1 # SPDX-License-Identifier: GPL-2.0-only 1 # SPDX-License-Identifier: GPL-2.0-only
2 menuconfig MODULES 2 menuconfig MODULES
3 bool "Enable loadable module support" 3 bool "Enable loadable module support"
4 modules 4 modules
5 select EXECMEM 5 select EXECMEM
6 help 6 help
7 Kernel modules are small pieces of c 7 Kernel modules are small pieces of compiled code which can
8 be inserted in the running kernel, r 8 be inserted in the running kernel, rather than being
9 permanently built into the kernel. 9 permanently built into the kernel. You use the "modprobe"
10 tool to add (and sometimes remove) t 10 tool to add (and sometimes remove) them. If you say Y here,
11 many parts of the kernel can be buil 11 many parts of the kernel can be built as modules (by
12 answering M instead of Y where indic 12 answering M instead of Y where indicated): this is most
13 useful for infrequently used options 13 useful for infrequently used options which are not required
14 for booting. For more information, 14 for booting. For more information, see the man pages for
15 modprobe, lsmod, modinfo, insmod and 15 modprobe, lsmod, modinfo, insmod and rmmod.
16 16
17 If you say Y here, you will need to 17 If you say Y here, you will need to run "make
18 modules_install" to put the modules 18 modules_install" to put the modules under /lib/modules/
19 where modprobe can find them (you ma 19 where modprobe can find them (you may need to be root to do
20 this). 20 this).
21 21
22 If unsure, say Y. 22 If unsure, say Y.
23 23
24 if MODULES 24 if MODULES
25 25
26 config MODULE_DEBUGFS 26 config MODULE_DEBUGFS
27 bool 27 bool
28 28
29 config MODULE_DEBUG 29 config MODULE_DEBUG
30 bool "Module debugging" 30 bool "Module debugging"
31 depends on DEBUG_FS 31 depends on DEBUG_FS
32 help 32 help
33 Allows you to enable / disable featu 33 Allows you to enable / disable features which can help you debug
34 modules. You don't need these option 34 modules. You don't need these options on production systems.
35 35
36 if MODULE_DEBUG 36 if MODULE_DEBUG
37 37
38 config MODULE_STATS 38 config MODULE_STATS
39 bool "Module statistics" 39 bool "Module statistics"
40 depends on DEBUG_FS 40 depends on DEBUG_FS
41 select MODULE_DEBUGFS 41 select MODULE_DEBUGFS
42 help 42 help
43 This option allows you to maintain a 43 This option allows you to maintain a record of module statistics.
44 For example, size of all modules, av 44 For example, size of all modules, average size, text size, a list
45 of failed modules and the size for e 45 of failed modules and the size for each of those. For failed
46 modules we keep track of modules whi 46 modules we keep track of modules which failed due to either the
47 existing module taking too long to l 47 existing module taking too long to load or that module was already
48 loaded. 48 loaded.
49 49
50 You should enable this if you are de 50 You should enable this if you are debugging production loads
51 and want to see if userspace or the 51 and want to see if userspace or the kernel is doing stupid things
52 with loading modules when it shouldn 52 with loading modules when it shouldn't or if you want to help
53 optimize userspace / kernel space mo 53 optimize userspace / kernel space module autoloading schemes.
54 You might want to do this because fa 54 You might want to do this because failed modules tend to use
55 up significant amount of memory, and 55 up significant amount of memory, and so you'd be doing everyone a
56 favor in avoiding these failures pro 56 favor in avoiding these failures proactively.
57 57
58 This functionality is also useful fo 58 This functionality is also useful for those experimenting with
59 module .text ELF section optimizatio 59 module .text ELF section optimization.
60 60
61 If unsure, say N. 61 If unsure, say N.
62 62
63 config MODULE_DEBUG_AUTOLOAD_DUPS 63 config MODULE_DEBUG_AUTOLOAD_DUPS
64 bool "Debug duplicate modules with aut 64 bool "Debug duplicate modules with auto-loading"
65 help 65 help
66 Module autoloading allows in-kernel 66 Module autoloading allows in-kernel code to request modules through
67 the *request_module*() API calls. Th 67 the *request_module*() API calls. This in turn just calls userspace
68 modprobe. Although modprobe checks t 68 modprobe. Although modprobe checks to see if a module is already
69 loaded before trying to load a modul 69 loaded before trying to load a module there is a small time window in
70 which multiple duplicate requests ca 70 which multiple duplicate requests can end up in userspace and multiple
71 modprobe calls race calling finit_mo 71 modprobe calls race calling finit_module() around the same time for
72 duplicate modules. The finit_module( 72 duplicate modules. The finit_module() system call can consume in the
73 worst case more than twice the respe 73 worst case more than twice the respective module size in virtual
74 memory for each duplicate module req 74 memory for each duplicate module requests. Although duplicate module
75 requests are non-fatal virtual memor 75 requests are non-fatal virtual memory is a limited resource and each
76 duplicate module request ends up jus 76 duplicate module request ends up just unnecessarily straining virtual
77 memory. 77 memory.
78 78
79 This debugging facility will create 79 This debugging facility will create pr_warn() splats for duplicate
80 module requests to help identify if 80 module requests to help identify if module auto-loading may be the
81 culprit to your early boot virtual m 81 culprit to your early boot virtual memory pressure. Since virtual
82 memory abuse caused by duplicate mod 82 memory abuse caused by duplicate module requests could render a
83 system unusable this functionality w 83 system unusable this functionality will also converge races in
84 requests for the same module to a si 84 requests for the same module to a single request. You can boot with
85 the module.enable_dups_trace=1 kerne 85 the module.enable_dups_trace=1 kernel parameter to use WARN_ON()
86 instead of the pr_warn(). 86 instead of the pr_warn().
87 87
88 If the first module request used req 88 If the first module request used request_module_nowait() we cannot
89 use that as the anchor to wait for d 89 use that as the anchor to wait for duplicate module requests, since
90 users of request_module() do want a 90 users of request_module() do want a proper return value. If a call
91 for the same module happened earlier 91 for the same module happened earlier with request_module() though,
92 then a duplicate request_module_nowa 92 then a duplicate request_module_nowait() would be detected. The
93 non-wait request_module() call is sy 93 non-wait request_module() call is synchronous and waits until modprobe
94 completes. Subsequent auto-loading r 94 completes. Subsequent auto-loading requests for the same module do
95 not trigger a new finit_module() cal 95 not trigger a new finit_module() calls and do not strain virtual
96 memory, and so as soon as modprobe s 96 memory, and so as soon as modprobe successfully completes we remove
97 tracking for duplicates for that mod 97 tracking for duplicates for that module.
98 98
99 Enable this functionality to try to 99 Enable this functionality to try to debug virtual memory abuse during
100 boot on systems which are failing to 100 boot on systems which are failing to boot or if you suspect you may be
101 straining virtual memory during boot 101 straining virtual memory during boot, and you want to identify if the
102 abuse was due to module auto-loading 102 abuse was due to module auto-loading. These issues are currently only
103 known to occur on systems with many 103 known to occur on systems with many CPUs (over 400) and is likely the
104 result of udev issuing duplicate mod 104 result of udev issuing duplicate module requests for each CPU, and so
105 module auto-loading is not the culpr 105 module auto-loading is not the culprit. There may very well still be
106 many duplicate module auto-loading r 106 many duplicate module auto-loading requests which could be optimized
107 for and this debugging facility can 107 for and this debugging facility can be used to help identify them.
108 108
109 Only enable this for debugging syste 109 Only enable this for debugging system functionality, never have it
110 enabled on real systems. 110 enabled on real systems.
