Kernel Version 4.14.117 Android — Authentic & Trusted

TARGET_KERNEL_VERSION := 4.14 TARGET_KERNEL_CONFIG := vendor/sdm660_defconfig TARGET_KERNEL_SOURCE := kernel/msm-4.14 BOARD_KERNEL_IMAGE_NAME := Image.gz-dtb Then run:

source build/envsetup.sh lunch aosp_arm64-userdebug make bootimage 4.1 Mandatory Android Configs Check with scripts/ver_linux and android/abi_gki_*.xml (if GKI). Core configs: kernel version 4.14.117 android

ion: ion@0 compatible = "qcom,msm-ion"; system_heap: ion-system-heap qcom,ion-heap-type = "SYSTEM"; ; ; Cause : Missing CONFIG_SDCARD_FS=y . Workaround : Switch to FUSE or backport sdcardfs from newer 4.14 branches. 9. Upgrading from 4.14.117 to a newer 4.14.x To apply LTS fixes while staying on 4.14 branch: TARGET_KERNEL_VERSION := 4

make headers_install INSTALL_HDR_PATH=out/ Cause : Outdated ION heap definitions in dts. Fix : Verify ion_heap nodes in device tree: -name "*

mkdtimg create dtbo.img --page_size=4096 $(find . -name "*.dtbo") 6.1 Dynamic Debug Enable at boot:

echo "file mm/* +p" > /sys/kernel/debug/dynamic_debug/control echo function > /sys/kernel/debug/tracing/current_tracer cat /sys/kernel/debug/tracing/trace_pipe 6.3 Kernel Logs with ramoops (pstore) Enable in defconfig:

CONFIG_PSTORE=y CONFIG_PSTORE_CONSOLE=y CONFIG_PSTORE_RAM=y Location after crash: /sys/fs/pstore/console-ramoops echo 0 > /sys/module/binder/parameters/debug_mask # enable binder logs # or set dynamic debug: file binder.c +p 7. Security Features (4.14.117 specific) | Feature | Status in 4.14.117 | |---------|--------------------| | SELinux | Enforcing (Android policy) | | KASLR | Supported (if CONFIG_RANDOMIZE_BASE=y ) | | CFI (Control Flow Integrity) | No (added in 4.15+) | | Shadow Call Stack | No (added in 4.17+) | | PAN (Privileged Access Never) | Emulated via CONFIG_ARM64_SW_TTBR0_PAN | | Spectre v2 mitigation | Yes (SMCCC/BPIALL) | | Meltdown mitigation | N/A for ARM64 | 7.1 Hardening Configs to add CONFIG_STRICT_KERNEL_RWX=y CONFIG_STRICT_MODULE_RWX=y CONFIG_RANDOMIZE_BASE=y CONFIG_DEBUG_RODATA=y # alias for STRICT_KERNEL_RWX on 4.14 CONFIG_HARDENED_USERCOPY=y CONFIG_FORTIFY_SOURCE=y 8. Common Issues & Fixes in 4.14.117 8.1 Boot loop due to incompatible binder ABI Cause : Kernel binder version mismatch with userspace libbinder . Fix : Ensure CONFIG_ANDROID_BINDER_IPC is built-in ( =y , not =m ). Sync kernel headers: