latest/filesystems/fscrypt.html
#         kernel.org/doc/html/latest/filesystems/fsverity.html
# ==============================================================
# FS_ENCRYPTION: Per-file encryption infrastructure (fscrypt).
# Used by ext4 -O encrypt, f2fs, ubifs.
# Android, ChromeOS, and some enterprise ext4 setups require it.
CONFIG_FS_ENCRYPTION=y
# FS_VERITY: Per-file Merkle-tree integrity verification.
# Used by Android APK verification, Chromium, and flatpak.
CONFIG_FS_VERITY=y
# FS_VERITY_BUILTIN_SIGNATURES: Allow verity signatures verified
# against the kernel keyring -- useful for IPE integration.
CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y
# UNICODE: NFC UTF-8 folding table for case-insensitive lookups.
# Required by ext4 -O casefold and f2fs -o extent_cache.
CONFIG_UNICODE=y
CONFIG_UNICODE_UTF8_DATA=y

# ==============================================================
# VIRTUALIZATION & CONTAINER HARDENING (The "Zero-Leak" Goal)
# vhost-net: zero-copy virtio-net backend in the kernel.
#   Avoids a context switch per packet vs QEMU userspace backend.
#   Essential for VMs running at >5 Gbps throughput.
# VSOCK: host<->guest communication without a network stack.
#   Used by Waydroid ADB, Docker Desktop, WSL2-style interfaces.
# Source: kernel.org/doc/html/latest/virt/vsock.html
# ==============================================================
CONFIG_VHOST_NET=y
CONFIG_VHOST_IOTLB=y
CONFIG_VHOST_VSOCK=y
CONFIG_VSOCKETS=y
CONFIG_VSOCKETS_DIAG=y
CONFIG_VSOCK_LOOPBACK=y

# ==============================================================
# RECLAIM & MEMORY COMPACTION
# ZRAM_MULTI_COMP: Allows two compression streams per zram device.
# Use ZSTD as the primary stream (best ratio) and LZ4 for the
# writeback secondary stream (fastest decompression under pressure).
# On a 32 GB system with swap = 8 GB ZRAM, this recovers ~2-3 GB
# of additional physical RAM compared to single-stream ZSTD.
#
# Source: lore.kernel.org/linux-mm/
#         zram documentation: Documentation/admin-guide/blockdev/zram.rst
# ==============================================================
CONFIG_ZRAM=y
CONFIG_ZRAM_WRITEBACK=y
CONFIG_ZRAM_MULTI_COMP=y
# Primary compression algorithm for zram (best ratio at reasonable speed)
CONFIG_ZRAM_DEF_COMP_ZSTD=y
CONFIG_ZRAM_DEF_COMP="zstd"
# LZ4HC secondary stream: better ratio than plain LZ4, still 2–3x
# faster decompression than ZSTD under extreme memory pressure.
# With ZRAM_MULTI_COMP=y, LZ4HC handles the writeback secondary tier.
# Net result on 32 GB system: recovers ~3 GB vs single-stream ZSTD.
CONFIG_ZRAM_DEF_COMP2="lz4hc"

# ==============================================================
# SECURITY: LANDLOCK & IPE (Integrity Policy Enforcement)
# Landlock: per-process filesystem sandboxing via syscall.
#   Unlike AppArmor/SELinux, Landlock is unprivileged and
#   application-driven -- any process can sandbox itself.
#   Used by Flatpak, systemd-run --property=, bubblewrap.
#   Source: kernel.org/doc/html/latest/security/landlock.html
#
# IPE (Integrity Policy Enforcement Engine):
#   Policy-based access control tied to dm-verity and fs-verity
#   boot integrity measurements. Allows enforcing that only
#   code from verified (signed/measured) filesystems executes.
#   The standard for endpoint integrity in 2026 enterprise Linux.
#   Source: kernel.org/doc/html/latest/admin-guide/ipe.html
#           github.com/microsoft/ipe
# ==============================================================
CONFIG_SECURITY_LANDLOCK=y
# IPE: Integrity Policy Enforcement
# Enforces code execution policies based on boot-time verified
# filesystem integrity. Works with dm-verity + FS_VERITY above.
CONFIG_SECURITY_IPE=y
# IPE_PROP_BOOT_VERIFIED: Expose dm-verity boot-verified property
# to IPE policy -- allows "only execute from verified root" rules.
CONFIG_IPE_PROP_BOOT_VERIFIED=y
CONFIG_IPE_PROP_DM_VERITY=y
CONFIG_IPE_PROP_FS_VERITY=y
CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG=y

# ==============================================================
# DEBUGGING -- OPTIMIZED OUT
# We retain symbol tables and stack traces (needed for bpftrace,
# perf, and crash analysis) but disable all performance-killing
# correctness-checking options that belong in development kernels
# only. These checks can add 5-50% overhead to hot paths.
#
# Rule: if it fires on correct code, it is disabled.
#       if it only fires on bugs and costs nothing on clean paths,
#       it stays on (e.g. LOCKUP_DETECTOR, PSI, pstore).
#
# Source: kernel.org/doc/html/latest/dev-tools/kasan.html
#         CachyOS and XanMod both disable these for production.
# ==============================================================
# These are already NOT set in the base config but are explicitly
# documented here so reviewers know the decision was intentional:
# CONFIG_DEBUG_PREEMPT is not set      -- adds ~3% syscall overhead
# CONFIG_PROVE_LOCKING is not set      -- lockdep: ~40% overhead
# CONFIG_DEBUG_ATOMIC_SLEEP is not set -- kills audio RT threads
# CONFIG_DEBUG_VM is not set           -- per-page overhead
# CONFIG_KASAN is not set              -- 2x memory overhead
# CONFIG_UBSAN is not set              -- codegen bloat

# STACKTRACE: Always-on call chain recording.
# Required by perf, bpftrace, BPF stack_id maps, and crash dumps.
# Cost: ~0 at runtime (only activated on perf/BPF calls or crash).
CONFIG_STACKTRACE=y

# ==============================================================
# NETWORKING & USB TETHERING STACK -- ULTIMATE TIER (2026 NETWORKING PASS)
# Comprehensive support for USB RNDIS/CDC, WiFi, Ethernet, Modern Networking
# Merged from: pasted document, CachyOS, Fedora, kernel.org, web surveys 2024-2025
# Goal: ZERO networking connectivity failures - universal driver support
# Source: Arch Linux, Gentoo Wiki, kernel.org/doc, kernel.org/drivers, lkddb, GitHub
# ==============================================================

