When you need to check which options were compiled into a running Linux kernel but don't have access to the /boot/config-* file, there are several reliable alternatives:
Many modern kernels compress their configuration into a special file:
zcat /proc/config.gz | grep CONFIG_OPTION_NAME
This requires the kernel to be built with CONFIG_IKCONFIG_PROC=y. To check if this is available:
if [ -f /proc/config.gz ]; then
echo "Config available in /proc/config.gz";
else
echo "Alternative methods required";
fi
For kernels without /proc/config.gz, you can try extracting from the binary:
scripts/extract-ikconfig /boot/vmlinuz-$(uname -r)
This requires kernel source scripts. If you don't have them, install via:
sudo apt install linux-source # Debian/Ubuntu
sudo dnf install kernel-devel # RHEL/Fedora
Many module-related options appear in sysfs:
ls /sys/module/
grep -r CONFIG_ /sys/module/*/parameters/
Some configurations appear in boot parameters:
cat /proc/cmdline
To verify if KASLR is enabled:
if grep -q "nokaslr" /proc/cmdline; then
echo "KASLR disabled";
elif [ -f /proc/config.gz ]; then
zcat /proc/config.gz | grep CONFIG_RANDOMIZE_BASE;
else
echo "Check via dmesg:";
dmesg | grep "KASLR";
fi
Here's a bash function to check multiple options:
check_kernel_config() {
local option=$1
if [ -f /proc/config.gz ]; then
zcat /proc/config.gz | grep "^${option}="
elif [ -x "$(command -v extract-ikconfig)" ]; then
extract-ikconfig /boot/vmlinuz-$(uname -r) | grep "^${option}="
else
echo "No config extraction method available" >&2
return 1
fi
}
# Usage:
check_kernel_config CONFIG_KVM
When working on systems where the original /boot/config-* file is unavailable, you still have several reliable methods to examine the kernel's compile-time configuration:
Modern Linux kernels often provide compressed configuration through /proc:
zcat /proc/config.gz | grep CONFIG_OPTION_NAME
# Example for checking SMP support:
zcat /proc/config.gz | grep CONFIG_SMPNote: This requires kernel built with CONFIG_IKCONFIG_PROC=y.
For kernels with configuration embedded (CONFIG_IKCONFIG=y):
scripts/extract-ikconfig /boot/vmlinuz-$(uname -r)
# Alternative for some distributions:
sudo grep -a "CONFIG_" /boot/vmlinuz-$(uname -r)For specific feature verification without full config:
# Check if module is built-in (returns nothing if not built-in)
grep MODULE /lib/modules/$(uname -r)/modules.builtin
# Check for specific filesystem support
grep -qw ext4 /proc/filesystems && echo "EXT4 supported"
# Verify security features
grep "NX protection:" /var/log/dmesgExamine /proc/cmdline for active kernel parameters:
cat /proc/cmdline
# Compare with possible parameters from:
# https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.htmlOn Debian-based systems when the package is installed:
dpkg -L linux-image-$(uname -r) | grep config
# Extract from deb package directly:
ar p /var/cache/apt/archives/linux-image-*.deb data.tar.xz | tar -xOJ ./boot/config-*Here's how I recently debugged a kernel without config file:
# First try proc method
if [ -f /proc/config.gz ]; then
zcat /proc/config.gz > /tmp/kernel_config
else
# Fallback to module inspection
find /lib/modules/$(uname -r) -name "*.ko" | xargs modinfo | grep depends
fiThis revealed that certain cryptographic modules were compiled as loadable rather than built-in.