1 # SPDX-License-Identifier: GPL-2.0-only 1 # SPDX-License-Identifier: GPL-2.0-only 2 menuconfig MODULES 2 menuconfig MODULES 3 bool "Enable loadable module support" 3 bool "Enable loadable module support" 4 modules 4 modules 5 select EXECMEM << 6 help 5 help 7 Kernel modules are small pieces of c 6 Kernel modules are small pieces of compiled code which can 8 be inserted in the running kernel, r 7 be inserted in the running kernel, rather than being 9 permanently built into the kernel. 8 permanently built into the kernel. You use the "modprobe" 10 tool to add (and sometimes remove) t 9 tool to add (and sometimes remove) them. If you say Y here, 11 many parts of the kernel can be buil 10 many parts of the kernel can be built as modules (by 12 answering M instead of Y where indic 11 answering M instead of Y where indicated): this is most 13 useful for infrequently used options 12 useful for infrequently used options which are not required 14 for booting. For more information, 13 for booting. For more information, see the man pages for 15 modprobe, lsmod, modinfo, insmod and 14 modprobe, lsmod, modinfo, insmod and rmmod. 16 15 17 If you say Y here, you will need to 16 If you say Y here, you will need to run "make 18 modules_install" to put the modules 17 modules_install" to put the modules under /lib/modules/ 19 where modprobe can find them (you ma 18 where modprobe can find them (you may need to be root to do 20 this). 19 this). 21 20 22 If unsure, say Y. 21 If unsure, say Y. 23 22 24 if MODULES 23 if MODULES 25 24 26 config MODULE_DEBUGFS 25 config MODULE_DEBUGFS 27 bool 26 bool 28 27 29 config MODULE_DEBUG 28 config MODULE_DEBUG 30 bool "Module debugging" 29 bool "Module debugging" 31 depends on DEBUG_FS 30 depends on DEBUG_FS 32 help 31 help 33 Allows you to enable / disable featu 32 Allows you to enable / disable features which can help you debug 34 modules. You don't need these option 33 modules. You don't need these options on production systems. 35 34 36 if MODULE_DEBUG 35 if MODULE_DEBUG 37 36 38 config MODULE_STATS 37 config MODULE_STATS 39 bool "Module statistics" 38 bool "Module statistics" 40 depends on DEBUG_FS 39 depends on DEBUG_FS 41 select MODULE_DEBUGFS 40 select MODULE_DEBUGFS 42 help 41 help 43 This option allows you to maintain a 42 This option allows you to maintain a record of module statistics. 44 For example, size of all modules, av 43 For example, size of all modules, average size, text size, a list 45 of failed modules and the size for e 44 of failed modules and the size for each of those. For failed 46 modules we keep track of modules whi 45 modules we keep track of modules which failed due to either the 47 existing module taking too long to l 46 existing module taking too long to load or that module was already 48 loaded. 47 loaded. 49 48 50 You should enable this if you are de 49 You should enable this if you are debugging production loads 51 and want to see if userspace or the 50 and want to see if userspace or the kernel is doing stupid things 52 with loading modules when it shouldn 51 with loading modules when it shouldn't or if you want to help 53 optimize userspace / kernel space mo 52 optimize userspace / kernel space module autoloading schemes. 54 You might want to do this because fa 53 You might want to do this because failed modules tend to use 55 up significant amount of memory, and 54 up significant amount of memory, and so you'd be doing everyone a 56 favor in avoiding these failures pro 55 favor in avoiding these failures proactively. 57 56 58 This functionality is also useful fo 57 This functionality is also useful for those experimenting with 59 module .text ELF section optimizatio 58 module .text ELF section optimization. 60 59 61 If unsure, say N. 60 If unsure, say N. 62 61 63 config MODULE_DEBUG_AUTOLOAD_DUPS 62 config MODULE_DEBUG_AUTOLOAD_DUPS 64 bool "Debug duplicate modules with aut 63 bool "Debug duplicate modules with auto-loading" 65 help 64 help 66 Module autoloading allows in-kernel 65 Module autoloading allows in-kernel code to request modules through 67 the *request_module*() API calls. Th 66 the *request_module*() API calls. This in turn just calls userspace 68 modprobe. Although modprobe checks t 67 modprobe. Although modprobe checks to see if a module is already 69 loaded before trying to load a modul 68 loaded before trying to load a module there is a small time window in 70 which multiple duplicate requests ca 69 which multiple duplicate requests can end up in userspace and multiple 71 modprobe calls race calling finit_mo 70 modprobe calls race calling finit_module() around the same time for 72 duplicate modules. The finit_module( 71 duplicate modules. The finit_module() system call can consume in the 73 worst case more than twice the respe 72 worst case more than twice the respective module size in virtual 74 memory for each duplicate module req 73 memory for each duplicate module requests. Although duplicate module 75 requests are non-fatal virtual memor 74 requests are non-fatal virtual memory is a limited resource and each 76 duplicate module request ends up jus 75 duplicate module request ends up just unnecessarily straining virtual 77 memory. 76 memory. 78 77 79 This debugging facility will create 78 This debugging facility will create pr_warn() splats for duplicate 80 module requests to help identify if 79 module requests to help identify if module auto-loading may be the 81 culprit to your early boot virtual m 80 culprit to your early boot virtual memory pressure. Since virtual 82 memory abuse caused by duplicate mod 81 memory abuse caused by duplicate module requests could render a 83 system unusable this functionality w 82 system unusable this functionality will also converge races in 84 requests for the same module to a si 83 requests for the same module to a single request. You can boot with 85 the module.enable_dups_trace=1 kerne 84 the module.enable_dups_trace=1 kernel parameter to use WARN_ON() 86 instead of the pr_warn(). 85 instead of the pr_warn(). 87 86 88 If the first module request used req 87 If the first module request used request_module_nowait() we cannot 89 use that as the anchor to wait for d 88 use that as the anchor to wait for duplicate module requests, since 90 users of request_module() do want a 89 users of request_module() do want a proper return value. If a call 91 for the same module happened earlier 90 for the same module happened earlier with request_module() though, 92 then a duplicate request_module_nowa 91 then a duplicate request_module_nowait() would be detected. The 93 non-wait request_module() call is sy 92 non-wait request_module() call is synchronous and waits until modprobe 94 completes. Subsequent auto-loading r 93 completes. Subsequent auto-loading requests for the same module do 95 not trigger a new finit_module() cal 94 not trigger a new finit_module() calls and do not strain virtual 96 memory, and so as soon as modprobe s 95 memory, and so as soon as modprobe successfully completes we remove 97 tracking for duplicates for that mod 96 tracking for duplicates for that module. 98 97 99 Enable this functionality to try to 98 Enable this functionality to try to debug virtual memory abuse during 100 boot on systems which are failing to 99 boot on systems which are failing to boot or if you suspect you may be 101 straining virtual memory during boot 100 straining virtual memory during boot, and you want to identify if the 102 abuse was due to module auto-loading 101 abuse was due to module auto-loading. These issues are currently only 103 known to occur on systems with many 102 known to occur on systems with many CPUs (over 400) and is likely the 104 result of udev issuing duplicate mod 103 result of udev issuing duplicate module requests for each CPU, and so 105 module auto-loading is not the culpr 104 module auto-loading is not the culprit. There may very well still be 106 many duplicate module auto-loading r 105 many duplicate module auto-loading requests which could be optimized 107 for and this debugging facility can 106 for and this debugging facility can be used to help identify them. 108 107 109 Only enable this for debugging syste 108 Only enable this for debugging system functionality, never have it 110 enabled on real systems. 109 enabled on real systems. 111 110 112 config MODULE_DEBUG_AUTOLOAD_DUPS_TRACE 111 config MODULE_DEBUG_AUTOLOAD_DUPS_TRACE 113 bool "Force full stack trace when dupl 112 bool "Force full stack trace when duplicates are found" 114 depends on MODULE_DEBUG_AUTOLOAD_DUPS 113 depends on MODULE_DEBUG_AUTOLOAD_DUPS 115 help 114 help 116 Enabling this will force a full stac 115 Enabling this will force a full stack trace for duplicate module 117 auto-loading requests using WARN_ON( 116 auto-loading requests using WARN_ON() instead of pr_warn(). You 118 should keep this disabled at all tim 117 should keep this disabled at all times unless you are a developer 119 and are doing a manual inspection an 118 and are doing a manual inspection and want to debug exactly why 120 these duplicates occur. 119 these duplicates occur. 121 120 122 endif # MODULE_DEBUG 121 endif # MODULE_DEBUG 123 122 124 config MODULE_FORCE_LOAD 123 config MODULE_FORCE_LOAD 125 bool "Forced module loading" 124 bool "Forced module loading" 126 default n 125 default n 127 help 126 help 128 Allow loading of modules without ver 127 Allow loading of modules without version information (ie. modprobe 129 --force). Forced module loading set 128 --force). Forced module loading sets the 'F' (forced) taint flag and 130 is usually a really bad idea. 129 is usually a really bad idea. 131 130 132 config MODULE_UNLOAD 131 config MODULE_UNLOAD 133 bool "Module unloading" 132 bool "Module unloading" 134 help 133 help 135 Without this option you will not be 134 Without this option you will not be able to unload any 136 modules (note that some modules may 135 modules (note that some modules may not be unloadable 137 anyway), which makes your kernel sma 136 anyway), which makes your kernel smaller, faster 138 and simpler. If unsure, say Y. 137 and simpler. If unsure, say Y. 139 138 140 config MODULE_FORCE_UNLOAD 139 config MODULE_FORCE_UNLOAD 141 bool "Forced module unloading" 140 bool "Forced module unloading" 142 depends on MODULE_UNLOAD 141 depends on MODULE_UNLOAD 143 help 142 help 144 This option allows you to force a mo 143 This option allows you to force a module to unload, even if the 145 kernel believes it is unsafe: the ke 144 kernel believes it is unsafe: the kernel will remove the module 146 without waiting for anyone to stop u 145 without waiting for anyone to stop using it (using the -f option to 147 rmmod). This is mainly for kernel d 146 rmmod). This is mainly for kernel developers and desperate users. 148 If unsure, say N. 147 If unsure, say N. 149 148 150 config MODULE_UNLOAD_TAINT_TRACKING 149 config MODULE_UNLOAD_TAINT_TRACKING 151 bool "Tainted module unload tracking" 150 bool "Tainted module unload tracking" 152 depends on MODULE_UNLOAD 151 depends on MODULE_UNLOAD 153 select MODULE_DEBUGFS 152 select MODULE_DEBUGFS 154 help 153 help 155 This option allows you to maintain a 154 This option allows you to maintain a record of each unloaded 156 module that tainted the kernel. In a 155 module that tainted the kernel. In addition to displaying a 157 list of linked (or loaded) modules e 156 list of linked (or loaded) modules e.g. on detection of a bad 158 page (see bad_page()), the aforement 157 page (see bad_page()), the aforementioned details are also 159 shown. If unsure, say N. 158 shown. If unsure, say N. 160 159 161 config MODVERSIONS 160 config MODVERSIONS 162 bool "Module versioning support" 161 bool "Module versioning support" 163 depends on !COMPILE_TEST << 164 help 162 help 165 Usually, you have to use modules com 163 Usually, you have to use modules compiled with your kernel. 