# CRITICAL USB TETHERING & CDC STACK
# Stack foundation: Hardware -> USB HCD -> usbnet framework -> protocol drivers -> network interface
CONFIG_USB_NET_DRIVERS=y
CONFIG_USB_USBNET=y
CONFIG_MII=y

# RNDIS: Remote Network Driver Interface Specification (Microsoft, proprietary)
# Status: Deprecated (Greg Kroah-Hartman, Dec 2024) but CRITICAL for legacy Android
# Impact: Android devices <2024 almost exclusively use RNDIS for USB tethering
# Fact: Without this, older/mid-range Android phones cannot tether to Linux
CONFIG_USB_NET_RNDIS_HOST=y

# CDC Alternatives - Standardized USB Communications Device Class
# CDC-ECM: Ethernet Control Model (traditional, good cross-platform compatibility)
CONFIG_USB_NET_CDCETHER=y

# CDC-NCM: Network Control Model (modern, efficient, frame grouping, alignment options)
# Recommendation: Primary for Android 14+, MacOS, Windows 11 USB devices
CONFIG_USB_NET_CDC_NCM=y

# CDC-EEM: Ethernet Emulation Model (lightweight, for underpowered embedded systems)
CONFIG_USB_NET_CDC_EEM=y

# CDC-MBIM: Mobile Broadband Interface Model (4G/5G cellular modems, LTE hotspots)
CONFIG_USB_NET_CDC_MBIM=y

# QMI WWAN: Qualcomm Mobile Interface (Qualcomm-based cellular modems, MDM9xxx)
CONFIG_USB_NET_QMI_WWAN=y

# Huawei CDC NCM - Vendor-specific extension for Huawei 4G/5G modems
CONFIG_USB_NET_HUAWEI_CDC_NCM=y

# CDC Subset - Generic fallback for non-compliant or legacy USB Ethernet devices
CONFIG_USB_NET_CDC_SUBSET=y

# ==============================================================
# USB ETHERNET ADAPTERS - Popular external USB NIC chipsets
# These are critical for laptops without Ethernet ports connecting to wired networks
# ==============================================================
CONFIG_USB_NET_AX8817X=y         # ASIX AX88xxx (ubiquitous budget USB Ethernet)
CONFIG_USB_NET_AX88179_178A=y    # ASIX AX88179/AX88178A (gigabit USB adapters)
CONFIG_USB_NET_DM9601=y          # Davicom DM9601 (legacy but still in market)
CONFIG_USB_NET_SR9700=y          # CoreChip SR9700 (100Mbps USB)
CONFIG_USB_NET_SR9800=y          # CoreChip SR9800 (gigabit USB)
CONFIG_USB_NET_SMSC75XX=y        # SMAC LAN75xx (USB gigabit, modern devices)
CONFIG_USB_NET_SMSC95XX=y        # SMAC LAN95xx (USB Fast Ethernet 100Mbps)
CONFIG_USB_NET_CH9200=y          # WinChip CH9200 (legacy)
CONFIG_USB_NET_ZAURUS=y          # Zaurus / PDA devices (historical)
CONFIG_USB_NET_PLUSB=y           # Prolific PL-2301/2302 cables (peer-to-peer)

# ==============================================================
# WIRELESS SUBSYSTEM CORE & MAC80211 INFRASTRUCTURE
# Foundation for all WiFi drivers (802.11 standards compliance layer)
# ==============================================================
CONFIG_WLAN=y
CONFIG_MAC80211=y                # Core WiFi 802.11 MAC management
CONFIG_CFG80211=y                # Configuration/wireless extensions subsystem
CONFIG_CFG80211_WEXT=y           # Wireless extensions (legacy userspace compatibility)
CONFIG_CFG80211_WEXT_EXPORT=y    # Export wext through netlink
CONFIG_CFG80211_USE_KERNEL_REGDB_KEYS=y # Kernel regulatory database key verification
CONFIG_MAC80211_MESH=y           # Mesh networking (11s)
CONFIG_RFKILL=y                  # Hardware/software RF kill switches and soft-blocking
CONFIG_RFKILL_INPUT=y            # Input device handling for RF kill

# ==============================================================
# INTEL WIRELESS DRIVERS (iwlwifi, DVM, MVM stacks)
# Supports: 802.11a/b/g/n/ac/ax (WiFi 6), ultrabooks, modern laptops, enterprise
# Models: 7260, 8260, 9260, AX200, AX210, etc.
# ==============================================================
CONFIG_WLAN_VENDOR_INTEL=y
CONFIG_IWLWIFI=y
CONFIG_IWLWIFI_OPMODE_MODULAR=y  # Modular operation modes (STA, AP, Monitor)
CONFIG_IWLDVM=y                  # DVM: Legacy firmware architecture support
CONFIG_IWLMVM=y                  # MVM: Modern firmware, WiFi 6+, better power management
CONFIG_IWLWIFI_DEBUGFS=y         # Debug filesystem for diagnostics
CONFIG_IWLWIFI_BCAST_FILTERING=y # Broadcast filtering (power save)
CONFIG_IWLWIFI_UAPSD=y           # U-APSD power save mechanism
CONFIG_IWLWIFI_P2P=y             # Peer-to-Peer WiFi Direct support

# ==============================================================
# REALTEK WIRELESS DRIVERS (RTL8xxx/RTL88xx series - ubiquitous budget hardware)
# Covers: USB WiFi adapters, laptop integrated cards, cheap dongles
# ==============================================================
CONFIG_WLAN_VENDOR_REALTEK=y
CONFIG_RTL8187=y                 # RTL8187: Legacy 802.11b/g USB WiFi adapter
CONFIG_RTL8192CU=y               # RTL8192CU: 802.11n USB (Android tablets, budget dongles)
CONFIG_RTL8192CE=y               # RTL8192CE: 802.11n PCIe WiFi
CONFIG_RTL8723AE=y               # RTL8723AE: Combo WiFi+BT (Intel Atom-based tablets)
CONFIG_RTL8723BE=y               # RTL8723BE: Modern 802.11ac PCIe card
CONFIG_RTL8821AE=y               # RTL8821AE: 802.11ac+ PCIe (gaming laptops)
CONFIG_RTL8821CE=y               # RTL8821CE: Latest 802.11ac+BT (modern budget hardware)
CONFIG_RTL8XXXU=y                # RTL8XXXU: Generic driver for RTL81xx/82xx/88xx USB
CONFIG_RTL8723BS=y               # RTL8723BS: Common Chromebooks and budget laptops
CONFIG_RTL88XXAU=y               # RTL88xxAU: Bleeding-edge USB WiFi 6 adapters

