Trims down to:
- Permit USB BOT/UAS disks
- Keep NVMe-only internal storage
- Eliminate SATA/SAS/FC/iSCSI/virtio-scsi
- Preserve USB4/TB4, graphics, audio, camera, LAN, WLAN, BT
Lenovo ThinkPad P16s Generation 4:
- Internal: single M.2 NVMe. No SATA bay. No SD/MMC.
- I/O: 2× USB-C (USB4/TB4 via UCSI), 2× USB-A, HDMI, RJ-45, audio.
- NICs: Intel SKU = I219 + Intel BE201 Wi-Fi; AMD SKU = RTL8111 + MT7925 Wi-Fi.
- Peripherals: HDA audio, UVC camera, ThinkPad ACPI, TrackPoint.
See here: https://kernelnewbies.org/KernelBuild
CONFIG_SCSI=y # Required for USB mass storage and UAS
CONFIG_BLK_DEV_SD=y # Create /dev/sdX
CONFIG_CHR_DEV_SG=m # Optional: smartctl/sg tools
CONFIG_USB_STORAGE=y # USB Mass Storage BOT
CONFIG_USB_UAS=y # USB Attached SCSI
CONFIG_ATA=n # Remove libata; platform has no SATA
CONFIG_SATA_AHCI=n # Not present
CONFIG_NVME_CORE=y # Internal NVMe root
CONFIG_BLK_DEV_NVME=y
CONFIG_MMC=n # No card reader
CONFIG_MD=y # Keep if you use mdraid
CONFIG_BLK_DEV_DM=y # LVM/DM base
CONFIG_DM_CRYPT=y # LUKS root
Why: Keep the SCSI mid-layer strictly for USB disks. Kill unused SCSI consumers to reduce attack surface.
CONFIG_USB=y
CONFIG_USB_XHCI_HCD=y # Only host controller type used
CONFIG_USB_EHCI_HCD=n
CONFIG_USB_OHCI_HCD=n
CONFIG_USB_UHCI_HCD=n
CONFIG_TYPEC=y
CONFIG_TYPEC_UCSI=y
CONFIG_UCSI_ACPI=y
CONFIG_USB4=y
CONFIG_THUNDERBOLT=y
CONFIG_USB_PRINTER=n
CONFIG_USBIP_CORE=n
Why: Keep modern USB stack and C-port policy. Trim legacy hosts and unused classes.
CONFIG_DRM=y
CONFIG_DRM_DP_AUX_CHARDEV=y
CONFIG_FRAMEBUFFER_CONSOLE=y
# pick by SKU:
CONFIG_DRM_AMDGPU=y # AMD models
CONFIG_DRM_I915=y # Intel models
# optional:
CONFIG_DRM_NOUVEAU=m # for eGPU scenarios only
Why: Console and iGPU support, DP-Alt-Mode over USB-C.
CONFIG_SND_HDA_INTEL=y
CONFIG_SND_HDA_CODEC_REALTEK=y
CONFIG_SND_HDA_CODEC_HDMI=y
CONFIG_MEDIA_SUPPORT=y
CONFIG_VIDEO_DEV=y
CONFIG_USB_VIDEO_CLASS=y # UVC webcam
CONFIG_INPUT_EVDEV=y
CONFIG_HID=y
CONFIG_USB_HID=y
CONFIG_HID_MULTITOUCH=y
CONFIG_I2C_HID_ACPI=y
CONFIG_MOUSE_PS2=y
CONFIG_MOUSE_PS2_TRACKPOINT=y
CONFIG_SERIO_I8042=y
# Wired (choose by SKU)
CONFIG_E1000E=y # Intel I219
CONFIG_R8169=y # Realtek RTL8111
# Wireless (choose by SKU)
CONFIG_IWLWIFI=m # Intel BE201 (firmware required)
CONFIG_MT7925E=m # MediaTek MT7925
# Bluetooth
CONFIG_BT=y
CONFIG_BT_BREDR=y
CONFIG_BT_LE=y
CONFIG_BT_HCIBTUSB=m
CONFIG_BT_INTEL=m
CONFIG_ACPI=y
CONFIG_THINKPAD_ACPI=y
CONFIG_ACPI_VIDEO=y
CONFIG_CPU_FREQ=y
CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL=y
CONFIG_X86_INTEL_PSTATE=y # Intel SKU
CONFIG_X86_AMD_PSTATE=y # AMD SKU
CONFIG_THERMAL=y
CONFIG_X86_PLATFORM_DEVICES=y
CONFIG_IOMMU_SUPPORT=y
CONFIG_INTEL_IOMMU=y # Intel SKU
CONFIG_AMD_IOMMU=y # AMD SKU
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
Why: Required for TB4 DMA protection and VFIO.
CONFIG_TCG_TPM=y
CONFIG_TCG_TIS=y
CONFIG_TCG_CRB=y
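CONFIG_SECURITY_LOCKDOWN_LSM=y # Kernel lockdown, to enforce under Secure Boot (mainline name; CONFIG_LOCK_DOWN_KERNEL is the older out-of-tree name and is silently dropped by mainline Kconfig)
CONFIG_MODULE_SIG_FORCE=y # Load only signed modules (pair with Secure Boot); depends on CONFIG_MODULE_SIG=y
CONFIG_KEXEC=n # Reduce attack surface (enable only if needed)
CONFIG_RANDOM_TRUST_CPU=y # Only on kernels that still have this symbol; newer ones use the random.trust_cpu= boot parameter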
# Optional per policy:
# CONFIG_IMA_APPRAISE=y
CONFIG_KVM=y
CONFIG_KVM_INTEL=y # Intel SKU
CONFIG_KVM_AMD=y # AMD SKU
CONFIG_VIRTIO_PCI=m
CONFIG_VHOST_NET=m
CONFIG_VIRTIO_BALLOON=m
CONFIG_EXT4_FS=y
CONFIG_BTRFS_FS=m
CONFIG_XFS_FS=m
CONFIG_VFAT_FS=m
CONFIG_EXFAT_FS=m
CONFIG_NTFS3_FS=m
CONFIG_OVERLAY_FS=m
CONFIG_FUSE_FS=m
- If root is on NVMe: include nvme, nvme_core, dm_mod, dm_crypt and your Wi-Fi/BT firmware in the initramfs.
- If you boot from USB disk: also include scsi_mod, sd_mod, usb-storage, uas, xhci_pci.
- Exclude libata and other SCSI HBAs.
- Works: USB thumb drives and external HDD/SSD (BOT/UAS), NVMe, USB HID, USB networking, UVC, HDA, TB4 docks.
- Removed: SATA/libata, SAS, FC, iSCSI, virtio-scsi, MMC/SD.
- Risk: If root was on /dev/sd* via SATA, it will not boot. Use NVMe or explicit UUIDs.
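# Storage paths
lsblk
dmesg | grep -Ei 'nvme|usb|uas|usb-storage'
# lsmod lists loadable modules only; drivers built in with =y do not appear here
lsmod | grep -E 'scsi_mod|sd_mod|usb_storage|uas'
# USB disk hotplug
udevadm monitor --udev
# plug/unplug → expect sdX events
# No SATA stack
lsmod | grep -E 'ahci|libata' # expect empty (also empty if the driver is built in, so check the .config too)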
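Because Kconfig silently drops symbols with unmet dependencies and built-in drivers never show up in lsmod, the final .config is the reliable thing to check. The following is an added example, not part of the original notes: it audits a .config against the storage and USB settings listed above. The names audit_config, config_value, sample_config, MUST_BE_ON and MUST_BE_OFF are invented for this example, and the sample config is constructed.

```sh
# Added example: audit a kernel .config against the storage/USB policy above.
# Symbols the page sets to =y, and symbols it turns off.
MUST_BE_ON="SCSI BLK_DEV_SD USB_STORAGE USB_UAS BLK_DEV_NVME DM_CRYPT USB_XHCI_HCD IOMMU_DEFAULT_DMA_STRICT MODULE_SIG_FORCE"
MUST_BE_OFF="ATA SATA_AHCI MMC USB_EHCI_HCD USB_OHCI_HCD USB_UHCI_HCD USB_PRINTER USBIP_CORE KEXEC"

# config_value FILE SYM: print y or m; print n when the symbol is "=n",
# "# CONFIG_SYM is not set", or absent from the file.
config_value() {
    v=$(sed -n "s/^CONFIG_$2=\([ym]\)\$/\1/p" "$1" | tail -n 1)
    echo "${v:-n}"
}

# audit_config FILE: print one line per violation; exit status = violation count.
audit_config() {
    bad=0
    for s in $MUST_BE_ON; do
        [ "$(config_value "$1" "$s")" = y ] && continue
        echo "MISSING CONFIG_$s (want =y)"; bad=$((bad + 1))
    done
    for s in $MUST_BE_OFF; do
        v=$(config_value "$1" "$s")
        [ "$v" = n ] && continue
        echo "PRESENT CONFIG_$s=$v (want off)"; bad=$((bad + 1))
    done
    return "$bad"
}

# Constructed sample: libata has crept back in and UAS was dropped.
sample_config() {
    cat <<'EOF'
CONFIG_SCSI=y
CONFIG_BLK_DEV_SD=y
CONFIG_USB_STORAGE=y
# CONFIG_USB_UAS is not set
CONFIG_BLK_DEV_NVME=y
CONFIG_DM_CRYPT=y
CONFIG_USB_XHCI_HCD=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_ATA=y
CONFIG_SATA_AHCI=m
EOF
}

# Audit the file given as $1, or the constructed sample when no argument is given.
cfg=${1:-}
if [ -z "$cfg" ]; then cfg=$(mktemp); sample_config > "$cfg"; fi
audit_config "$cfg" || echo "$? violation(s) in $cfg"
```

Run it with the path to the built tree's .config (or a copy of /boot/config-$(uname -r)) as the only argument.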
- Keep a prior kernel in GRUB.
- If a host fails to find root due to device naming, select the previous entry and restore the SCSI- flags in the config or adjust the boot args to UUID.