111 111
112 config MODULE_DEBUG_AUTOLOAD_DUPS_TRACE 112 config MODULE_DEBUG_AUTOLOAD_DUPS_TRACE
113 bool "Force full stack trace when dupl 113 bool "Force full stack trace when duplicates are found"
114 depends on MODULE_DEBUG_AUTOLOAD_DUPS 114 depends on MODULE_DEBUG_AUTOLOAD_DUPS
115 help 115 help
116 Enabling this will force a full stac 116 Enabling this will force a full stack trace for duplicate module
117 auto-loading requests using WARN_ON( 117 auto-loading requests using WARN_ON() instead of pr_warn(). You
118 should keep this disabled at all tim 118 should keep this disabled at all times unless you are a developer
119 and are doing a manual inspection an 119 and are doing a manual inspection and want to debug exactly why
120 these duplicates occur. 120 these duplicates occur.
121 121
122 endif # MODULE_DEBUG 122 endif # MODULE_DEBUG
123 123
124 config MODULE_FORCE_LOAD 124 config MODULE_FORCE_LOAD
125 bool "Forced module loading" 125 bool "Forced module loading"
126 default n 126 default n
127 help 127 help
128 Allow loading of modules without ver 128 Allow loading of modules without version information (ie. modprobe
129 --force). Forced module loading set 129 --force). Forced module loading sets the 'F' (forced) taint flag and
130 is usually a really bad idea. 130 is usually a really bad idea.
131 131
132 config MODULE_UNLOAD 132 config MODULE_UNLOAD
133 bool "Module unloading" 133 bool "Module unloading"
134 help 134 help
135 Without this option you will not be 135 Without this option you will not be able to unload any
136 modules (note that some modules may 136 modules (note that some modules may not be unloadable
137 anyway), which makes your kernel sma 137 anyway), which makes your kernel smaller, faster
138 and simpler. If unsure, say Y. 138 and simpler. If unsure, say Y.
139 139
140 config MODULE_FORCE_UNLOAD 140 config MODULE_FORCE_UNLOAD
141 bool "Forced module unloading" 141 bool "Forced module unloading"
142 depends on MODULE_UNLOAD 142 depends on MODULE_UNLOAD
143 help 143 help
144 This option allows you to force a mo 144 This option allows you to force a module to unload, even if the
145 kernel believes it is unsafe: the ke 145 kernel believes it is unsafe: the kernel will remove the module
146 without waiting for anyone to stop u 146 without waiting for anyone to stop using it (using the -f option to
147 rmmod). This is mainly for kernel d 147 rmmod). This is mainly for kernel developers and desperate users.
148 If unsure, say N. 148 If unsure, say N.
149 149
150 config MODULE_UNLOAD_TAINT_TRACKING 150 config MODULE_UNLOAD_TAINT_TRACKING
151 bool "Tainted module unload tracking" 151 bool "Tainted module unload tracking"
152 depends on MODULE_UNLOAD 152 depends on MODULE_UNLOAD
153 select MODULE_DEBUGFS 153 select MODULE_DEBUGFS
154 help 154 help
155 This option allows you to maintain a 155 This option allows you to maintain a record of each unloaded
156 module that tainted the kernel. In a 156 module that tainted the kernel. In addition to displaying a
157 list of linked (or loaded) modules e 157 list of linked (or loaded) modules e.g. on detection of a bad
158 page (see bad_page()), the aforement 158 page (see bad_page()), the aforementioned details are also
159 shown. If unsure, say N. 159 shown. If unsure, say N.
160 160
161 config MODVERSIONS 161 config MODVERSIONS
162 bool "Module versioning support" 162 bool "Module versioning support"
163 depends on !COMPILE_TEST <<
164 help 163 help
165 Usually, you have to use modules com 164 Usually, you have to use modules compiled with your kernel.
166 Saying Y here makes it sometimes pos 165 Saying Y here makes it sometimes possible to use modules
167 compiled for different kernels, by a 166 compiled for different kernels, by adding enough information
168 to the modules to (hopefully) spot a 167 to the modules to (hopefully) spot any changes which would
169 make them incompatible with the kern 168 make them incompatible with the kernel you are running. If
170 unsure, say N. 169 unsure, say N.