# ==============================================================
# ATHEROS WIRELESS DRIVERS (QCA/Qualcomm Atheros - enterprise & gaming grade)
# Covers: AR5xxx, AR9xxx, AR10xx, QCA988x, QCA6174, QCA6391, QCA6390, QCA639x
# ==============================================================
CONFIG_WLAN_VENDOR_ATH=y
CONFIG_ATH_COMMON=y
CONFIG_ATH5K=y                   # ATH5K: Older Atheros 802.11a/b/g (AR5xxx series)
CONFIG_ATH5K_AHB=y               # ATH5K AHB memory bus support
CONFIG_ATH5K_PCI=y               # ATH5K PCI bus support
CONFIG_ATH9K=y                   # ATH9K: Modern 802.11n/ac (AR9xxx, AR10xx - most common)
CONFIG_ATH9K_PCI=y               # ATH9K PCI support
CONFIG_ATH9K_DEBUGFS=y           # ATH9K debug interface
CONFIG_ATH9K_DYNACK=y            # Dynamic ACK timeout optimization
CONFIG_ATH9K_DFS=y               # Dynamic Frequency Selection (5GHz regulatory)
CONFIG_ATH9K_STATION_STATISTICS=y # Per-station stats
CONFIG_ATH10K=y                  # ATH10K: 802.11ac Wave 1 (QCA988x, QCA6174)
CONFIG_ATH10K_PCI=y              # ATH10K PCI support
CONFIG_ATH10K_USB=y              # ATH10K USB (rare but supported)
CONFIG_ATH10K_SDIO=y             # ATH10K SDIO (tablets, embedded systems)
CONFIG_ATH10K_DEBUGFS=y          # ATH10K debug interface
CONFIG_ATH10K_TRACING=y          # ATH10K kernel tracing support
CONFIG_ATH10K_DFS=y              # ATH10K DFS support
CONFIG_ATH11K=y                  # ATH11K: 802.11ax WiFi 6 (QCA6390, QCA6174)
CONFIG_ATH11K_PCI=y              # ATH11K PCI support
CONFIG_ATH12K=y                  # ATH12K: 802.11be WiFi 7 (QCA6391, newest generation)
CONFIG_ATH12K_PCI=y              # ATH12K PCI support

# ==============================================================
# BROADCOM WIRELESS DRIVERS (legacy wl + open-source b43)
# Covers: BCM43xx, BCM43455, BCM4375, BCM4377 (Apple, Lenovo, Dell)
# ==============================================================
CONFIG_WLAN_VENDOR_BROADCOM=y
CONFIG_B43=y                     # B43: Open-source Broadcom driver (older BCM43xx chipsets)
CONFIG_B43_PCI=y                 # B43 PCI support
CONFIG_B43_PCICORE_HOSTMODE=y    # B43 PCIe host mode
CONFIG_B43_DEBUG=y               # B43 debug interface
CONFIG_BRCMFMAC=y                # BRCMFMAC: Modern open Broadcom driver (BCM43455+)
CONFIG_BRCMFMAC_PROTO_BCDC=y     # BRCMFMAC BCDC protocol (older firmware)
CONFIG_BRCMFMAC_PROTO_MSGBUF=y   # BRCMFMAC Message Buffer protocol (modern)
CONFIG_BRCMFMAC_PCIE=y           # BRCMFMAC PCIe support (modern laptops)
CONFIG_BRCMFMAC_USB=y            # BRCMFMAC USB support (USB WiFi adapters)
CONFIG_BRCMFMAC_SDIO=y           # BRCMFMAC SDIO support (tablets, Raspberry Pi)
CONFIG_BRCMFMAC_POWER_SAVE=y     # BRCMFMAC power save modes
CONFIG_BRCMFMAC_FEATURE_DISABLE=y # BRCMFMAC feature disabling mechanism

# ==============================================================
# MEDIATEK / RALINK WIRELESS (MTK, RT2x, RT5x, MT7xxx series)
# Covers: MT7915, MT7921, MT7612, RT3070, RT5370, and others
# ==============================================================
CONFIG_WLAN_VENDOR_MEDIATEK=y
CONFIG_MT7915E=y                 # MediaTek MT7915: 802.11ax WiFi 6 (modern)
CONFIG_MT7921E=y                 # MediaTek MT7921: 802.11ax WiFi 6 (newer generation)
CONFIG_MT7921U=y                 # MediaTek MT7921U: USB WiFi 6 adapter
CONFIG_MT76_CORE=y               # MT76 core driver infrastructure
CONFIG_MT76_USB=y                # MT76 USB support
CONFIG_MT76_SDIO=y               # MT76 SDIO support (tablets)
CONFIG_MT76_MMIO=y               # MT76 memory-mapped IO support

# ==============================================================
# MARVELL WIRELESS (Libertas series - presently rare)
# ==============================================================
CONFIG_WLAN_VENDOR_MARVELL=y
CONFIG_MWIFIEX=y                 # Marvell WiFi EXtensible driver
CONFIG_MWIFIEX_SDIO=y            # MWIFIEX SDIO support
CONFIG_MWIFIEX_PCIE=y            # MWIFIEX PCIe support
CONFIG_MWIFIEX_USB=y             # MWIFIEX USB support

# ==============================================================
# RALINK LEGACY & OTHER VENDORS (Cisco Aironet, etc.)
# ==============================================================
CONFIG_WLAN_VENDOR_RALINK=y
CONFIG_RT2800USB=y               # Ralink RT2800 USB (older USB WiFi dongles, still in use)
CONFIG_RT2800PCI=y               # Ralink RT2800 PCI
CONFIG_WLAN_VENDOR_CISCO=y       # Cisco Aironet wireless
CONFIG_WLAN_VENDOR_ST=y          # STMicroelectronics wireless

