1 # SPDX-License-Identifier: GPL-2.0-only 1 # SPDX-License-Identifier: GPL-2.0-only 2 menuconfig MODULES 2 menuconfig MODULES 3 bool "Enable loadable module support" 3 bool "Enable loadable module support" 4 modules 4 modules 5 select EXECMEM << 6 help 5 help 7 Kernel modules are small pieces of c 6 Kernel modules are small pieces of compiled code which can 8 be inserted in the running kernel, r 7 be inserted in the running kernel, rather than being 9 permanently built into the kernel. 8 permanently built into the kernel. You use the "modprobe" 10 tool to add (and sometimes remove) t 9 tool to add (and sometimes remove) them. If you say Y here, 11 many parts of the kernel can be buil 10 many parts of the kernel can be built as modules (by 12 answering M instead of Y where indic 11 answering M instead of Y where indicated): this is most 13 useful for infrequently used options 12 useful for infrequently used options which are not required 14 for booting. For more information, 13 for booting. For more information, see the man pages for 15 modprobe, lsmod, modinfo, insmod and 14 modprobe, lsmod, modinfo, insmod and rmmod. 16 15 17 If you say Y here, you will need to 16 If you say Y here, you will need to run "make 18 modules_install" to put the modules 17 modules_install" to put the modules under /lib/modules/ 19 where modprobe can find them (you ma 18 where modprobe can find them (you may need to be root to do 20 this). 19 this). 21 20 22 If unsure, say Y. 21 If unsure, say Y. 23 22 24 if MODULES 23 if MODULES 25 24 26 config MODULE_DEBUGFS << 27 bool << 28 << 29 config MODULE_DEBUG << 30 bool "Module debugging" << 31 depends on DEBUG_FS << 32 help << 33 Allows you to enable / disable featu << 34 modules. 
You don't need these option << 35 << 36 if MODULE_DEBUG << 37 << 38 config MODULE_STATS << 39 bool "Module statistics" << 40 depends on DEBUG_FS << 41 select MODULE_DEBUGFS << 42 help << 43 This option allows you to maintain a << 44 For example, size of all modules, av << 45 of failed modules and the size for e << 46 modules we keep track of modules whi << 47 existing module taking too long to l << 48 loaded. << 49 << 50 You should enable this if you are de << 51 and want to see if userspace or the << 52 with loading modules when it shouldn << 53 optimize userspace / kernel space mo << 54 You might want to do this because fa << 55 up significant amount of memory, and << 56 favor in avoiding these failures pro << 57 << 58 This functionality is also useful fo << 59 module .text ELF section optimizatio << 60 << 61 If unsure, say N. << 62 << 63 config MODULE_DEBUG_AUTOLOAD_DUPS << 64 bool "Debug duplicate modules with aut << 65 help << 66 Module autoloading allows in-kernel << 67 the *request_module*() API calls. Th << 68 modprobe. Although modprobe checks t << 69 loaded before trying to load a modul << 70 which multiple duplicate requests ca << 71 modprobe calls race calling finit_mo << 72 duplicate modules. The finit_module( << 73 worst case more than twice the respe << 74 memory for each duplicate module req << 75 requests are non-fatal virtual memor << 76 duplicate module request ends up jus << 77 memory. << 78 << 79 This debugging facility will create << 80 module requests to help identify if << 81 culprit to your early boot virtual m << 82 memory abuse caused by duplicate mod << 83 system unusable this functionality w << 84 requests for the same module to a si << 85 the module.enable_dups_trace=1 kerne << 86 instead of the pr_warn(). 
<< 87 << 88 If the first module request used req << 89 use that as the anchor to wait for d << 90 users of request_module() do want a << 91 for the same module happened earlier << 92 then a duplicate request_module_nowa << 93 non-wait request_module() call is sy << 94 completes. Subsequent auto-loading r << 95 not trigger a new finit_module() cal << 96 memory, and so as soon as modprobe s << 97 tracking for duplicates for that mod << 98 << 99 Enable this functionality to try to << 100 boot on systems which are failing to << 101 straining virtual memory during boot << 102 abuse was due to module auto-loading << 103 known to occur on systems with many << 104 result of udev issuing duplicate mod << 105 module auto-loading is not the culpr << 106 many duplicate module auto-loading r << 107 for and this debugging facility can << 108 << 109 Only enable this for debugging syste << 110 enabled on real systems. << 111 << 112 config MODULE_DEBUG_AUTOLOAD_DUPS_TRACE << 113 bool "Force full stack trace when dupl << 114 depends on MODULE_DEBUG_AUTOLOAD_DUPS << 115 help << 116 Enabling this will force a full stac << 117 auto-loading requests using WARN_ON( << 118 should keep this disabled at all tim << 119 and are doing a manual inspection an << 120 these duplicates occur. << 121 << 122 endif # MODULE_DEBUG << 123 << 124 config MODULE_FORCE_LOAD 25 config MODULE_FORCE_LOAD 125 bool "Forced module loading" 26 bool "Forced module loading" 126 default n 27 default n 127 help 28 help 128 Allow loading of modules without ver 29 Allow loading of modules without version information (ie. modprobe 129 --force). Forced module loading set 30 --force). Forced module loading sets the 'F' (forced) taint flag and 130 is usually a really bad idea. 31 is usually a really bad idea. 
131 32 132 config MODULE_UNLOAD 33 config MODULE_UNLOAD 133 bool "Module unloading" 34 bool "Module unloading" 134 help 35 help 135 Without this option you will not be 36 Without this option you will not be able to unload any 136 modules (note that some modules may 37 modules (note that some modules may not be unloadable 137 anyway), which makes your kernel sma 38 anyway), which makes your kernel smaller, faster 138 and simpler. If unsure, say Y. 39 and simpler. If unsure, say Y. 139 40 140 config MODULE_FORCE_UNLOAD 41 config MODULE_FORCE_UNLOAD 141 bool "Forced module unloading" 42 bool "Forced module unloading" 142 depends on MODULE_UNLOAD 43 depends on MODULE_UNLOAD 143 help 44 help 144 This option allows you to force a mo 45 This option allows you to force a module to unload, even if the 145 kernel believes it is unsafe: the ke 46 kernel believes it is unsafe: the kernel will remove the module 146 without waiting for anyone to stop u 47 without waiting for anyone to stop using it (using the -f option to 147 rmmod). This is mainly for kernel d 48 rmmod). This is mainly for kernel developers and desperate users. 148 If unsure, say N. 49 If unsure, say N. 149 50 150 config MODULE_UNLOAD_TAINT_TRACKING 51 config MODULE_UNLOAD_TAINT_TRACKING 151 bool "Tainted module unload tracking" 52 bool "Tainted module unload tracking" 152 depends on MODULE_UNLOAD 53 depends on MODULE_UNLOAD 153 select MODULE_DEBUGFS !! 54 default n 154 help 55 help 155 This option allows you to maintain a 56 This option allows you to maintain a record of each unloaded 156 module that tainted the kernel. In a 57 module that tainted the kernel. In addition to displaying a 157 list of linked (or loaded) modules e 58 list of linked (or loaded) modules e.g. on detection of a bad 158 page (see bad_page()), the aforement 59 page (see bad_page()), the aforementioned details are also 159 shown. If unsure, say N. 60 shown. If unsure, say N. 
160 61 161 config MODVERSIONS 62 config MODVERSIONS 162 bool "Module versioning support" 63 bool "Module versioning support" 163 depends on !COMPILE_TEST << 164 help 64 help 165 Usually, you have to use modules com 65 Usually, you have to use modules compiled with your kernel. 166 Saying Y here makes it sometimes pos 66 Saying Y here makes it sometimes possible to use modules 167 compiled for different kernels, by a 67 compiled for different kernels, by adding enough information 168 to the modules to (hopefully) spot a 68 to the modules to (hopefully) spot any changes which would 169 make them incompatible with the kern 69 make them incompatible with the kernel you are running. If 170 unsure, say N. 70 unsure, say N. 171 71 172 config ASM_MODVERSIONS 72 config ASM_MODVERSIONS 173 bool 73 bool 174 default HAVE_ASM_MODVERSIONS && MODVER 74 default HAVE_ASM_MODVERSIONS && MODVERSIONS 175 help 75 help 176 This enables module versioning for e 76 This enables module versioning for exported symbols also from 177 assembly. This can be enabled only w 77 assembly. This can be enabled only when the target architecture 178 supports it. 78 supports it. 179 79 180 config MODULE_SRCVERSION_ALL 80 config MODULE_SRCVERSION_ALL 181 bool "Source checksum for all modules" 81 bool "Source checksum for all modules" 182 help 82 help 183 Modules which contain a MODULE_VERSI 83 Modules which contain a MODULE_VERSION get an extra "srcversion" 184 field inserted into their modinfo se 84 field inserted into their modinfo section, which contains a 185 sum of the source files which made i 85 sum of the source files which made it. This helps maintainers 186 see exactly which source was used to 86 see exactly which source was used to build a module (since 187 others sometimes change the module s 87 others sometimes change the module source without updating 188 the version). With this option, suc 88 the version). With this option, such a "srcversion" field 189 will be created for all modules. 
If 89 will be created for all modules. If unsure, say N. 190 90 191 config MODULE_SIG 91 config MODULE_SIG 192 bool "Module signature verification" 92 bool "Module signature verification" 193 select MODULE_SIG_FORMAT 93 select MODULE_SIG_FORMAT 194 help 94 help 195 Check modules for valid signatures u 95 Check modules for valid signatures upon load: the signature 196 is simply appended to the module. Fo 96 is simply appended to the module. For more information see 197 <file:Documentation/admin-guide/modu 97 <file:Documentation/admin-guide/module-signing.rst>. 198 98 199 Note that this option adds the OpenS 99 Note that this option adds the OpenSSL development packages as a 200 kernel build dependency so that the 100 kernel build dependency so that the signing tool can use its crypto 201 library. 101 library. 202 102 203 You should enable this option if you 103 You should enable this option if you wish to use either 204 CONFIG_SECURITY_LOCKDOWN_LSM or lock 104 CONFIG_SECURITY_LOCKDOWN_LSM or lockdown functionality imposed via 205 another LSM - otherwise unsigned mod 105 another LSM - otherwise unsigned modules will be loadable regardless 206 of the lockdown policy. 106 of the lockdown policy. 207 107 208 !!!WARNING!!! If you enable this op 108 !!!WARNING!!! If you enable this option, you MUST make sure that the 209 module DOES NOT get stripped after b 109 module DOES NOT get stripped after being signed. This includes the 210 debuginfo strip done by some package 110 debuginfo strip done by some packagers (such as rpmbuild) and 211 inclusion into an initramfs that wan 111 inclusion into an initramfs that wants the module size reduced. 
212 112 213 config MODULE_SIG_FORCE 113 config MODULE_SIG_FORCE 214 bool "Require modules to be validly si 114 bool "Require modules to be validly signed" 215 depends on MODULE_SIG 115 depends on MODULE_SIG 216 help 116 help 217 Reject unsigned modules or signed mo 117 Reject unsigned modules or signed modules for which we don't have a 218 key. Without this, such modules wil 118 key. Without this, such modules will simply taint the kernel. 219 119 220 config MODULE_SIG_ALL 120 config MODULE_SIG_ALL 221 bool "Automatically sign all modules" 121 bool "Automatically sign all modules" 222 default y 122 default y 223 depends on MODULE_SIG || IMA_APPRAISE_ 123 depends on MODULE_SIG || IMA_APPRAISE_MODSIG 224 help 124 help 225 Sign all modules during make modules 125 Sign all modules during make modules_install. Without this option, 226 modules must be signed manually, usi 126 modules must be signed manually, using the scripts/sign-file tool. 227 127 228 comment "Do not forget to sign required module 128 comment "Do not forget to sign required modules with scripts/sign-file" 229 depends on MODULE_SIG_FORCE && !MODULE 129 depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL 230 130 231 choice 131 choice 232 prompt "Hash algorithm to sign modules !! 132 prompt "Which hash algorithm should modules be signed with?" 233 depends on MODULE_SIG || IMA_APPRAISE_ 133 depends on MODULE_SIG || IMA_APPRAISE_MODSIG 234 help 134 help 235 This determines which sort of hashin 135 This determines which sort of hashing algorithm will be used during 236 signature generation. This algorith 136 signature generation. This algorithm _must_ be built into the kernel 237 directly so that signature verificat 137 directly so that signature verification can take place. It is not 238 possible to load a signed module con 138 possible to load a signed module containing the algorithm to check 239 the signature on that module. 139 the signature on that module. 
240 140 241 config MODULE_SIG_SHA1 141 config MODULE_SIG_SHA1 242 bool "SHA-1" !! 142 bool "Sign modules with SHA-1" 243 select CRYPTO_SHA1 143 select CRYPTO_SHA1 244 144 >> 145 config MODULE_SIG_SHA224 >> 146 bool "Sign modules with SHA-224" >> 147 select CRYPTO_SHA256 >> 148 245 config MODULE_SIG_SHA256 149 config MODULE_SIG_SHA256 246 bool "SHA-256" !! 150 bool "Sign modules with SHA-256" 247 select CRYPTO_SHA256 151 select CRYPTO_SHA256 248 152 249 config MODULE_SIG_SHA384 153 config MODULE_SIG_SHA384 250 bool "SHA-384" !! 154 bool "Sign modules with SHA-384" 251 select CRYPTO_SHA512 155 select CRYPTO_SHA512 252 156 253 config MODULE_SIG_SHA512 157 config MODULE_SIG_SHA512 254 bool "SHA-512" !! 158 bool "Sign modules with SHA-512" 255 select CRYPTO_SHA512 159 select CRYPTO_SHA512 256 160 257 config MODULE_SIG_SHA3_256 << 258 bool "SHA3-256" << 259 select CRYPTO_SHA3 << 260 << 261 config MODULE_SIG_SHA3_384 << 262 bool "SHA3-384" << 263 select CRYPTO_SHA3 << 264 << 265 config MODULE_SIG_SHA3_512 << 266 bool "SHA3-512" << 267 select CRYPTO_SHA3 << 268 << 269 endchoice 161 endchoice 270 162 271 config MODULE_SIG_HASH 163 config MODULE_SIG_HASH 272 string 164 string 273 depends on MODULE_SIG || IMA_APPRAISE_ 165 depends on MODULE_SIG || IMA_APPRAISE_MODSIG 274 default "sha1" if MODULE_SIG_SHA1 166 default "sha1" if MODULE_SIG_SHA1 >> 167 default "sha224" if MODULE_SIG_SHA224 275 default "sha256" if MODULE_SIG_SHA256 168 default "sha256" if MODULE_SIG_SHA256 276 default "sha384" if MODULE_SIG_SHA384 169 default "sha384" if MODULE_SIG_SHA384 277 default "sha512" if MODULE_SIG_SHA512 170 default "sha512" if MODULE_SIG_SHA512 278 default "sha3-256" if MODULE_SIG_SHA3_ << 279 default "sha3-384" if MODULE_SIG_SHA3_ << 280 default "sha3-512" if MODULE_SIG_SHA3_ << 281 171 282 config MODULE_COMPRESS !! 172 choice 283 bool "Module compression" !! 173 prompt "Module compression mode" 284 help 174 help 285 Enable module compression to reduce !! 
175 This option allows you to choose the algorithm which will be used to >> 176 compress modules when 'make modules_install' is run. (or, you can >> 177 choose to not compress modules at all.) >> 178 >> 179 External modules will also be compressed in the same way during the >> 180 installation. >> 181 >> 182 For modules inside an initrd or initramfs, it's more efficient to >> 183 compress the whole initrd or initramfs instead. >> 184 286 This is fully compatible with signed 185 This is fully compatible with signed modules. 287 186 288 The tool used to work with modules n !! 187 Please note that the tool used to load modules needs to support the 289 compression type. kmod MAY support g !! 188 corresponding algorithm. module-init-tools MAY support gzip, and kmod 290 might have a limited selection of th !! 189 MAY support gzip, xz and zstd. 291 190 292 Note that for modules inside an init !! 191 Your build system needs to provide the appropriate compression tool 293 efficient to compress the whole ramd !! 192 to compress the modules. 294 193 295 If unsure, say N. !! 194 If in doubt, select 'None'. 296 195 297 choice !! 196 config MODULE_COMPRESS_NONE 298 prompt "Module compression type" !! 197 bool "None" 299 depends on MODULE_COMPRESS << 300 help 198 help 301 Choose the supported algorithm for m !! 199 Do not compress modules. The installed modules are suffixed >> 200 with .ko. 302 201 303 config MODULE_COMPRESS_GZIP 202 config MODULE_COMPRESS_GZIP 304 bool "GZIP" 203 bool "GZIP" 305 help 204 help 306 Support modules compressed with GZIP !! 205 Compress modules with GZIP. The installed modules are suffixed 307 suffixed with .ko.gz. !! 206 with .ko.gz. 308 207 309 config MODULE_COMPRESS_XZ 208 config MODULE_COMPRESS_XZ 310 bool "XZ" 209 bool "XZ" 311 help 210 help 312 Support modules compressed with XZ. !! 211 Compress modules with XZ. The installed modules are suffixed 313 suffixed with .ko.xz. !! 212 with .ko.xz. 
314 213 315 config MODULE_COMPRESS_ZSTD 214 config MODULE_COMPRESS_ZSTD 316 bool "ZSTD" 215 bool "ZSTD" 317 help 216 help 318 Support modules compressed with ZSTD !! 217 Compress modules with ZSTD. The installed modules are suffixed 319 suffixed with .ko.zst. !! 218 with .ko.zst. 320 219 321 endchoice 220 endchoice 322 221 323 config MODULE_COMPRESS_ALL << 324 bool "Automatically compress all modul << 325 default y << 326 depends on MODULE_COMPRESS << 327 help << 328 Compress all modules during 'make mo << 329 << 330 Your build system needs to provide t << 331 for the selected compression type. E << 332 compressed in the same way during th << 333 << 334 config MODULE_DECOMPRESS 222 config MODULE_DECOMPRESS 335 bool "Support in-kernel module decompr 223 bool "Support in-kernel module decompression" 336 depends on MODULE_COMPRESS !! 224 depends on MODULE_COMPRESS_GZIP || MODULE_COMPRESS_XZ || MODULE_COMPRESS_ZSTD 337 select ZLIB_INFLATE if MODULE_COMPRESS 225 select ZLIB_INFLATE if MODULE_COMPRESS_GZIP 338 select XZ_DEC if MODULE_COMPRESS_XZ 226 select XZ_DEC if MODULE_COMPRESS_XZ 339 select ZSTD_DECOMPRESS if MODULE_COMPR 227 select ZSTD_DECOMPRESS if MODULE_COMPRESS_ZSTD 340 help 228 help >> 229 341 Support for decompressing kernel mod 230 Support for decompressing kernel modules by the kernel itself 342 instead of relying on userspace to p 231 instead of relying on userspace to perform this task. Useful when 343 load pinning security policy is enab 232 load pinning security policy is enabled. 344 233 345 If unsure, say N. 234 If unsure, say N. 346 235 347 config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS 236 config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS 348 bool "Allow loading of modules with mi 237 bool "Allow loading of modules with missing namespace imports" 349 help 238 help 350 Symbols exported with EXPORT_SYMBOL_ 239 Symbols exported with EXPORT_SYMBOL_NS*() are considered exported in 351 a namespace. A module that makes use 240 a namespace. 
A module that makes use of a symbol exported with such a 352 namespace is required to import the 241 namespace is required to import the namespace via MODULE_IMPORT_NS(). 353 There is no technical reason to enfo 242 There is no technical reason to enforce correct namespace imports, 354 but it creates consistency between s 243 but it creates consistency between symbols defining namespaces and 355 users importing namespaces they make 244 users importing namespaces they make use of. This option relaxes this 356 requirement and lifts the enforcemen 245 requirement and lifts the enforcement when loading a module. 357 246 358 If unsure, say N. 247 If unsure, say N. 359 248 360 config MODPROBE_PATH 249 config MODPROBE_PATH 361 string "Path to modprobe binary" 250 string "Path to modprobe binary" 362 default "/sbin/modprobe" 251 default "/sbin/modprobe" 363 help 252 help 364 When kernel code requests a module, 253 When kernel code requests a module, it does so by calling 365 the "modprobe" userspace utility. Th 254 the "modprobe" userspace utility. This option allows you to 366 set the path where that binary is fo 255 set the path where that binary is found. This can be changed 367 at runtime via the sysctl file 256 at runtime via the sysctl file 368 /proc/sys/kernel/modprobe. Setting t 257 /proc/sys/kernel/modprobe. Setting this to the empty string 369 removes the kernel's ability to requ 258 removes the kernel's ability to request modules (but 370 userspace can still load modules exp 259 userspace can still load modules explicitly). 371 260 372 config TRIM_UNUSED_KSYMS 261 config TRIM_UNUSED_KSYMS 373 bool "Trim unused exported kernel symb !! 262 bool "Trim unused exported kernel symbols" if EXPERT >> 263 depends on !COMPILE_TEST 374 help 264 help 375 The kernel and some modules make man 265 The kernel and some modules make many symbols available for 376 other modules to use via EXPORT_SYMB 266 other modules to use via EXPORT_SYMBOL() and variants. 
Depending 377 on the set of modules being selected 267 on the set of modules being selected in your kernel configuration, 378 many of those exported symbols might 268 many of those exported symbols might never be used. 379 269 380 This option allows for unused export 270 This option allows for unused exported symbols to be dropped from 381 the build. In turn, this provides th 271 the build. In turn, this provides the compiler more opportunities 382 (especially when using LTO) for opti 272 (especially when using LTO) for optimizing the code and reducing 383 binary size. This might have some s 273 binary size. This might have some security advantages as well. 384 274 385 If unsure, or if you need to build o 275 If unsure, or if you need to build out-of-tree modules, say N. 386 276 387 config UNUSED_KSYMS_WHITELIST 277 config UNUSED_KSYMS_WHITELIST 388 string "Whitelist of symbols to keep i 278 string "Whitelist of symbols to keep in ksymtab" 389 depends on TRIM_UNUSED_KSYMS 279 depends on TRIM_UNUSED_KSYMS 390 help 280 help 391 By default, all unused exported symb 281 By default, all unused exported symbols will be un-exported from the 392 build when TRIM_UNUSED_KSYMS is sele 282 build when TRIM_UNUSED_KSYMS is selected. 393 283 394 UNUSED_KSYMS_WHITELIST allows to whi 284 UNUSED_KSYMS_WHITELIST allows to whitelist symbols that must be kept 395 exported at all times, even in absen 285 exported at all times, even in absence of in-tree users. The value to 396 set here is the path to a text file 286 set here is the path to a text file containing the list of symbols, 397 one per line. The path can be absolu 287 one per line. The path can be absolute, or relative to the kernel 398 source or obj tree. !! 288 source tree. 399 289 400 config MODULES_TREE_LOOKUP 290 config MODULES_TREE_LOOKUP 401 def_bool y 291 def_bool y 402 depends on PERF_EVENTS || TRACING || C 292 depends on PERF_EVENTS || TRACING || CFI_CLANG 403 293 404 endif # MODULES 294 endif # MODULES
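Review bot: the hash `choice` block (prompt "Hash algorithm to sign modules" on the left, "Which hash algorithm should modules be signed with?" on the right) carries no `default` line in either column, and `MODULE_SIG_SHA1` is its first entry, so Kconfig falls back to SHA-1 whenever the choice is left unset. Add an explicit default to the choice, for example `default MODULE_SIG_SHA256`, so that `MODULE_SIG_HASH` does not resolve to "sha1" by omission. Also decide whether SHA-1 (both columns) and SHA-224 (right-hand column only) should still be offered for module signing.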
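Review bot: in `MODULE_UNLOAD_TAINT_TRACKING`, the right-hand `default n` is redundant, because a `bool` with no default is already n; it can simply be dropped. The left-hand column replaces it with `select MODULE_DEBUGFS`, but unlike `MODULE_STATS`, which pairs the same select with `depends on DEBUG_FS`, this entry shows only `depends on MODULE_UNLOAD`, and `MODULE_DEBUGFS` itself is a bare `bool` with no dependencies. Please confirm the select is safe with DEBUG_FS disabled, or add the dependency.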
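Review bot: the compression help in both columns states "This is fully compatible with signed modules", while the `MODULE_SIG` help warns that a module must not be stripped after being signed. The compression text never says in which order signing and compression run during 'make modules_install'. State that order in the help so that packagers who compress or recompress modules by hand do not invalidate the appended signature.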
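Review bot: in `MODULE_DECOMPRESS`, the right-hand column has an empty line directly after `help` (its line 229) that the left-hand column does not; drop it. In both columns the only justification given is "Useful when load pinning security policy is enabled", which names no config symbol and does not say what changes for that policy when the kernel rather than userspace decompresses the module. The `MODULE_SIG` help names `CONFIG_SECURITY_LOCKDOWN_LSM` explicitly; do the same here for the load pinning option and add one sentence on the effect.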