166 Saying Y here makes it sometimes pos 164 Saying Y here makes it sometimes possible to use modules 167 compiled for different kernels, by a 165 compiled for different kernels, by adding enough information 168 to the modules to (hopefully) spot a 166 to the modules to (hopefully) spot any changes which would 169 make them incompatible with the kern 167 make them incompatible with the kernel you are running. If 170 unsure, say N. 168 unsure, say N. 171 169 172 config ASM_MODVERSIONS 170 config ASM_MODVERSIONS 173 bool 171 bool 174 default HAVE_ASM_MODVERSIONS && MODVER 172 default HAVE_ASM_MODVERSIONS && MODVERSIONS 175 help 173 help 176 This enables module versioning for e 174 This enables module versioning for exported symbols also from 177 assembly. This can be enabled only w 175 assembly. This can be enabled only when the target architecture 178 supports it. 176 supports it. 179 177 180 config MODULE_SRCVERSION_ALL 178 config MODULE_SRCVERSION_ALL 181 bool "Source checksum for all modules" 179 bool "Source checksum for all modules" 182 help 180 help 183 Modules which contain a MODULE_VERSI 181 Modules which contain a MODULE_VERSION get an extra "srcversion" 184 field inserted into their modinfo se 182 field inserted into their modinfo section, which contains a 185 sum of the source files which made i 183 sum of the source files which made it. This helps maintainers 186 see exactly which source was used to 184 see exactly which source was used to build a module (since 187 others sometimes change the module s 185 others sometimes change the module source without updating 188 the version). With this option, suc 186 the version). With this option, such a "srcversion" field 189 will be created for all modules. If 187 will be created for all modules. If unsure, say N. 190 188 191 config MODULE_SIG 189 config MODULE_SIG 192 bool "Module signature verification" 190 bool "Module signature verification" 193 select MODULE_SIG_FORMAT 191 select MODULE_SIG_FORMAT 194 help 192 help 195 Check modules for valid signatures u 193 Check modules for valid signatures upon load: the signature 196 is simply appended to the module. Fo 194 is simply appended to the module. For more information see 197 <file:Documentation/admin-guide/modu 195 <file:Documentation/admin-guide/module-signing.rst>. 198 196 199 Note that this option adds the OpenS 197 Note that this option adds the OpenSSL development packages as a 200 kernel build dependency so that the 198 kernel build dependency so that the signing tool can use its crypto 201 library. 199 library. 202 200 203 You should enable this option if you 201 You should enable this option if you wish to use either 204 CONFIG_SECURITY_LOCKDOWN_LSM or lock 202 CONFIG_SECURITY_LOCKDOWN_LSM or lockdown functionality imposed via 205 another LSM - otherwise unsigned mod 203 another LSM - otherwise unsigned modules will be loadable regardless 206 of the lockdown policy. 204 of the lockdown policy. 207 205 208 !!!WARNING!!! If you enable this op 206 !!!WARNING!!! If you enable this option, you MUST make sure that the 209 module DOES NOT get stripped after b 207 module DOES NOT get stripped after being signed. This includes the 210 debuginfo strip done by some package 208 debuginfo strip done by some packagers (such as rpmbuild) and 211 inclusion into an initramfs that wan 209 inclusion into an initramfs that wants the module size reduced. 212 210 213 config MODULE_SIG_FORCE 211 config MODULE_SIG_FORCE 214 bool "Require modules to be validly si 212 bool "Require modules to be validly signed" 215 depends on MODULE_SIG 213 depends on MODULE_SIG 216 help 214 help 217 Reject unsigned modules or signed mo 215 Reject unsigned modules or signed modules for which we don't have a 218 key. Without this, such modules wil 216 key. Without this, such modules will simply taint the kernel. 