# ==============================================================
# ETHERNET DRIVERS - LOCAL AREA NETWORKING (wired connections)
# Covers: Gigabit, 10G, 25G, 40G, 100G high-speed NIC support
# ==============================================================
CONFIG_ETHERNET=y
CONFIG_NET_VENDOR_INTEL=y
CONFIG_E1000=y                   # Intel e1000: Legacy Gigabit NICs (82540, 82545, 82546)
CONFIG_E1000E=y                  # Intel e1000e: Modern Gigabit (82563/6/7, 82571-83, I217/I218/I219)
CONFIG_IGB=y                     # Intel IGB: Gigabit+ server NICs (82576, 82580, 82599, X540, X550)
CONFIG_IXGBE=y                   # Intel IXGBE: 10 Gigabit+ (X520, X540, X550, X710)
CONFIG_I40E=y                    # Intel i40e: 10/25/40 Gigabit+ (XL710, X710, Ethernet 800)
CONFIG_ICE=y                     # Intel ICE: Newest ultra-high-speed (E810, 10/25/50/100 Gbps)
CONFIG_NET_VENDOR_REALTEK=y
CONFIG_R8169=y                   # Realtek RTL8111/8168: PCIe Gigabit (ubiquitous on consumer boards)
CONFIG_R8125=y                   # Realtek RTL8125: 2.5 Gigabit (modern consumer motherboards)
CONFIG_NET_VENDOR_BROADCOM=y
CONFIG_TIGON3=y                  # Broadcom Tigon3: 10/100/1000 Mbps (enterprise servers)
CONFIG_BNX2=y                    # Broadcom NetXtreme II: Gigabit+ (high-end servers)
CONFIG_BNXT_EN=y                 # Broadcom BNXT: NetXtreme-E (modern 10G+ enterprise)
CONFIG_NET_VENDOR_MARVELL=y      # Marvell/Cavium Ethernet controllers
CONFIG_NET_VENDOR_AQUANTIA=y     # Aquantia multi-gigabit NICs
CONFIG_AQTION=y                  # AQC Aquantia 5/10/25 Gigabit (gaming, content creation)
CONFIG_NET_VENDOR_CAVIUM=y       # Cavium (now part of Marvell) high-speed adapters
CONFIG_NET_VENDOR_STMICRO=y      # STMicroelectronics embedded Ethernet
CONFIG_STMMAC_ETH=y              # STMicroelectronics MAC driver
CONFIG_NET_VENDOR_SUN=y          # Sun (historical but kept for compatibility)
CONFIG_NET_VENDOR_HUAWEI=y       # Huawei high-speed data center NICs

# ==============================================================
# USB HID & SERIAL - USB device identification and diagnostics
# ==============================================================
CONFIG_USB_HID=y                 # USB Human Interface Devices
CONFIG_USB_HIDDEV=y              # USB HID raw device interface
CONFIG_HID=y                     # HID core subsystem
CONFIG_HID_GENERIC=y             # Generic HID driver
CONFIG_USB_SERIAL=y              # USB serial port emulation
CONFIG_USB_SERIAL_GENERIC=y      # Generic USB serial driver
CONFIG_USB_SERIAL_OPTION=y       # Option Semiconductor (Huawei/ZTE modems, routers)

# ==============================================================
# ADVANCED USB CONTROLLER SUPPORT (all host controller types)
# Ensures USB 3.0, USB 2.0, and USB 1.1 device compatibility
# ==============================================================
CONFIG_USB_XHCI_HCD=y            # eXtensible Host Controller (USB 3.0/3.1/USB 3.1+)
CONFIG_USB_XHCI_PCI=y            # XHCI PCI support (most common desktop/laptop)
CONFIG_USB_XHCI_PLATFORM=y       # XHCI platform support (embedded systems)
CONFIG_USB_EHCI_HCD=y            # Enhanced Host Controller Interface (USB 2.0)
CONFIG_USB_EHCI_PCI=y            # EHCI PCI support
CONFIG_USB_EHCI_PLATFORM=y       # EHCI platform support
CONFIG_USB_OHCI_HCD=y            # Open Host Controller Interface (USB 1.1, legacy)
CONFIG_USB_OHCI_PCI=y            # OHCI PCI support
CONFIG_USB_OHCI_PLATFORM=y       # OHCI platform support (embedded, ARM boards)
CONFIG_USB_UHCI_HCD=y            # Universal Host Controller Interface (USB 1.1)
CONFIG_USB_ANNOUNCE_NEW_DEVICES=y # Log new USB device connections

# ==============================================================
# ADVANCED NETWORKING OPTIONS FOR QUALITY OF LIFE
# Infrastructure for modern networking applications
# ==============================================================
CONFIG_NET_PACKET=y              # Packet sockets (raw packet capture)
CONFIG_PACKET=y                  # Packet protocol family
CONFIG_PACKET_DIAG=y             # Packet diagnostic interface
CONFIG_NETLINK_DIAG=y            # Netlink diagnostic interface
CONFIG_NETFILTER=y               # iptables/netfilter (firewalls, NAT, QoS)
CONFIG_NETFILTER_ADVANCED=y      # Advanced netfilter options
CONFIG_BRIDGE=y                  # Ethernet bridging (virtual switches, KVM, Docker)
CONFIG_BRIDGE_IGMP_SNOOPING=y    # IGMP snooping (multicast optimization in bridges)
CONFIG_VLAN_8021Q=y              # VLAN 802.1Q tagging (enterprise, containers)
CONFIG_VLAN_8021Q_GVRP=y         # GARP VLAN Registration Protocol
CONFIG_VLAN_8021Q_MVRP=y         # Multiple VLAN Registration Protocol
CONFIG_TUN=y                     # TUN device (OpenVPN, WireGuard, Tailscale, etc.)
CONFIG_VETH=y                    # Virtual Ethernet pairs (container networking, bridges)
CONFIG_NETDEVICES_STATISTICS=y   # Network device statistics
CONFIG_SLHC=y                    # Serial Line IP compression (modem connections)
CONFIG_PPPOE=y                   # PPP over Ethernet (ISP dial-up)
CONFIG_PPPOL2TP=y                # PPP over L2TP (VPN tunneling)
CONFIG_PPPOE_FILTER=y            # PPPoE filtering
CONFIG_BRIDGE_NF_EBTABLES=y      # Bridge netfilter tables (advanced bridge filtering)
CONFIG_NETWORK_PHY_TIMESTAMPING=y # PHY-level timestamping for PTP

# ==============================================================
# FIRMWARE LOADING & CALIBRATION INFRASTRUCTURE
# Critical for WiFi regulatory compliance and device initialization
# ==============================================================
CONFIG_FW_LOADER=y               # Firmware loading infrastructure
CONFIG_FW_LOADER_USER_HELPER=y   # User-helper fallback for firmware
CONFIG_EXTRA_FIRMWARE=y          # Include firmware in kernel binary (optional)
CONFIG_FIRMWARE_IN_KERNEL=y      # Keep firmware sources accessible at runtime