171 170
172 config ASM_MODVERSIONS 171 config ASM_MODVERSIONS
173 bool 172 bool
174 default HAVE_ASM_MODVERSIONS && MODVER 173 default HAVE_ASM_MODVERSIONS && MODVERSIONS
175 help 174 help
176 This enables module versioning for e 175 This enables module versioning for exported symbols also from
177 assembly. This can be enabled only w 176 assembly. This can be enabled only when the target architecture
178 supports it. 177 supports it.
179 178
180 config MODULE_SRCVERSION_ALL 179 config MODULE_SRCVERSION_ALL
181 bool "Source checksum for all modules" 180 bool "Source checksum for all modules"
182 help 181 help
183 Modules which contain a MODULE_VERSI 182 Modules which contain a MODULE_VERSION get an extra "srcversion"
184 field inserted into their modinfo se 183 field inserted into their modinfo section, which contains a
185 sum of the source files which made i 184 sum of the source files which made it. This helps maintainers
186 see exactly which source was used to 185 see exactly which source was used to build a module (since
187 others sometimes change the module s 186 others sometimes change the module source without updating
188 the version). With this option, suc 187 the version). With this option, such a "srcversion" field
189 will be created for all modules. If 188 will be created for all modules. If unsure, say N.
190 189
191 config MODULE_SIG 190 config MODULE_SIG
192 bool "Module signature verification" 191 bool "Module signature verification"
193 select MODULE_SIG_FORMAT 192 select MODULE_SIG_FORMAT
194 help 193 help
195 Check modules for valid signatures u 194 Check modules for valid signatures upon load: the signature
196 is simply appended to the module. Fo 195 is simply appended to the module. For more information see
197 <file:Documentation/admin-guide/modu 196 <file:Documentation/admin-guide/module-signing.rst>.
198 197
199 Note that this option adds the OpenS 198 Note that this option adds the OpenSSL development packages as a
200 kernel build dependency so that the 199 kernel build dependency so that the signing tool can use its crypto
201 library. 200 library.
202 201
203 You should enable this option if you 202 You should enable this option if you wish to use either
204 CONFIG_SECURITY_LOCKDOWN_LSM or lock 203 CONFIG_SECURITY_LOCKDOWN_LSM or lockdown functionality imposed via
205 another LSM - otherwise unsigned mod 204 another LSM - otherwise unsigned modules will be loadable regardless
206 of the lockdown policy. 205 of the lockdown policy.
207 206
208 !!!WARNING!!! If you enable this op 207 !!!WARNING!!! If you enable this option, you MUST make sure that the
209 module DOES NOT get stripped after b 208 module DOES NOT get stripped after being signed. This includes the
210 debuginfo strip done by some package 209 debuginfo strip done by some packagers (such as rpmbuild) and
211 inclusion into an initramfs that wan 210 inclusion into an initramfs that wants the module size reduced.
212 211
213 config MODULE_SIG_FORCE 212 config MODULE_SIG_FORCE
214 bool "Require modules to be validly si 213 bool "Require modules to be validly signed"
215 depends on MODULE_SIG 214 depends on MODULE_SIG
216 help 215 help
217 Reject unsigned modules or signed mo 216 Reject unsigned modules or signed modules for which we don't have a
218 key. Without this, such modules wil 217 key. Without this, such modules will simply taint the kernel.
219 218
220 config MODULE_SIG_ALL 219 config MODULE_SIG_ALL
221 bool "Automatically sign all modules" 220 bool "Automatically sign all modules"
222 default y 221 default y
223 depends on MODULE_SIG || IMA_APPRAISE_ 222 depends on MODULE_SIG || IMA_APPRAISE_MODSIG
224 help 223 help
225 Sign all modules during make modules 224 Sign all modules during make modules_install. Without this option,
226 modules must be signed manually, usi 225 modules must be signed manually, using the scripts/sign-file tool.
227 226
228 comment "Do not forget to sign required module 227 comment "Do not forget to sign required modules with scripts/sign-file"
229 depends on MODULE_SIG_FORCE && !MODULE 228 depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
230 229
231 choice 230 choice
232 prompt "Hash algorithm to sign modules !! 231 prompt "Which hash algorithm should modules be signed with?"
