Kernel Development Roadmap

Philosophy

Because it is the one place that you have total control over your computer.
— Steven Rostedt

The kernel is where networking protocols, security enforcement, and hardware interaction converge. This roadmap leverages existing expertise in Cisco ISE, 802.1X, network security, and Rust to build kernel-level competency in areas that remain essential regardless of AI advancement.

AI excels at pattern-matching on well-structured, repetitive tasks. It struggles with low-level systems work, hardware interaction, adversarial security thinking, and debugging race conditions across millions of lines of interdependent code. The deeper you go toward the hardware and the kernel, the harder your skills are to automate.

Professional Foundation

This roadmap builds on a comprehensive certification portfolio spanning networking, security, Linux systems, and automation.

Domain Certifications Kernel Relevance

Networking

CCNP Enterprise, CCNA, Network+

net/core/, net/ipv4/, routing, sk_buff, protocol internals

Security

CCNP Security, SISE, SVPN, Security+

LSM framework, Netfilter, audit subsystem, kernel hardening

Linux/Systems

Linux+, LPIC-1/2, RHCSA (pending)

Process management, VFS, syscalls, kernel modules, cgroups

Automation

DevNet (pending), ITIL

Kernel build systems, testing, CI/CD for patches

Why this matters: Kernel development is not isolated systems programming. Understanding how userspace interacts with the kernel (syscalls, procfs, sysfs), how packets traverse Netfilter hooks, and how security policies enforce access control provides essential context. The certifications above validate this foundation.

AI-Resistant Development Areas

Area 1: eBPF — Kernel-Integrated Security Tooling

Why This Area

eBPF allows writing programs that hook into the kernel from user-space without modifying kernel source or loading kernel modules. It is the foundation of modern observability, networking, and security tooling. Your networking and infosec background maps directly — think of eBPF as writing Wireshark-level inspection logic that runs inside the kernel at wire speed.

What You Build

  • Network security monitoring tools that inspect packets at the kernel level

  • Runtime security enforcement (like Falco, Cilium, Tetragon)

  • Custom tracing and observability for enterprise networks

  • XDP programs for high-performance packet processing

Why AI Cannot Replace This

eBPF programs operate under strict kernel verifier constraints, interact with live systems, and require deep understanding of kernel data structures. Debugging a verifier rejection or a subtle interaction between an eBPF map and a network namespace requires contextual reasoning that AI cannot reliably perform.

Resources

Documentation
Books

  • Brendan Gregg, BPF Performance Tools (Addison-Wesley, 2019, ISBN 9780136554820) — the definitive reference for eBPF-based observability and tracing

  • Brendan Gregg, Systems Performance, 2nd ed. (Addison-Wesley, 2020, ISBN 9780136820154) — broader systems performance context with eBPF integration

  • Liz Rice, Learning eBPF (O’Reilly, 2023, ISBN 9781098135126) — practical introduction to writing eBPF programs

  • Liz Rice, What is eBPF? (O’Reilly, free report) — www.oreilly.com/library/view/what-is-ebpf/9781492097266/

Tools to Install and Learn
Online Learning

Area 2: Kernel Module Development

Why This Area

Loadable kernel modules let you extend the kernel without touching mainline source. This is where you learn the kernel API: memory allocation, concurrency primitives, device registration, procfs/sysfs interfaces. It is the essential foundation before contributing to any subsystem.

What You Build

  • Character device drivers

  • Network device drivers

  • Custom procfs and debugfs interfaces

  • Security modules (LSM hooks)

Why AI Cannot Replace This

Kernel modules operate in kernel space where a single null pointer dereference causes a kernel panic. They require understanding of locking disciplines, memory models, interrupt contexts, and hardware behavior that AI cannot reliably reason about. Debugging a module that works on one kernel version but oopses on another requires deep contextual knowledge.

Resources

Books

  • Jonathan Corbet, Alessandro Rubini, Greg Kroah-Hartman, Linux Device Drivers, 3rd ed. (O’Reilly, 2005) — free online:

  • Robert Love, Linux Kernel Development, 3rd ed. (Addison-Wesley, 2010, ISBN 9780672329463) — best general kernel introduction

  • Kaiwan N Billimoria, Linux Kernel Programming (Packt, 2021, ISBN 9781789953435) — modern, covers 5.x kernels

Online Courses
Practical References

Area 3: Netfilter / nftables

Why This Area

Netfilter is the kernel’s packet filtering framework — firewalls, NAT, connection tracking, packet mangling. Your daily work with ISE, ACLs, and network segmentation is the userspace manifestation of what Netfilter does at the kernel level. This is the most natural entry point given your background.

What You Build

  • Custom nftables extensions

  • Connection tracking helpers for proprietary protocols

  • Netfilter hook modules for deep packet inspection

  • Tests and documentation contributions (excellent first patches)

Why AI Cannot Replace This

Netfilter code handles live network traffic in interrupt context. A bug does not just crash a program — it can drop all packets for an entire network, create security holes, or corrupt connection tracking state. Understanding how a packet traverses the Netfilter hooks, interacts with conntrack, and gets NATted requires the kind of protocol-level expertise you already have.

Resources

Documentation
Books

  • Rami Rosen, Linux Kernel Networking (Apress, 2014, ISBN 9781430261964) — deep dive into sk_buff, routing, Netfilter, IPsec

  • Jan Engelhardt, Nicolas Bouliane, Writing Netfilter Modules — inai.de/documents/Netfilter_Modules.pdf

Mailing Lists

  • netfilter-devel — patches and development

  • netdev — broader kernel networking

Source Code

  • net/netfilter/ — core Netfilter code

  • net/ipv4/netfilter/ — IPv4-specific Netfilter modules

  • net/ipv6/netfilter/ — IPv6-specific Netfilter modules

  • include/uapi/linux/netfilter/ — userspace API headers

  • Browse on Elixir: elixir.bootlin.com/linux/latest/source/net/netfilter

Area 4: Kernel Security (LSM, Hardening, Audit)

Why This Area

Linux Security Modules (LSM) is the kernel framework for access control — SELinux, AppArmor, Landlock. Kernel hardening prevents exploitation of vulnerabilities. Your infosec background gives you the adversarial thinking these subsystems require.

What You Build

  • Custom LSM modules for specific security policies

  • Kernel hardening patches (stack protections, KASLR improvements)

  • Audit subsystem improvements

  • Security testing and fuzzing

Why AI Cannot Replace This

Security requires adversarial reasoning — anticipating what an attacker might do. AI generates plausible-looking security code but misses subtle attack vectors, timing side-channels, and privilege escalation paths. The kernel security community values people who can think like attackers, not just write code.

Resources

Documentation
Books & Articles
Mailing Lists

  • linux-security-module — LSM development

    • Subscribe: send blank email to linux-security-module+subscribe@vger.kernel.org

  • linux-hardening — kernel hardening

    • Subscribe: send blank email to linux-hardening+subscribe@vger.kernel.org

Area 5: Rust in the Linux Kernel

Why This Area

As of December 2025, Rust is no longer experimental in the Linux kernel. The DRM subsystem is approximately one year from requiring Rust for new drivers. Your existing Rust experience from netapi-tui positions you ahead of most kernel developers.

What You Build

  • Rust kernel modules and device drivers

  • Rust abstractions for existing C kernel APIs

  • Safety wrappers for networking subsystem interfaces

Why AI Cannot Replace This

Writing safe Rust that interfaces with unsafe C kernel code requires understanding both the Rust ownership model and the kernel’s implicit memory management contracts. The kernel Rust ecosystem is new enough that patterns are still being established — this is design work, not boilerplate.

Resources

Documentation
Getting Started
Mailing List

  • rust-for-linux — patches and development

Chat

Area 6: Kernel Tracing and Observability

Why This Area

ftrace, perf, tracepoints, kprobes — the kernel’s built-in instrumentation. This is how kernel developers actually debug and optimize. Your interest in perf and Wireshark-level analysis makes this a natural fit.

What You Build

  • Custom tracepoints for subsystems

  • trace-cmd and KernelShark contributions

  • Performance analysis tooling

  • Integration between tracing and eBPF

Resources

Documentation
Books

  • Brendan Gregg, BPF Performance Tools — covers perf, ftrace, and eBPF tracing

  • Brendan Gregg, Systems Performance, 2nd ed. — comprehensive performance methodology

Current Study Tracks (Do Not Abandon)

These are active investments that directly support kernel development. Do not drop them — they build the userspace and systems knowledge that kernel work depends on.