# ==============================================================
# MODERN NETWORKING FEATURES (5.0+ kernel innovations)
# ==============================================================
CONFIG_TCP_CONG_BBR=y            # BBR congestion control (Google's modern algorithm)
CONFIG_TCP_CONG_CUBIC=y          # CUBIC (fallback algorithm)
CONFIG_TCP_CONG_WESTWOOD=y       # Westwood+ (alternate algorithm)
CONFIG_SOCK_CGROUP_DATA=y        # Socket cgroup data (cgroups-v2 traffic shaping)
CONFIG_BPF_SYSCALL=y             # eBPF syscall (eBPF programs, container networking)
CONFIG_HAVE_EBPF_JIT=y           # eBPF JIT compilation support
CONFIG_BPF_JIT=y                 # eBPF Just-In-Time compiler
CONFIG_BPF_JIT_ALWAYS_ON=y       # Always use JIT (no interpreter fallback)
CONFIG_MPTCP=y                   # Multipath TCP (mobile handover, link aggregation)
CONFIG_LWTUNNEL=y                # Lightweight tunneling infrastructure
CONFIG_LWTUNNEL_BPF=y            # BPF-based lightweight tunneling

# ==============================================================
# NETWORK QUALITY OF SERVICE (QoS) & BUFFER MANAGEMENT
# Critical for WiFi, mobile, and congested network optimization
# ==============================================================
CONFIG_NET_SCHED=y               # Network scheduling (QoS)
CONFIG_NET_SCH_CODEL=y           # CoDel queue discipline (modern buffer management)
CONFIG_NET_SCH_FQ_CODEL=y        # Fair Queue CoDel (excellent mixed traffic handling)
CONFIG_NET_SCH_FQ=y              # Fair Queue (WiFi and cellular optimization)
CONFIG_NET_SCH_PRIO=y            # Priority queue (traffic prioritization)
CONFIG_NET_CLS_CGROUP=y          # Cgroup-based traffic classification (container QoS)

# ==============================================================
# IPv6 & MODERN IP FEATURES (future internet compatibility)
# ==============================================================
CONFIG_IPV6=y                    # IPv6 protocol stack
CONFIG_IPV6_ROUTER_PREF=y        # IPv6 Router Preference (RFC 4191)
CONFIG_IPV6_ROUTE_INFO=y         # IPv6 Route Information (RFC 4191)
CONFIG_IPV6_OPTIMISTIC_DAD=y     # Optimistic Duplicate Address Detection
CONFIG_IPV6_MIP6=y               # Mobile IPv6 support
CONFIG_IPV6_MULTIPLE_TABLES=y    # Policy-based routing for IPv6
CONFIG_NETFILTER_XT_MATCH_IPRANGE=y # IP range matching (firewalls)

# ==============================================================
# MULTICAST & SERVICE DISCOVERY (mDNS, SSDP, UPnP)
# Infrastructure for local network discovery and service announcement
# ==============================================================
CONFIG_IP_MULTICAST=y            # IP multicast support
CONFIG_IP_MROUTE=y               # IP multicast routing
CONFIG_IP_MROUTE_MULTIPLE_TABLES=y # Multiple multicast routing tables
CONFIG_IPV6_MROUTE=y             # IPv6 multicast routing
CONFIG_IGMP_SNOOPING=y           # IGMP snooping (multicast optimization)

# ==============================================================
# ADVANCED PACKET FILTERING & INSPECTION (IDS/DPI, firewalls)
# For network intrusion detection and deep packet inspection
# ==============================================================
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y  # Connection byte matching
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y  # Connection tracking matching
CONFIG_NETFILTER_XT_MATCH_MARK=y       # Packet mark matching
CONFIG_NETFILTER_XT_TARGET_MARK=y      # Packet mark setting
CONFIG_NETFILTER_XT_TARGET_LOG=y       # Packet logging target
CONFIG_NF_CONNTRACK=y                  # Connection tracking (firewall state)
CONFIG_NF_CONNTRACK_ZONES=y            # Connection tracking zones (isolation)
CONFIG_NF_CONNTRACK_EVENTS=y           # Connection tracking events (userspace notification)

# ==============================================================
# v2.2.4 -- COMPREHENSIVE CHANGELOG (Performance + Networking + Security Pass)
#
# Additions in the 2026 integrated performance/networking/security pass:
#
# >>>>>>>>>> ULTIMATE NETWORKING STACK (Jan-Mar 2026) <<<<<<<<<
#   USB TETHERING & CDC PROTOCOLS:
#   + CONFIG_USB_NET_DRIVERS=y                    (USB network driver core)
#   + CONFIG_USB_USBNET=y                         (USB network framework)
#   + CONFIG_USB_NET_RNDIS_HOST=y                 (RNDIS Android tethering)
#   + CONFIG_USB_NET_CDCETHER=y                   (CDC Ethernet ECM)
#   + CONFIG_USB_NET_CDC_NCM=y                    (CDC NCM modern protocol)
#   + CONFIG_USB_NET_CDC_EEM=y                    (CDC Ethernet Emulation)
#   + CONFIG_USB_NET_CDC_MBIM=y                   (Mobile Broadband Interface)
#   + CONFIG_USB_NET_QMI_WWAN=y                   (Qualcomm mobile modems)
#   + CONFIG_USB_NET_HUAWEI_CDC_NCM=y             (Huawei 4G/5G support)
#   + CONFIG_USB_NET_CDC_SUBSET=y                 (CDC fallback subset)
#
#   USB ETHERNET ADAPTERS:
#   + CONFIG_USB_NET_AX8817X=y                    (ASIX USB Ethernet)
#   + CONFIG_USB_NET_AX88179_178A=y               (ASIX gigabit USB)
#   + CONFIG_USB_NET_DM9601=y                     (Davicom adapters)
#   + CONFIG_USB_NET_SR9700=y                     (CoreChip 100Mbps)
#   + CONFIG_USB_NET_SR9800=y                     (CoreChip gigabit)
#   + CONFIG_USB_NET_SMSC75XX=y                   (SMAC gigabit)
#   + CONFIG_USB_NET_SMSC95XX=y                   (SMAC 100Mbps)
#   + CONFIG_USB_NET_CH9200=y                     (WinChip USB Ethernet)
#   + CONFIG_USB_NET_ZAURUS=y                     (Zaurus/PDA devices)
#   + CONFIG_USB_NET_PLUSB=y                      (Prolific cables)
#   + CONFIG_MII=y                                (Media Independent Interface)
#
#   WIRELESS CORE:
#   + CONFIG_WLAN=y                               (WiFi subsystem)
#   + CONFIG_MAC80211=y                           (802.11 MAC layer)
#   + CONFIG_CFG80211=y                           (WiFi configuration core)
#   + CONFIG_CFG80211_WEXT=y                      (Wireless extensions legacy)
#   + CONFIG_CFG80211_USE_KERNEL_REGDB_KEYS=y    (Regulatory database)
#   + CONFIG_MAC80211_MESH=y                      (Mesh networking 802.11s)
#   + CONFIG_RFKILL=y                             (RF kill switches)
#   + CONFIG_RFKILL_INPUT=y                       (RF kill input handling)
#
#   INTEL WIRELESS (iwlwifi, 802.11a/b/g/n/ac/ax):
#   + CONFIG_WLAN_VENDOR_INTEL=y                  (Intel WiFi support)
#   + CONFIG_IWLWIFI=y                            (Intel WiFi driver)
#   + CONFIG_IWLWIFI_OPMODE_MODULAR=y             (Modular operation modes)
#   + CONFIG_IWLDVM=y                             (Legacy DVM firmware)
#   + CONFIG_IWLMVM=y                             (Modern MVM + WiFi 6)
#   + CONFIG_IWLWIFI_DEBUGFS=y                    (Debug interface)
#   + CONFIG_IWLWIFI_BCAST_FILTERING=y            (Broadcast filtering)
#   + CONFIG_IWLWIFI_UAPSD=y                      (U-APSD power save)
#   + CONFIG_IWLWIFI_P2P=y                        (WiFi Direct P2P)
#
#   REALTEK WIRELESS (RTL8xxx budget hardware):
#   + CONFIG_WLAN_VENDOR_REALTEK=y                (Realtek WiFi)
#   + CONFIG_RTL8187=y                            (RTL8187 legacy USB)
#   + CONFIG_RTL8192CU=y                          (RTL8192CU USB 802.11n)
#   + CONFIG_RTL8192CE=y                          (RTL8192CE PCIe)
#   + CONFIG_RTL8723AE=y                          (RTL8723AE combo WiFi+BT)
#   + CONFIG_RTL8723BE=y                          (RTL8723BE 802.11ac)
#   + CONFIG_RTL8821AE=y                          (RTL8821AE 802.11ac+)
#   + CONFIG_RTL8821CE=y                          (RTL8821CE latest)
#   + CONFIG_RTL8XXXU=y                           (RTL8xxx generic USB)
#   + CONFIG_RTL8723BS=y                          (RTL8723BS Chromebooks)
#   + CONFIG_RTL88XXAU=y                          (RTL88xx WiFi 6 USB)
#
#   ATHEROS WIRELESS (QCA, enterprise-grade):
#   + CONFIG_WLAN_VENDOR_ATH=y                    (Atheros WiFi core)
#   + CONFIG_ATH_COMMON=y                         (ATH common infrastructure)
#   + CONFIG_ATH5K=y                              (ATH5K 802.11a/b/g)
#   + CONFIG_ATH5K_AHB=y                          (ATH5K AHB bus)
#   + CONFIG_ATH5K_PCI=y                          (ATH5K PCI bus)
#   + CONFIG_ATH9K=y                              (ATH9K 802.11n/ac)
#   + CONFIG_ATH9K_PCI=y                          (ATH9K PCI support)
#   + CONFIG_ATH9K_DEBUGFS=y                      (ATH9K debug)
#   + CONFIG_ATH9K_DYNACK=y                       (ATH9K dynamic ACK)
#   + CONFIG_ATH9K_DFS=y                          (ATH9K DFS 5GHz)
#   + CONFIG_ATH9K_STATION_STATISTICS=y           (ATH9K per-station stats)
#   + CONFIG_ATH10K=y                             (ATH10K 802.11ac Wave 1)
#   + CONFIG_ATH10K_PCI=y                         (ATH10K PCI)
#   + CONFIG_ATH10K_USB=y                         (ATH10K USB rare)
#   + CONFIG_ATH10K_SDIO=y                        (ATH10K SDIO tablets)
#   + CONFIG_ATH10K_DEBUGFS=y                     (ATH10K debug)
#   + CONFIG_ATH10K_TRACING=y                     (ATH10K tracing)
#   + CONFIG_ATH10K_DFS=y                         (ATH10K DFS)
#   + CONFIG_ATH11K=y                             (ATH11K WiFi 6 802.11ax)
#   + CONFIG_ATH11K_PCI=y                         (ATH11K PCI)
#   + CONFIG_ATH12K=y                             (ATH12K WiFi 7 802.11be)
#   + CONFIG_ATH12K_PCI=y                         (ATH12K PCI)
#
#   BROADCOM WIRELESS (BCM43xx):
#   + CONFIG_WLAN_VENDOR_BROADCOM=y               (Broadcom WiFi core)
#   + CONFIG_B43=y                                (B43 open-source driver)
#   + CONFIG_B43_PCI=y                            (B43 PCI support)
#   + CONFIG_B43_PCICORE_HOSTMODE=y               (B43 PCIe host mode)
#   + CONFIG_B43_DEBUG=y                          (B43 debug interface)
#   + CONFIG_BRCMFMAC=y                           (BRCMFMAC modern driver)
#   + CONFIG_BRCMFMAC_PROTO_BCDC=y                (BRCMFMAC BCDC)
#   + CONFIG_BRCMFMAC_PROTO_MSGBUF=y              (BRCMFMAC msgbuf)
#   + CONFIG_BRCMFMAC_PCIE=y                      (BRCMFMAC PCIe)
#   + CONFIG_BRCMFMAC_USB=y                       (BRCMFMAC USB)
#   + CONFIG_BRCMFMAC_SDIO=y                      (BRCMFMAC SDIO)
#   + CONFIG_BRCMFMAC_POWER_SAVE=y                (BRCMFMAC power save)
#   + CONFIG_BRCMFMAC_FEATURE_DISABLE=y           (BRCMFMAC feature ctrl)
#
#   MEDIATEK WIRELESS (MT7915, MT7921 WiFi 6):
#   + CONFIG_WLAN_VENDOR_MEDIATEK=y               (MediaTek WiFi core)
#   + CONFIG_MT7915E=y                            (MT7915 802.11ax)
#   + CONFIG_MT7921E=y                            (MT7921 WiFi 6)
#   + CONFIG_MT7921U=y                            (MT7921U USB WiFi 6)
#   + CONFIG_MT76_CORE=y                          (MT76 core driver)
#   + CONFIG_MT76_USB=y                           (MT76 USB)
#   + CONFIG_MT76_SDIO=y                          (MT76 SDIO)
#   + CONFIG_MT76_MMIO=y                          (MT76 memory-mapped IO)
#
#   OTHER WIRELESS (Marvell, Ralink, Cisco):
#   + CONFIG_WLAN_VENDOR_MARVELL=y                (Marvell WiFi)
#   + CONFIG_MWIFIEX=y                            (MWIFIEX driver)
#   + CONFIG_MWIFIEX_SDIO=y                       (MWIFIEX SDIO)
#   + CONFIG_MWIFIEX_PCIE=y                       (MWIFIEX PCIe)
#   + CONFIG_MWIFIEX_USB=y                        (MWIFIEX USB)
#   + CONFIG_WLAN_VENDOR_RALINK=y                 (Ralink legacy)
#   + CONFIG_RT2800USB=y                          (RT2800 USB)
#   + CONFIG_RT2800PCI=y                          (RT2800 PCI)
#   + CONFIG_WLAN_VENDOR_CISCO=y                  (Cisco Aironet)
#   + CONFIG_WLAN_VENDOR_ST=y                     (STMicroelectronics)
#
#   ETHERNET DRIVERS (wired networking):
#   + CONFIG_ETHERNET=y                           (Ethernet core)
#   + CONFIG_NET_VENDOR_INTEL=y                   (Intel NICs)
#   + CONFIG_E1000=y                              (Intel e1000 legacy gigabit)
#   + CONFIG_E1000E=y                             (Intel e1000e modern gigabit)
#   + CONFIG_IGB=y                                (Intel IGB gigabit+)
#   + CONFIG_IXGBE=y                              (Intel IXGBE 10 gigabit+)
#   + CONFIG_I40E=y                               (Intel i40e 10/25/40 gigabit+)
#   + CONFIG_ICE=y                                (Intel ICE 100+ gigabit)
#   + CONFIG_NET_VENDOR_REALTEK=y                 (Realtek Ethernet)
#   + CONFIG_R8169=y                              (Realtek RTL8111 PCIe GbE)
#   + CONFIG_R8125=y                              (Realtek RTL8125 2.5G)
#   + CONFIG_NET_VENDOR_BROADCOM=y                (Broadcom Ethernet)
#   + CONFIG_TIGON3=y                             (Broadcom Tigon3)
#   + CONFIG_BNX2=y                               (Broadcom NetXtreme II)
#   + CONFIG_BNXT_EN=y                            (Broadcom BNXT modern)
#   + CONFIG_NET_VENDOR_MARVELL=y                 (Marvell/Cavium)
#   + CONFIG_NET_VENDOR_AQUANTIA=y                (Aquantia)
#   + CONFIG_AQTION=y                             (AQC multi-gigabit)
#   + CONFIG_NET_VENDOR_CAVIUM=y                  (Cavium enterprise)
#   + CONFIG_NET_VENDOR_STMICRO=y                 (STMicroelectronics)
#   + CONFIG_STMMAC_ETH=y                         (STMMAC MAC driver)
#   + CONFIG_NET_VENDOR_SUN=y                     (Sun historical)
#   + CONFIG_NET_VENDOR_HUAWEI=y                  (Huawei data center)
#
#   USB CONTROLLERS & HID:
#   + CONFIG_USB_XHCI_HCD=y                       (USB 3.0/3.1 XHCI)
#   + CONFIG_USB_XHCI_PCI=y                       (XHCI PCI)
#   + CONFIG_USB_XHCI_PLATFORM=y                  (XHCI platform)
#   + CONFIG_USB_EHCI_HCD=y                       (USB 2.0 EHCI)
#   + CONFIG_USB_EHCI_PCI=y                       (EHCI PCI)
#   + CONFIG_USB_EHCI_PLATFORM=y                  (EHCI platform)
#   + CONFIG_USB_OHCI_HCD=y                       (USB 1.1 OHCI legacy)
#   + CONFIG_USB_OHCI_PCI=y                       (OHCI PCI)
#   + CONFIG_USB_OHCI_PLATFORM=y                  (OHCI platform)
#   + CONFIG_USB_UHCI_HCD=y                       (USB 1.1 UHCI legacy)
#   + CONFIG_USB_ANNOUNCE_NEW_DEVICES=y           (USB device logging)
#   + CONFIG_USB_HID=y                            (USB Human Interface Devices)
#   + CONFIG_USB_HIDDEV=y                         (USB HID raw interface)
#   + CONFIG_HID=y                                (HID core)
#   + CONFIG_HID_GENERIC=y                        (Generic HID driver)
#   + CONFIG_USB_SERIAL=y                         (USB serial emulation)
#   + CONFIG_USB_SERIAL_GENERIC=y                 (Generic USB serial)
#   + CONFIG_USB_SERIAL_OPTION=y                  (Option vendor modems)
#
#   ADVANCED NETWORKING (modern infrastructure):
#   + CONFIG_NET_PACKET=y                         (packet sockets)
#   + CONFIG_PACKET=y                             (packet protocol)
#   + CONFIG_PACKET_DIAG=y                        (packet diagnostics)
#   + CONFIG_NETLINK_DIAG=y                       (netlink diagnostics)
#   + CONFIG_NETFILTER=y                          (iptables/netfilter)
#   + CONFIG_NETFILTER_ADVANCED=y                 (advanced netfilter)
#   + CONFIG_BRIDGE=y                             (Ethernet bridging)
#   + CONFIG_BRIDGE_IGMP_SNOOPING=y               (IGMP snooping)
#   + CONFIG_VLAN_8021Q=y                         (VLAN 802.1Q)
#   + CONFIG_VLAN_8021Q_GVRP=y                    (GARP VLAN Reg)
#   + CONFIG_VLAN_8021Q_MVRP=y                    (MVRP VLAN Reg)
#   + CONFIG_TUN=y                                (TUN device VPN/VG)
#   + CONFIG_VETH=y                               (virtual ethernet)
#   + CONFIG_NETDEVICES_STATISTICS=y              (net stats)
#   + CONFIG_SLHC=y                               (serial line IP)
#   + CONFIG_PPPOE=y                              (PPP over Ethernet)
#   + CONFIG_PPPOL2TP=y                           (PPP over L2TP)
#   + CONFIG_PPPOE_FILTER=y                       (PPPoE filtering)
#   + CONFIG_BRIDGE_NF_EBTABLES=y                 (bridge netfilter)
#   + CONFIG_NETWORK_PHY_TIMESTAMPING=y           (PHY timestamping)
#
#   PACKET CAPTURE & ANALYSIS (tcpdump, Wireshark):
#   + CONFIG_PACKET=y                             (packet sockets)
#   + CONFIG_NET_PACKET=y                         (raw packet)
#
#   FIRMWARE & QOS:
#   + CONFIG_FW_LOADER=y                          (firmware loader)
#   + CONFIG_FW_LOADER_USER_HELPER=y              (firmware fallback)
#   + CONFIG_EXTRA_FIRMWARE=y                     (extra firmware)
#   + CONFIG_FIRMWARE_IN_KERNEL=y                 (firmware in kernel)
#   + CONFIG_NET_SCHED=y                          (QoS scheduling)
#   + CONFIG_NET_SCH_CODEL=y                      (CoDel queue disc)
#   + CONFIG_NET_SCH_FQ_CODEL=y                   (Fair Queue CoDel)
#   + CONFIG_NET_SCH_FQ=y                         (Fair Queue)
#   + CONFIG_NET_SCH_PRIO=y                       (Priority queue)
#   + CONFIG_NET_CLS_CGROUP=y                     (cgroup QoS)
#
#   IPV6 & MODERN IP:
#   + CONFIG_IPV6=y                               (IPv6 protocol)
#   + CONFIG_IPV6_ROUTER_PREF=y                   (Router preference)
#   + CONFIG_IPV6_ROUTE_INFO=y                    (Route info)
#   + CONFIG_IPV6_OPTIMISTIC_DAD=y                (Optimistic DAD)
#   + CONFIG_IPV6_MIP6=y                          (Mobile IPv6)
#   + CONFIG_IPV6_MULTIPLE_TABLES=y               (Policy routing)
#   + CONFIG_NETFILTER_XT_MATCH_IPRANGE=y         (IP range match)
#
#   MULTICAST & DISCOVERY:
#   + CONFIG_IP_MULTICAST=y                       (IP multicast)
#   + CONFIG_IP_MROUTE=y                          (IP mroute)
#   + CONFIG_IP_MROUTE_MULTIPLE_TABLES=y          (multiple mroute tables)
#   + CONFIG_IPV6_MROUTE=y                        (IPv6 mroute)
#   + CONFIG_IGMP_SNOOPING=y                      (IGMP snooping)
#
#   ADVANCED PACKET FILTERING:
#   + CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y       (connbytes match)
#   + CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y       (conntrack match)
#   + CONFIG_NETFILTER_XT_MATCH_MARK=y            (mark match)
#   + CONFIG_NETFILTER_XT_TARGET_MARK=y           (mark target)
#   + CONFIG_NETFILTER_XT_TARGET_LOG=y            (packet logging)
#   + CONFIG_NF_CONNTRACK=y                       (connection tracking)
#   + CONFIG_NF_CONNTRACK_ZONES=y                 (conntrack zones)
#   + CONFIG_NF_CONNTRACK_EVENTS=y                (conntrack events)
#
#   TCP CONGESTION & BPF:
#   + CONFIG_TCP_CONG_BBR=y                       (BBR congestion ctrl)
#   + CONFIG_TCP_CONG_CUBIC=y                     (CUBIC fallback)
#   + CONFIG_TCP_CONG_WESTWOOD=y                  (Westwood+ algo)
#   + CONFIG_SOCK_CGROUP_DATA=y                   (socket cgroup)
#   + CONFIG_BPF_SYSCALL=y                        (eBPF syscall)
#   + CONFIG_HAVE_EBPF_JIT=y                      (eBPF JIT capable)
#   + CONFIG_BPF_JIT=y                            (eBPF JIT)
#   + CONFIG_BPF_JIT_ALWAYS_ON=y                  (always JIT)
#   + CONFIG_MPTCP=y                              (Multipath TCP)
#   + CONFIG_LWTUNNEL=y                           (lightweight tunnel)
#   + CONFIG_LWTUNNEL_BPF=y                       (BPF tunnel)
#
# >>>>>>>>>> ORIGINAL PERFORMANCE & SECURITY ADDITIONS <<<<<<<<<<
#
#   BPF & JIT:
#   + CONFIG_BPF_JIT=y                   (JIT compilation)
#   + CONFIG_BPF_JIT_ALWAYS_ON=y         (no interpreter fallback)
#   + CONFIG_BPF_UNPRIV_DEFAULT_OFF=y    (unpriv BPF blocked)
#
#   SCHEDULER:
#   + CONFIG_SCHED_CLASS_EXT=y           (BPF-swappable scheduler)
#
#   X86 ARCH:
#   + CONFIG_X86_X2APIC=y                (APIC scalability)
#   + CONFIG_X86_CHECK_BIOS_CORRUPTION=y (BIOS integrity check)
#   + CONFIG_X86_INTEL_USERCOPY_CHECK=y  (ERMSB user copies)
#   + CONFIG_X86_AMD_PSTATE=y            (hardware EPP boost)
#   + CONFIG_X86_AMD_PSTATE_DEFAULT_MODE=3 (Active EPP)
#
#   FILESYSTEM:
#   + CONFIG_FS_ENCRYPTION=y             (fscrypt per-file AES)
#   + CONFIG_FS_VERITY=y                 (Merkle-tree integrity)
#   + CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y (signed verity)
#   + CONFIG_UNICODE=y                   (case-insensitive fs)
#   + CONFIG_UNICODE_UTF8_DATA=y         (NFC folding table)
#
#   VIRTUALIZATION:
#   + CONFIG_VHOST_NET=y                 (zero-copy virtio-net)
#   + CONFIG_VHOST_IOTLB=y               (vhost IOMMU TLB)
#   + CONFIG_VHOST_VSOCK=y               (vsock vhost backend)
#   + CONFIG_VSOCKETS=y                  (AF_VSOCK socket family)
#   + CONFIG_VSOCKETS_DIAG=y             (vsock diagnostics)
#   + CONFIG_VSOCK_LOOPBACK=y            (loopback vsock)
#
#   MEMORY:
#   + CONFIG_ZRAM_MULTI_COMP=y           (dual compression stream)
#   + CONFIG_ZRAM_DEF_COMP="zstd"        (ZSTD primary stream)
#
#   SECURITY:
#   + CONFIG_SECURITY_LANDLOCK=y         (unprivileged sandboxing)
#   + CONFIG_SECURITY_IPE=y              (integrity policy engine)
#   + CONFIG_IPE_PROP_BOOT_VERIFIED=y    (dm-verity boot prop)
#   + CONFIG_IPE_PROP_DM_VERITY=y        (dm-verity IPE prop)
#   + CONFIG_IPE_PROP_FS_VERITY=y        (fs-verity IPE prop)
#   + CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG=y (signed verity)
#
#   OBSERVABILITY:
#   + CONFIG_STACKTRACE=y                (call chain recording)
#
# ==============================================================
# LEGENDARY 2.2.4 STATUS: God-tier networking achieved 🧠🐧⚡