233 depends on MODULE_SIG || IMA_APPRAISE_ 232 depends on MODULE_SIG || IMA_APPRAISE_MODSIG
234 help 233 help
235 This determines which sort of hashin 234 This determines which sort of hashing algorithm will be used during
236 signature generation. This algorith 235 signature generation. This algorithm _must_ be built into the kernel
237 directly so that signature verificat 236 directly so that signature verification can take place. It is not
238 possible to load a signed module con 237 possible to load a signed module containing the algorithm to check
239 the signature on that module. 238 the signature on that module.
240 239
241 config MODULE_SIG_SHA1 240 config MODULE_SIG_SHA1
242 bool "SHA-1" !! 241 bool "Sign modules with SHA-1"
243 select CRYPTO_SHA1 242 select CRYPTO_SHA1
244 243
245 config MODULE_SIG_SHA256 244 config MODULE_SIG_SHA256
246 bool "SHA-256" !! 245 bool "Sign modules with SHA-256"
247 select CRYPTO_SHA256 246 select CRYPTO_SHA256
248 247
249 config MODULE_SIG_SHA384 248 config MODULE_SIG_SHA384
250 bool "SHA-384" !! 249 bool "Sign modules with SHA-384"
251 select CRYPTO_SHA512 250 select CRYPTO_SHA512
252 251
253 config MODULE_SIG_SHA512 252 config MODULE_SIG_SHA512
254 bool "SHA-512" !! 253 bool "Sign modules with SHA-512"
255 select CRYPTO_SHA512 254 select CRYPTO_SHA512
256 255
257 config MODULE_SIG_SHA3_256 256 config MODULE_SIG_SHA3_256
258 bool "SHA3-256" !! 257 bool "Sign modules with SHA3-256"
259 select CRYPTO_SHA3 258 select CRYPTO_SHA3
260 259
261 config MODULE_SIG_SHA3_384 260 config MODULE_SIG_SHA3_384
262 bool "SHA3-384" !! 261 bool "Sign modules with SHA3-384"
263 select CRYPTO_SHA3 262 select CRYPTO_SHA3
264 263
265 config MODULE_SIG_SHA3_512 264 config MODULE_SIG_SHA3_512
266 bool "SHA3-512" !! 265 bool "Sign modules with SHA3-512"
267 select CRYPTO_SHA3 266 select CRYPTO_SHA3
268 267
269 endchoice 268 endchoice
270 269
271 config MODULE_SIG_HASH 270 config MODULE_SIG_HASH
272 string 271 string
273 depends on MODULE_SIG || IMA_APPRAISE_ 272 depends on MODULE_SIG || IMA_APPRAISE_MODSIG
274 default "sha1" if MODULE_SIG_SHA1 273 default "sha1" if MODULE_SIG_SHA1
275 default "sha256" if MODULE_SIG_SHA256 274 default "sha256" if MODULE_SIG_SHA256
276 default "sha384" if MODULE_SIG_SHA384 275 default "sha384" if MODULE_SIG_SHA384
277 default "sha512" if MODULE_SIG_SHA512 276 default "sha512" if MODULE_SIG_SHA512
278 default "sha3-256" if MODULE_SIG_SHA3_ 277 default "sha3-256" if MODULE_SIG_SHA3_256
279 default "sha3-384" if MODULE_SIG_SHA3_ 278 default "sha3-384" if MODULE_SIG_SHA3_384
280 default "sha3-512" if MODULE_SIG_SHA3_ 279 default "sha3-512" if MODULE_SIG_SHA3_512
281 280
282 config MODULE_COMPRESS !! 281 choice
283 bool "Module compression" !! 282 prompt "Module compression mode"
284 help 283 help
285 Enable module compression to reduce !! 284 This option allows you to choose the algorithm which will be used to
>> 285 compress modules when 'make modules_install' is run. (or, you can
>> 286 choose to not compress modules at all.)