See Linux/Systems Certifications for detailed tracking.

RHCSA EX200 (Primary Track)

The Red Hat Certified System Administrator exam validates skills you use daily at CHLA and strengthens your position for DevOps/platform engineering transition. It also builds essential kernel-adjacent knowledge: process management, filesystems, SELinux, systemd, networking configuration, firewalld.

See RHCSA Study Section for chapter notes and hands-on exercises.

LPIC-2 (Renewal Needed)

Your LPIC-1/2 certifications provide the Linux systems foundation. Exam 201 covers kernel management, system startup, filesystems, storage (LVM), and networking — directly relevant to kernel development. The kernel compilation and module management sections (Topic 201) are a direct on-ramp to kernel development work.

Book: Christine Bresnahan & Richard Blum, LPIC-2: Linux Professional Institute Certification Study Guide, Sybex

LFD103: A Beginner’s Guide to Linux Kernel Development (Free Course)

training.linuxfoundation.org/training/a-beginners-guide-to-linux-kernel-development-lfd103/

  • Free, self-paced, 12-16 hours

  • Developed by Linux Foundation Fellow Shuah Khan

  • Covers: dev environment setup, git for kernel workflow, building a kernel, writing patches, testing, submitting, community interaction

  • Prerequisites: proficiency in C and Shell (start K&R C book first, Shell you already know)

  • Begin this course once you have basic C proficiency (K&R chapters 1-5)

  • Completing this course also streamlines application to the Linux Kernel Mentorship Program

Foundation Prerequisites

C Programming

You need C to read kernel source. You do not need to be a C expert before starting — you need to be fluent enough to follow along.

Primary Text

  • Brian Kernighan & Dennis Ritchie, The C Programming Language, 2nd ed. (Prentice Hall, 1988, ISBN 9780131103627) — the canonical reference, short and dense

Supplementary

  • Ben Klemens, 21st Century C, 2nd ed. (O’Reilly, 2014, ISBN 9781491903896) — modern C practices, tooling, debugging

  • Robert Seacord, Effective C (No Starch Press, 2020, ISBN 9781718501041) — focuses on safety and correctness

Practice

  • Write userspace C programs first: a packet parser, a simple network server, a linked list implementation

  • Read kernel source on Elixir while learning — elixir.bootlin.com/linux/latest/source

  • Focus on chapters 1-6 of K&R (types, control flow, functions, pointers, structures, I/O) before starting kernel work

Kernel Architecture

Primary Text

  • Robert Love, Linux Kernel Development, 3rd ed. (Addison-Wesley, 2010, ISBN 9780672329463)

Covers: process management, scheduling, system calls, memory management, VFS, block I/O, interrupts, synchronization, timers. Read this after getting basic C proficiency.

Linux Kernel Networking (Your Specialization)

Primary Text

  • Rami Rosen, Linux Kernel Networking (Apress, 2014, ISBN 9781430261964)

Covers: sk_buff, routing subsystem, Netfilter, IPsec, IPv4/IPv6, neighboring subsystem, InfiniBand, wireless. This bridges your protocol knowledge directly to kernel internals.

Essential Tools and References

Kernel Source Browsing

Kernel Documentation

Journalism and Community

Mailing List Infrastructure

How to Subscribe

Send a blank email (no subject or body needed) to:

List Subscribe Address

netdev

netdev+subscribe@vger.kernel.org

netfilter-devel

netfilter-devel+subscribe@vger.kernel.org

rust-for-linux

rust-for-linux+subscribe@vger.kernel.org

live-patching

live-patching+subscribe@vger.kernel.org

bpf

bpf+subscribe@vger.kernel.org

linux-security-module

linux-security-module+subscribe@vger.kernel.org

linux-hardening

linux-hardening+subscribe@vger.kernel.org

linux-kernel (LKML)