219 217 220 config MODULE_SIG_ALL 218 config MODULE_SIG_ALL 221 bool "Automatically sign all modules" 219 bool "Automatically sign all modules" 222 default y 220 default y 223 depends on MODULE_SIG || IMA_APPRAISE_ 221 depends on MODULE_SIG || IMA_APPRAISE_MODSIG 224 help 222 help 225 Sign all modules during make modules 223 Sign all modules during make modules_install. Without this option, 226 modules must be signed manually, usi 224 modules must be signed manually, using the scripts/sign-file tool. 227 225 228 comment "Do not forget to sign required module 226 comment "Do not forget to sign required modules with scripts/sign-file" 229 depends on MODULE_SIG_FORCE && !MODULE 227 depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL 230 228 231 choice 229 choice 232 prompt "Hash algorithm to sign modules !! 230 prompt "Which hash algorithm should modules be signed with?" 233 depends on MODULE_SIG || IMA_APPRAISE_ 231 depends on MODULE_SIG || IMA_APPRAISE_MODSIG 234 help 232 help 235 This determines which sort of hashin 233 This determines which sort of hashing algorithm will be used during 236 signature generation. This algorith 234 signature generation. This algorithm _must_ be built into the kernel 237 directly so that signature verificat 235 directly so that signature verification can take place. It is not 238 possible to load a signed module con 236 possible to load a signed module containing the algorithm to check 239 the signature on that module. 237 the signature on that module. 240 238 241 config MODULE_SIG_SHA1 239 config MODULE_SIG_SHA1 242 bool "SHA-1" !! 240 bool "Sign modules with SHA-1" 243 select CRYPTO_SHA1 241 select CRYPTO_SHA1 244 242 245 config MODULE_SIG_SHA256 243 config MODULE_SIG_SHA256 246 bool "SHA-256" !! 244 bool "Sign modules with SHA-256" 247 select CRYPTO_SHA256 245 select CRYPTO_SHA256 248 246 249 config MODULE_SIG_SHA384 247 config MODULE_SIG_SHA384 250 bool "SHA-384" !! 248 bool "Sign modules with SHA-384" 251 select CRYPTO_SHA512 249 select CRYPTO_SHA512 252 250 253 config MODULE_SIG_SHA512 251 config MODULE_SIG_SHA512 254 bool "SHA-512" !! 252 bool "Sign modules with SHA-512" 255 select CRYPTO_SHA512 253 select CRYPTO_SHA512 256 254 257 config MODULE_SIG_SHA3_256 255 config MODULE_SIG_SHA3_256 258 bool "SHA3-256" !! 256 bool "Sign modules with SHA3-256" 259 select CRYPTO_SHA3 257 select CRYPTO_SHA3 260 258 261 config MODULE_SIG_SHA3_384 259 config MODULE_SIG_SHA3_384 262 bool "SHA3-384" !! 260 bool "Sign modules with SHA3-384" 263 select CRYPTO_SHA3 261 select CRYPTO_SHA3 264 262 265 config MODULE_SIG_SHA3_512 263 config MODULE_SIG_SHA3_512 266 bool "SHA3-512" !! 264 bool "Sign modules with SHA3-512" 267 select CRYPTO_SHA3 265 select CRYPTO_SHA3 268 266 269 endchoice 267 endchoice 270 268 271 config MODULE_SIG_HASH 269 config MODULE_SIG_HASH 272 string 270 string 273 depends on MODULE_SIG || IMA_APPRAISE_ 271 depends on MODULE_SIG || IMA_APPRAISE_MODSIG 274 default "sha1" if MODULE_SIG_SHA1 272 default "sha1" if MODULE_SIG_SHA1 275 default "sha256" if MODULE_SIG_SHA256 273 default "sha256" if MODULE_SIG_SHA256 276 default "sha384" if MODULE_SIG_SHA384 274 default "sha384" if MODULE_SIG_SHA384 277 default "sha512" if MODULE_SIG_SHA512 275 default "sha512" if MODULE_SIG_SHA512 278 default "sha3-256" if MODULE_SIG_SHA3_ 276 default "sha3-256" if MODULE_SIG_SHA3_256 279 default "sha3-384" if MODULE_SIG_SHA3_ 277 default "sha3-384" if MODULE_SIG_SHA3_384 280 default "sha3-512" if MODULE_SIG_SHA3_ 278 default "sha3-512" if MODULE_SIG_SHA3_512 281 279 282 config MODULE_COMPRESS !! 280 choice 283 bool "Module compression" !! 281 prompt "Module compression mode" 284 help 282 help 285 Enable module compression to reduce !! 