>> 287
>> 288 External modules will also be compressed in the same way during the
>> 289 installation.
>> 290
>> 291 For modules inside an initrd or initramfs, it's more efficient to
>> 292 compress the whole initrd or initramfs instead.
>> 293
286 This is fully compatible with signed 294 This is fully compatible with signed modules.
287 295
288 The tool used to work with modules n !! 296 Please note that the tool used to load modules needs to support the
289 compression type. kmod MAY support g !! 297 corresponding algorithm. module-init-tools MAY support gzip, and kmod
290 might have a limited selection of th !! 298 MAY support gzip, xz and zstd.
291 299
292 Note that for modules inside an init !! 300 Your build system needs to provide the appropriate compression tool
293 efficient to compress the whole ramd !! 301 to compress the modules.
294 302
295 If unsure, say N. !! 303 If in doubt, select 'None'.
296 304
297 choice !! 305 config MODULE_COMPRESS_NONE
298 prompt "Module compression type" !! 306 bool "None"
299 depends on MODULE_COMPRESS <<
300 help 307 help
301 Choose the supported algorithm for m !! 308 Do not compress modules. The installed modules are suffixed
>> 309 with .ko.
302 310
303 config MODULE_COMPRESS_GZIP 311 config MODULE_COMPRESS_GZIP
304 bool "GZIP" 312 bool "GZIP"
305 help 313 help
306 Support modules compressed with GZIP !! 314 Compress modules with GZIP. The installed modules are suffixed
307 suffixed with .ko.gz. !! 315 with .ko.gz.
308 316
309 config MODULE_COMPRESS_XZ 317 config MODULE_COMPRESS_XZ
310 bool "XZ" 318 bool "XZ"
311 help 319 help
312 Support modules compressed with XZ. !! 320 Compress modules with XZ. The installed modules are suffixed
313 suffixed with .ko.xz. !! 321 with .ko.xz.
314 322
315 config MODULE_COMPRESS_ZSTD 323 config MODULE_COMPRESS_ZSTD
316 bool "ZSTD" 324 bool "ZSTD"
317 help 325 help
318 Support modules compressed with ZSTD !! 326 Compress modules with ZSTD. The installed modules are suffixed
319 suffixed with .ko.zst. !! 327 with .ko.zst.
320 328
321 endchoice 329 endchoice
322 330
323 config MODULE_COMPRESS_ALL <<
324 bool "Automatically compress all modul <<
325 default y <<
326 depends on MODULE_COMPRESS <<
327 help <<
328 Compress all modules during 'make mo <<
329 <<
330 Your build system needs to provide t <<
331 for the selected compression type. E <<
332 compressed in the same way during th <<
333 <<
334 config MODULE_DECOMPRESS 331 config MODULE_DECOMPRESS
335 bool "Support in-kernel module decompr 332 bool "Support in-kernel module decompression"
336 depends on MODULE_COMPRESS !! 333 depends on MODULE_COMPRESS_GZIP || MODULE_COMPRESS_XZ || MODULE_COMPRESS_ZSTD
337 select ZLIB_INFLATE if MODULE_COMPRESS 334 select ZLIB_INFLATE if MODULE_COMPRESS_GZIP
338 select XZ_DEC if MODULE_COMPRESS_XZ 335 select XZ_DEC if MODULE_COMPRESS_XZ
339 select ZSTD_DECOMPRESS if MODULE_COMPR 336 select ZSTD_DECOMPRESS if MODULE_COMPRESS_ZSTD
340 help 337 help
>> 338
341 Support for decompressing kernel mod 339 Support for decompressing kernel modules by the kernel itself
342 instead of relying on userspace to p 340 instead of relying on userspace to perform this task. Useful when
343 load pinning security policy is enab 341 load pinning security policy is enabled.
