安装编译依赖

sudo apt install build-essential libncurses-dev bison flex libssl-dev libelf-dev

下载内核源代码

从www.kernel.org下载你想要的版本，这里下载的是5.4.34。

配置内核编译选项

cd linux-5.4.34/
make menuconfig

需要注意的相关配置如下

make menuconfig
# 打开debug相关选项
Kernel hacking  --->Compile-time checks and compiler options  --->[*] Compile the kernel with debug info[*]   Provide GDB scripts for kernel debugging[*] Kernel debugging
# 关闭KASLR，否则会导致打断点失败
Processor type and features ---->[] Randomize the address of the kernel image (KASLR)

vim .config

在其中搜索CONFIG_PREEMPTION，设置为y，如果没有添加该项，否则可能导致编译失败

/CONFIG_PREMPTION
CONFIG_PREEMPTION=y

开始编译

make -j10

下载qemu，并测试一下内核能不能正常加载运行，因为没有文件系统最终会kernel panic

sudo apt install qemu-system-x86
qemu-system-x86_64 -kernel arch/x86/boot/bzImage

使用busybox制作文件系统

首先从https://www.busybox.net下载 busybox源代码解压，解压完成后，跟内核一样先配置编译，并安装，这里安装的是1.36.0版本，尽量选择较新的版本进行安装，否则可能出现错误。

cd busybox-1.36.0
make menuconfig

需要注意的相关配置如下，使用静态链接

Settings  --->[*] Build static binary (no shared libs)

开始编译

make -j10

然后制作内存根文件系统镜像，大致过程如下：

mkdir rootfs
cd rootfs
cp ../busybox-1.36.0/_install/* ./ -rf
mkdir dev proc sys home
sudo cp -a /dev/{null,console,tty,tty1,tty2,tty3,tty4} dev/

准备init脚本文件放在根文件系统跟目录下（rootfs/init），添加如下内容到init文件。

#!/bin/sh
mount -t proc none /proc
mount -t sysfs none /sys
echo "526zhugeLab3"
echo "--------------------"
cd home
/bin/sh

给init脚本添加可执行权限

chmod +x init

打包成内存根文件系统镜像

find . -print0 | cpio --null -ov --format=newc | gzip -9 > ../rootfs.cpio.gz 

测试挂载根文件系统，看内核启动完成后是否执行init脚本

qemu-system-x86_64 -kernel linux-5.4.34/arch/x86/boot/bzImage -initrd rootfs.cpio.gz

可以启动

配置VSCode

使用VSCode打开linux-5.4.34文件夹

在linux-5.4.34文件夹上创建.vscode文件夹，加入以下配置文件

c_cpp_properties.json

{"configurations": [{"name": "Linux","includePath": ["${workspaceFolder}/arch/x86/include/**","${workspaceFolder}/include/**","${workspaceFolder}/include/linux/**","${workspaceFolder}/arch/x86/**","${workspaceFolder}/**"],"cStandard": "c11","intelliSenseMode": "gcc-x64","compileCommands": "${workspaceFolder}/compile_commands.json"}],"version": 4
}

compile_commands.json

借助一个 Python 脚本来生成 compile_commands.json 文件帮助 Intellisense 正常提示（包括头文件和宏定义等）。在Linux源代码目录下直接运行如下命令就可以生成 compile_commands.json 了。

python3 ./scripts/gen_compile_commands.py

launch.json

由于直接在preLaunchTask中使用qemu可能导致阻塞，这里将改任务取消了，使用手动方式开启。

{// Use IntelliSense to learn about possible attributes.// Hover to view descriptions of existing attributes.// For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387"version": "0.2.0","configurations": [{"name": "(gdb) linux","type": "cppdbg","request": "launch",//"preLaunchTask": "vm","program": "${workspaceRoot}/vmlinux","miDebuggerServerAddress": "localhost:1234","args": [],"stopAtEntry": true,"cwd": "${workspaceFolder}","environment": [],"externalConsole": false,"MIMode": "gdb","miDebuggerArgs": "-n","targetArchitecture": "x64","setupCommands": [{"text": "set arch i386:x86-64:intel","ignoreFailures": false},{"text": "dir .","ignoreFailures": false},{"text": "add-auto-load-safe-path ./","ignoreFailures": false},{"text": "-enable-pretty-printing","ignoreFailures": true}]}]}

tasks.json

{// See https://go.microsoft.com/fwlink/?LinkId=733558// for the documentation about the tasks.json format"version": "2.0.0","tasks": [{"label": "vm","type": "shell","command": "qemu-system-x86_64 -kernel ${workspaceFolder}/arch/x86/boot/bzImage -initrd ../rootfs.cpio.gz -S -s -nographic -append \"console=ttyS0\"","presentation": {"echo": true,"clear": true,"group": "vm"},"isBackground": true,"problemMatcher": [{"pattern": [{"regexp": ".","file": 1,"location": 2,"message": 3}],"background": {"activeOnStart": true,"beginsPattern": ".","endsPattern": ".",}}]},{"label": "build linux","type": "shell","command": "make","group": {"kind": "build","isDefault": true},"presentation": {"echo": false,"group": "build"}}]
}