283 This option allows you to choose the algorithm which will be used to >> 284 compress modules when 'make modules_install' is run. (or, you can >> 285 choose to not compress modules at all.) >> 286 >> 287 External modules will also be compressed in the same way during the >> 288 installation. >> 289 >> 290 For modules inside an initrd or initramfs, it's more efficient to >> 291 compress the whole initrd or initramfs instead. >> 292 286 This is fully compatible with signed 293 This is fully compatible with signed modules. 287 294 288 The tool used to work with modules n !! 295 Please note that the tool used to load modules needs to support the 289 compression type. kmod MAY support g !! 296 corresponding algorithm. module-init-tools MAY support gzip, and kmod 290 might have a limited selection of th !! 297 MAY support gzip, xz and zstd. 291 298 292 Note that for modules inside an init !! 299 Your build system needs to provide the appropriate compression tool 293 efficient to compress the whole ramd !! 300 to compress the modules. 294 301 295 If unsure, say N. !! 302 If in doubt, select 'None'. 296 303 297 choice !! 304 config MODULE_COMPRESS_NONE 298 prompt "Module compression type" !! 305 bool "None" 299 depends on MODULE_COMPRESS << 300 help 306 help 301 Choose the supported algorithm for m !! 307 Do not compress modules. The installed modules are suffixed >> 308 with .ko. 302 309 303 config MODULE_COMPRESS_GZIP 310 config MODULE_COMPRESS_GZIP 304 bool "GZIP" 311 bool "GZIP" 305 help 312 help 306 Support modules compressed with GZIP !! 313 Compress modules with GZIP. The installed modules are suffixed 307 suffixed with .ko.gz. !! 314 with .ko.gz. 308 315 309 config MODULE_COMPRESS_XZ 316 config MODULE_COMPRESS_XZ 310 bool "XZ" 317 bool "XZ" 311 help 318 help 312 Support modules compressed with XZ. !! 319 Compress modules with XZ. The installed modules are suffixed 313 suffixed with .ko.xz. !! 320 with .ko.xz. 314 321 315 config MODULE_COMPRESS_ZSTD 322 config MODULE_COMPRESS_ZSTD 316 bool "ZSTD" 323 bool "ZSTD" 317 help 324 help 318 Support modules compressed with ZSTD !! 325 Compress modules with ZSTD. The installed modules are suffixed 319 suffixed with .ko.zst. !! 326 with .ko.zst. 320 327 321 endchoice 328 endchoice 322 329 323 config MODULE_COMPRESS_ALL << 324 bool "Automatically compress all modul << 325 default y << 326 depends on MODULE_COMPRESS << 327 help << 328 Compress all modules during 'make mo << 329 << 330 Your build system needs to provide t << 331 for the selected compression type. E << 332 compressed in the same way during th << 333 << 334 config MODULE_DECOMPRESS 330 config MODULE_DECOMPRESS 335 bool "Support in-kernel module decompr 331 bool "Support in-kernel module decompression" 336 depends on MODULE_COMPRESS !! 332 depends on MODULE_COMPRESS_GZIP || MODULE_COMPRESS_XZ || MODULE_COMPRESS_ZSTD 337 select ZLIB_INFLATE if MODULE_COMPRESS 333 select ZLIB_INFLATE if MODULE_COMPRESS_GZIP 338 select XZ_DEC if MODULE_COMPRESS_XZ 334 select XZ_DEC if MODULE_COMPRESS_XZ 339 select ZSTD_DECOMPRESS if MODULE_COMPR 335 select ZSTD_DECOMPRESS if MODULE_COMPRESS_ZSTD 340 help 336 help >> 337 341 Support for decompressing kernel mod 338 Support for decompressing kernel modules by the kernel itself 342 instead of relying on userspace to p 339 instead of relying on userspace to perform this task. Useful when 343 load pinning security policy is enab 340 load pinning security policy is enabled. 344 341 345 If unsure, say N. 342 If unsure, say N. 346 343 347 config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS 344 config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS 348 bool "Allow loading of modules with mi 345 bool "Allow loading of modules with missing namespace imports" 349 help 346 help 350 Symbols exported with EXPORT_SYMBOL_ 347 Symbols exported with EXPORT_SYMBOL_NS*() are considered exported in 351 a namespace. A module that makes use 348 a namespace. A module that makes use of a symbol exported with such a 352 namespace is required to import the 349 namespace is required to import the namespace via MODULE_IMPORT_NS(). 