Read via Lore only — do not subscribe for delivery

Archives

All archives available at lore.kernel.org/

Subscription Info

subspace.kernel.org/subscribing.html

Development Environment

Already In Place

  • Arch Linux with Hyprland tiling WM

  • Neovim with LSP and completion

  • tmux for session management

  • KVM/QEMU on Supermicro server (home enterprise)

  • Git proficiency

Add for Kernel Work

  • gcc and binutils — kernel compilation

  • make menuconfig / make nconfig — kernel configuration

  • qemu — quick kernel testing without full VM (virtme-ng recommended)

  • sparse — kernel static analysis (make C=1)

  • coccinelle — semantic patching tool (make coccicheck)

  • checkpatch.pl — patch style checker (in kernel source: scripts/checkpatch.pl)

  • b4 — tool for working with kernel mailing list patches — b4.docs.kernel.org/

  • lei (public-inbox) — local email interface for Lore archives

  • neomutt or aerc — terminal email client for mailing list participation

Learning Sequence

Phase 1: Foundation (Months 1-2)

  1. Continue RHCSA EX200 preparation (primary track — do not drop)

  2. Continue LPIC-2 Sybex book in parallel (Topic 201 kernel sections are directly relevant)

  3. Start K&R C book — chapters 1-6 (secondary, 30 min/day)

  4. Begin LFD103 course once comfortable with basic C (free, self-paced) — training.linuxfoundation.org/training/a-beginners-guide-to-linux-kernel-development-lfd103/

  5. Subscribe to netdev and rust-for-linux — lurk and read

Phase 2: First Kernel Build (Months 2-3)

  1. Build and boot a custom kernel in QEMU on your home enterprise

  2. Write a hello-world kernel module (character device)

  3. Read Robert Love’s Linux Kernel Development

  4. Start reading kernel source on Elixir alongside the book

Phase 3: Networking Focus (Months 3-5)

  1. Read Rami Rosen’s Linux Kernel Networking

  2. Read through net/core/dev.c and net/ipv4/tcp_input.c on Elixir

  3. Write a simple Netfilter hook module

  4. Start using perf and ftrace to trace kernel networking paths

  5. Begin Brendan Gregg’s BPF Performance Tools

Phase 4: eBPF and Tooling (Months 5-7)

  1. Work through Liz Rice’s Learning eBPF

  2. Write eBPF programs with Aya (Rust) and bpftrace

  3. Build a network monitoring tool using XDP

  4. Contribute documentation or tests to Netfilter or eBPF subsystems

Phase 5: First Contributions (Months 7-12)

  1. Submit first patches — start with documentation, tests, or small fixes

  2. Write a Rust kernel module using the out-of-tree template

  3. Engage on mailing lists with informed review comments

  4. Consider the Linux Kernel Mentorship Program — wiki.linuxfoundation.org/lkmp

Phase 6: Sustained Development (Year 2+)

  1. Regular patch submissions to netdev or netfilter-devel

  2. Deeper specialization in eBPF security tooling or Rust networking abstractions

  3. Conference participation: Linux Plumbers, Netdev, Kernel Recipes

  4. Maintain documentation in domus as you learn

Key People to Follow

  • Steven Rostedt — ftrace maintainer, PREEMPT_RT developer

  • Greg Kroah-Hartman — stable kernel maintainer, Rust advocate

  • Miguel Ojeda — Rust for Linux project lead

  • Brendan Gregg — performance and eBPF expert

  • Pablo Neira Ayuso — Netfilter/nftables maintainer

  • Daniel Borkmann — eBPF/XDP co-maintainer

  • Alexei Starovoitov — eBPF co-maintainer

  • Linus Torvalds — well, obviously

Hands-On Deep Dives

Structured curriculum modules that trace real bugs from userspace down to kernel source:

  • Kernel IPC Mastery — tmpfs, AF_UNIX sockets, SCM_RIGHTS, SO_PEERCRED, environment variable discovery. Born from a tmux clipboard debugging session.

Documentation Strategy

All learning notes go into the domus private instance using existing Antora spoke architecture. Consider adding a kernel spoke under Technology alongside Linux, Networking, and Security. Use AsciiDoc includes for shared attributes and cross-references to prevent duplication across spokes. Reserve reStructuredText only for upstream kernel documentation contributions.

Yo sé quién soy, y sé que puedo ser…​
— Don Quijote