settings.json

{"search.exclude": {"**/.git": true,"**/.svn": true,"**/.DS_Store": true,"**/drivers": true,"**/sound": true,"**/tools": true,"**/arch/alpha": true,"**/arch/arc": true,"**/arch/c6x": true,"**/arch/h8300": true,"**/arch/hexagon": true,"**/arch/ia64": true,"**/arch/m32r": true,"**/arch/m68k": true,"**/arch/microblaze": true,"**/arch/mn10300": true,"**/arch/nds32": true,"**/arch/nios2": true,"**/arch/parisc": true,"**/arch/powerpc": true,"**/arch/s390": true,"**/arch/sparc": true,"**/arch/score": true,"**/arch/sh": true,"**/arch/um": true,"**/arch/unicore32": true,"**/arch/xtensa": true},"files.exclude": {"**/.*.*.cmd": true,"**/.*.d": true,"**/.*.o": true,"**/.*.S": true,"**/.git": true,"**/.svn": true,"**/.DS_Store": true,"**/drivers": true,"**/sound": true,"**/tools": true,"**/arch/alpha": true,"**/arch/arc": true,"**/arch/c6x": true,"**/arch/h8300": true,"**/arch/hexagon": true,"**/arch/ia64": true,"**/arch/m32r": true,"**/arch/m68k": true,"**/arch/microblaze": true,"**/arch/mn10300": true,"**/arch/nds32": true,"**/arch/nios2": true,"**/arch/parisc": true,"**/arch/powerpc": true,"**/arch/s390": true,"**/arch/sparc": true,"**/arch/score": true,"**/arch/sh": true,"**/arch/um": true,"**/arch/unicore32": true,"**/arch/xtensa": true},"[c]": {"editor.detectIndentation": false,"editor.tabSize": 8,"editor.insertSpaces": false},"C_Cpp.errorSquiggles": "disabled"
}

现在可以启动调试了，在init/main.c中的start_kernel()函数内添加断点，在终端中输入

qemu-system-x86_64 -kernel linux-5.4.34/arch/x86/boot/bzImage -initrd rootfs.cpio.gz -S -s -nographic -append \"console=ttyS0\"

然后在VSCode中按下F5进行调试

跟踪Linux内核的启动过程

init_task位于init/init_task.c文件夹下，是手动创建的静态进程，是linux系统中所有进程的祖先。

init_task是Linux内核中的第一个线程，它贯穿于整个Linux系统的初始化过程中，该进程也是Linux系统中唯一一个没有用kernel_thread()函数创建的内核态进程（内核线程）。

接下来start_kernel依次执行内核各个重要子系统的初始化，比如mm, cpu, sched, irq等等。最后会调用一个rest_init剩余部分初始化。

asmlinkage __visible void __init start_kernel(void)
{char *command_line;char *after_dashes;set_task_stack_end_magic(&init_task);smp_setup_processor_id();debug_objects_early_init();cgroup_init_early();local_irq_disable();..........
//剩余初始化arch_call_rest_init();
}void __init __weak arch_call_rest_init(void)
{rest_init();
}

noinline void __ref rest_init(void)
{struct task_struct *tsk;int pid;rcu_scheduler_starting();/** We need to spawn init first so that it obtains pid 1, however* the init task will end up wanting to create kthreads, which, if* we schedule it before we create kthreadd, will OOPS.*/pid = kernel_thread(kernel_init, NULL, CLONE_FS);/** Pin init on the boot CPU. Task migration is not properly working* until sched_init_smp() has been run. It will set the allowed* CPUs for init to the non isolated CPUs.*/rcu_read_lock();tsk = find_task_by_pid_ns(pid, &init_pid_ns);set_cpus_allowed_ptr(tsk, cpumask_of(smp_processor_id()));rcu_read_unlock();numa_default_policy();pid = kernel_thread(kthreadd, NULL, CLONE_FS | CLONE_FILES);rcu_read_lock();kthreadd_task = find_task_by_pid_ns(pid, &init_pid_ns);rcu_read_unlock();/** Enable might_sleep() and smp_processor_id() checks.* They cannot be enabled earlier because with CONFIG_PREEMPTION=y* kernel_thread() would trigger might_sleep() splats. With* CONFIG_PREEMPT_VOLUNTARY=y the init task might have scheduled* already, but it's stuck on the kthreadd_done completion.*/system_state = SYSTEM_SCHEDULING;complete(&kthreadd_done);/** The boot idle thread must execute schedule()* at least once to get things moving:*/schedule_preempt_disabled();/* Call into cpu_idle with preempt disabled */cpu_startup_entry(CPUHP_ONLINE);
}

在rest_init中实际只需关心两行

//第12行
pid = kernel_thread(kernel_init, NULL, CLONE_FS);
//第24行
pid = kernel_thread(kthreadd, NULL, CLONE_FS | CLONE_FILES);

查看kernel_thread函数

/** Create a kernel thread.*/
pid_t kernel_thread(int (*fn)(void *), void *arg, unsigned long flags)
{struct kernel_clone_args args = {.flags        = ((flags | CLONE_VM | CLONE_UNTRACED) & ~CSIGNAL),.exit_signal    = (flags & CSIGNAL),.stack        = (unsigned long)fn,.stack_size    = (unsigned long)arg,};return _do_fork(&args);
}