353 There is no technical reason to enfo 350 There is no technical reason to enforce correct namespace imports, 354 but it creates consistency between s 351 but it creates consistency between symbols defining namespaces and 355 users importing namespaces they make 352 users importing namespaces they make use of. This option relaxes this 356 requirement and lifts the enforcemen 353 requirement and lifts the enforcement when loading a module. 357 354 358 If unsure, say N. 355 If unsure, say N. 359 356 360 config MODPROBE_PATH 357 config MODPROBE_PATH 361 string "Path to modprobe binary" 358 string "Path to modprobe binary" 362 default "/sbin/modprobe" 359 default "/sbin/modprobe" 363 help 360 help 364 When kernel code requests a module, 361 When kernel code requests a module, it does so by calling 365 the "modprobe" userspace utility. Th 362 the "modprobe" userspace utility. This option allows you to 366 set the path where that binary is fo 363 set the path where that binary is found. This can be changed 367 at runtime via the sysctl file 364 at runtime via the sysctl file 368 /proc/sys/kernel/modprobe. Setting t 365 /proc/sys/kernel/modprobe. Setting this to the empty string 369 removes the kernel's ability to requ 366 removes the kernel's ability to request modules (but 370 userspace can still load modules exp 367 userspace can still load modules explicitly). 371 368 372 config TRIM_UNUSED_KSYMS 369 config TRIM_UNUSED_KSYMS 373 bool "Trim unused exported kernel symb 370 bool "Trim unused exported kernel symbols" 374 help 371 help 375 The kernel and some modules make man 372 The kernel and some modules make many symbols available for 376 other modules to use via EXPORT_SYMB 373 other modules to use via EXPORT_SYMBOL() and variants. Depending 377 on the set of modules being selected 374 on the set of modules being selected in your kernel configuration, 378 many of those exported symbols might 375 many of those exported symbols might never be used. 379 376 380 This option allows for unused export 377 This option allows for unused exported symbols to be dropped from 381 the build. In turn, this provides th 378 the build. In turn, this provides the compiler more opportunities 382 (especially when using LTO) for opti 379 (especially when using LTO) for optimizing the code and reducing 383 binary size. This might have some s 380 binary size. This might have some security advantages as well. 384 381 385 If unsure, or if you need to build o 382 If unsure, or if you need to build out-of-tree modules, say N. 386 383 387 config UNUSED_KSYMS_WHITELIST 384 config UNUSED_KSYMS_WHITELIST 388 string "Whitelist of symbols to keep i 385 string "Whitelist of symbols to keep in ksymtab" 389 depends on TRIM_UNUSED_KSYMS 386 depends on TRIM_UNUSED_KSYMS 390 help 387 help 391 By default, all unused exported symb 388 By default, all unused exported symbols will be un-exported from the 392 build when TRIM_UNUSED_KSYMS is sele 389 build when TRIM_UNUSED_KSYMS is selected. 393 390 394 UNUSED_KSYMS_WHITELIST allows to whi 391 UNUSED_KSYMS_WHITELIST allows to whitelist symbols that must be kept 395 exported at all times, even in absen 392 exported at all times, even in absence of in-tree users. The value to 396 set here is the path to a text file 393 set here is the path to a text file containing the list of symbols, 397 one per line. The path can be absolu 394 one per line. The path can be absolute, or relative to the kernel 398 source or obj tree. !! 395 source tree. 399 396 400 config MODULES_TREE_LOOKUP 397 config MODULES_TREE_LOOKUP 401 def_bool y 398 def_bool y 402 depends on PERF_EVENTS || TRACING || C 399 depends on PERF_EVENTS || TRACING || CFI_CLANG 403 400 404 endif # MODULES 401 endif # MODULES
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.