344 342
345 If unsure, say N. 343 If unsure, say N.
346 344
347 config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS 345 config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS
348 bool "Allow loading of modules with mi 346 bool "Allow loading of modules with missing namespace imports"
349 help 347 help
350 Symbols exported with EXPORT_SYMBOL_ 348 Symbols exported with EXPORT_SYMBOL_NS*() are considered exported in
351 a namespace. A module that makes use 349 a namespace. A module that makes use of a symbol exported with such a
352 namespace is required to import the 350 namespace is required to import the namespace via MODULE_IMPORT_NS().
353 There is no technical reason to enfo 351 There is no technical reason to enforce correct namespace imports,
354 but it creates consistency between s 352 but it creates consistency between symbols defining namespaces and
355 users importing namespaces they make 353 users importing namespaces they make use of. This option relaxes this
356 requirement and lifts the enforcemen 354 requirement and lifts the enforcement when loading a module.
357 355
358 If unsure, say N. 356 If unsure, say N.
359 357
360 config MODPROBE_PATH 358 config MODPROBE_PATH
361 string "Path to modprobe binary" 359 string "Path to modprobe binary"
362 default "/sbin/modprobe" 360 default "/sbin/modprobe"
363 help 361 help
364 When kernel code requests a module, 362 When kernel code requests a module, it does so by calling
365 the "modprobe" userspace utility. Th 363 the "modprobe" userspace utility. This option allows you to
366 set the path where that binary is fo 364 set the path where that binary is found. This can be changed
367 at runtime via the sysctl file 365 at runtime via the sysctl file
368 /proc/sys/kernel/modprobe. Setting t 366 /proc/sys/kernel/modprobe. Setting this to the empty string
369 removes the kernel's ability to requ 367 removes the kernel's ability to request modules (but
370 userspace can still load modules exp 368 userspace can still load modules explicitly).
371 369
372 config TRIM_UNUSED_KSYMS 370 config TRIM_UNUSED_KSYMS
373 bool "Trim unused exported kernel symb 371 bool "Trim unused exported kernel symbols"
374 help 372 help
375 The kernel and some modules make man 373 The kernel and some modules make many symbols available for
376 other modules to use via EXPORT_SYMB 374 other modules to use via EXPORT_SYMBOL() and variants. Depending
377 on the set of modules being selected 375 on the set of modules being selected in your kernel configuration,
378 many of those exported symbols might 376 many of those exported symbols might never be used.
379 377
380 This option allows for unused export 378 This option allows for unused exported symbols to be dropped from
381 the build. In turn, this provides th 379 the build. In turn, this provides the compiler more opportunities
382 (especially when using LTO) for opti 380 (especially when using LTO) for optimizing the code and reducing
383 binary size. This might have some s 381 binary size. This might have some security advantages as well.
384 382
385 If unsure, or if you need to build o 383 If unsure, or if you need to build out-of-tree modules, say N.
386 384
387 config UNUSED_KSYMS_WHITELIST 385 config UNUSED_KSYMS_WHITELIST
388 string "Whitelist of symbols to keep i 386 string "Whitelist of symbols to keep in ksymtab"
389 depends on TRIM_UNUSED_KSYMS 387 depends on TRIM_UNUSED_KSYMS
390 help 388 help
391 By default, all unused exported symb 389 By default, all unused exported symbols will be un-exported from the
392 build when TRIM_UNUSED_KSYMS is sele 390 build when TRIM_UNUSED_KSYMS is selected.
393 391
394 UNUSED_KSYMS_WHITELIST allows to whi 392 UNUSED_KSYMS_WHITELIST allows to whitelist symbols that must be kept
395 exported at all times, even in absen 393 exported at all times, even in absence of in-tree users. The value to
396 set here is the path to a text file 394 set here is the path to a text file containing the list of symbols,
397 one per line. The path can be absolu 395 one per line. The path can be absolute, or relative to the kernel
398 source or obj tree. 396 source or obj tree.
399 397
400 config MODULES_TREE_LOOKUP 398 config MODULES_TREE_LOOKUP
401 def_bool y 399 def_bool y
402 depends on PERF_EVENTS || TRACING || C 400 depends on PERF_EVENTS || TRACING || CFI_CLANG
403 401
404 endif # MODULES 402 endif # MODULES
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.