查看_do_fork()函数

/**  Ok, this is the main fork-routine.** It copies the process, and if successful kick-starts* it and waits for it to finish using the VM if required.** args->exit_signal is expected to be checked for sanity by the caller.*/
long _do_fork(struct kernel_clone_args *args)
{u64 clone_flags = args->flags;struct completion vfork;struct pid *pid;struct task_struct *p;int trace = 0;long nr;/** Determine whether and which event to report to ptracer.  When* called from kernel_thread or CLONE_UNTRACED is explicitly* requested, no event is reported; otherwise, report if the event* for the type of forking is enabled.*/if (!(clone_flags & CLONE_UNTRACED)) {if (clone_flags & CLONE_VFORK)trace = PTRACE_EVENT_VFORK;else if (args->exit_signal != SIGCHLD)trace = PTRACE_EVENT_CLONE;elsetrace = PTRACE_EVENT_FORK;if (likely(!ptrace_event_enabled(current, trace)))trace = 0;}p = copy_process(NULL, trace, NUMA_NO_NODE, args);add_latent_entropy();if (IS_ERR(p))return PTR_ERR(p);/** Do this prior waking up the new thread - the thread pointer* might get invalid after that point, if the thread exits quickly.*/trace_sched_process_fork(current, p);pid = get_task_pid(p, PIDTYPE_PID);nr = pid_vnr(pid);if (clone_flags & CLONE_PARENT_SETTID)put_user(nr, args->parent_tid);if (clone_flags & CLONE_VFORK) {p->vfork_done = &vfork;init_completion(&vfork);get_task_struct(p);}wake_up_new_task(p);/* forking complete and child started to run, tell ptracer */if (unlikely(trace))ptrace_event_pid(trace, pid);if (clone_flags & CLONE_VFORK) {if (!wait_for_vfork_done(p, &vfork))ptrace_event_pid(PTRACE_EVENT_VFORK_DONE, pid);}put_pid(pid);return nr;
}

_do_fork()调用copy_process()，执行生成子进程的实际工作，并根据指定的标志复制父进程的数据。在子进程生成后，调用 wake_up_new_task 将子进程加入调度器，为之分配 CPU。最后返回子进程pid。

接下来查看kernel_init()和kthreadd()函数，这两个函数作为进程被启动。

static int __ref kernel_init(void *unused)
{int ret;kernel_init_freeable();/* need to finish all async __init code before freeing the memory */async_synchronize_full();ftrace_free_init_mem();free_initmem();mark_readonly();/** Kernel mappings are now finalized - update the userspace page-table* to finalize PTI.*/pti_finalize();system_state = SYSTEM_RUNNING;numa_default_policy();rcu_end_inkernel_boot();if (ramdisk_execute_command) {ret = run_init_process(ramdisk_execute_command);if (!ret)return 0;pr_err("Failed to execute %s (error %d)\n",ramdisk_execute_command, ret);}/** We try each of these until one succeeds.** The Bourne shell can be used instead of init if we are* trying to recover a really broken machine.*/if (execute_command) {ret = run_init_process(execute_command);if (!ret)return 0;panic("Requested init %s failed (error %d).",execute_command, ret);}if (!try_to_run_init_process("/sbin/init") ||!try_to_run_init_process("/etc/init") ||!try_to_run_init_process("/bin/init") ||!try_to_run_init_process("/bin/sh"))return 0;panic("No working init found.  Try passing init= option to kernel. ""See Linux Documentation/admin-guide/init.rst for guidance.");
}

执行各种外设驱动的初始化，挂载根文件系统，按顺序执行/init可以执行文件，完成用户态初始化。

int kthreadd(void *unused)
{struct task_struct *tsk = current;/* Setup a clean context for our children to inherit. */set_task_comm(tsk, "kthreadd");ignore_signals(tsk);set_cpus_allowed_ptr(tsk, cpu_all_mask);set_mems_allowed(node_states[N_MEMORY]);current->flags |= PF_NOFREEZE;cgroup_init_kthreadd();for (;;) {set_current_state(TASK_INTERRUPTIBLE);if (list_empty(&kthread_create_list))schedule();__set_current_state(TASK_RUNNING);spin_lock(&kthread_create_lock);while (!list_empty(&kthread_create_list)) {struct kthread_create_info *create;create = list_entry(kthread_create_list.next,struct kthread_create_info, list);list_del_init(&create->list);spin_unlock(&kthread_create_lock);create_kthread(create);spin_lock(&kthread_create_lock);}spin_unlock(&kthread_create_lock);}return 0;
}

设置当前进程的名字为"kthreadd"，循环设置当前的进程的状态是TASK_INTERRUPTIBLE是可以中断的，判断kthread_create_list链表是不是空，如果是空则就调度出去，让出cpu，如果不是空，则从链表中取出一个，然后调用kthread_create去创建一个内核线程。所以说所有的内核线程的父进程都是kthreadd。