# SPDX-License-Identifier: GPL-2.0-only
menuconfig MODULES
	bool "Enable loadable module support"
	modules
	select EXECMEM
	help
	  Kernel modules are small pieces of c
	  be inserted in the running kernel, r
	  permanently built into the kernel.
	  tool to add (and sometimes remove) t
	  many parts of the kernel can be buil
	  answering M instead of Y where indic
	  useful for infrequently used options
	  for booting. For more information,
	  modprobe, lsmod, modinfo, insmod and

	  If you say Y here, you will need to
	  modules_install" to put the modules
	  where modprobe can find them (you ma
	  this).

	  If unsure, say Y.

if MODULES

config MODULE_DEBUGFS
	bool

config MODULE_DEBUG
	bool "Module debugging"
	depends on DEBUG_FS
	help
	  Allows you to enable / disable featu
	  modules. You don't need these option

if MODULE_DEBUG

config MODULE_STATS
	bool "Module statistics"
	depends on DEBUG_FS
	select MODULE_DEBUGFS
	help
	  This option allows you to maintain a
	  For example, size of all modules, av
	  of failed modules and the size for e
	  modules we keep track of modules whi
	  existing module taking too long to l
	  loaded.

	  You should enable this if you are de
	  and want to see if userspace or the
	  with loading modules when it shouldn
	  optimize userspace / kernel space mo
	  You might want to do this because fa
	  up significant amount of memory, and
	  favor in avoiding these failures pro

	  This functionality is also useful fo
	  module .text ELF section optimizatio

	  If unsure, say N.

config MODULE_DEBUG_AUTOLOAD_DUPS
	bool "Debug duplicate modules with aut
	help
	  Module autoloading allows in-kernel
	  the *request_module*() API calls. Th
	  modprobe. Although modprobe checks t
	  loaded before trying to load a modul
	  which multiple duplicate requests ca
	  modprobe calls race calling finit_mo
	  duplicate modules. The finit_module(
	  worst case more than twice the respe
	  memory for each duplicate module req
	  requests are non-fatal virtual memor
	  duplicate module request ends up jus
	  memory.

	  This debugging facility will create
	  module requests to help identify if
	  culprit to your early boot virtual m
	  memory abuse caused by duplicate mod
	  system unusable this functionality w
	  requests for the same module to a si
	  the module.enable_dups_trace=1 kerne
	  instead of the pr_warn().

	  If the first module request used req
	  use that as the anchor to wait for d
	  users of request_module() do want a
	  for the same module happened earlier
	  then a duplicate request_module_nowa
	  non-wait request_module() call is sy
	  completes. Subsequent auto-loading r
	  not trigger a new finit_module() cal
	  memory, and so as soon as modprobe s
	  tracking for duplicates for that mod

	  Enable this functionality to try to
	  boot on systems which are failing to
	  straining virtual memory during boot
	  abuse was due to module auto-loading
	  known to occur on systems with many
	  result of udev issuing duplicate mod
	  module auto-loading is not the culpr
	  many duplicate module auto-loading r
	  for and this debugging facility can

	  Only enable this for debugging syste
	  enabled on real systems.

config MODULE_DEBUG_AUTOLOAD_DUPS_TRACE
	bool "Force full stack trace when dupl
	depends on MODULE_DEBUG_AUTOLOAD_DUPS
	help
	  Enabling this will force a full stac
	  auto-loading requests using WARN_ON(
	  should keep this disabled at all tim
	  and are doing a manual inspection an
	  these duplicates occur.

endif # MODULE_DEBUG

config MODULE_FORCE_LOAD
	bool "Forced module loading"
	default n
	help
	  Allow loading of modules without ver
	  --force). Forced module loading set
	  is usually a really bad idea.

config MODULE_UNLOAD
	bool "Module unloading"
	help
	  Without this option you will not be
	  modules (note that some modules may
	  anyway), which makes your kernel sma
	  and simpler. If unsure, say Y.

config MODULE_FORCE_UNLOAD
	bool "Forced module unloading"
	depends on MODULE_UNLOAD
	help
	  This option allows you to force a mo
	  kernel believes it is unsafe: the ke
	  without waiting for anyone to stop u
	  rmmod). This is mainly for kernel d
	  If unsure, say N.

config MODULE_UNLOAD_TAINT_TRACKING
	bool "Tainted module unload tracking"
	depends on MODULE_UNLOAD
	select MODULE_DEBUGFS
	help
	  This option allows you to maintain a
	  module that tainted the kernel. In a
	  list of linked (or loaded) modules e
	  page (see bad_page()), the aforement
	  shown. If unsure, say N.

config MODVERSIONS
	bool "Module versioning support"
	depends on !COMPILE_TEST
	help
	  Usually, you have to use modules com
	  Saying Y here makes it sometimes pos
	  compiled for different kernels, by a
	  to the modules to (hopefully) spot a
	  make them incompatible with the kern
	  unsure, say N.

config ASM_MODVERSIONS
	bool
	default HAVE_ASM_MODVERSIONS && MODVER
	help
	  This enables module versioning for e
	  assembly. This can be enabled only w
	  supports it.

config MODULE_SRCVERSION_ALL
	bool "Source checksum for all modules"
	help
	  Modules which contain a MODULE_VERSI
	  field inserted into their modinfo se
	  sum of the source files which made i
	  see exactly which source was used to
	  others sometimes change the module s
	  the version). With this option, suc
	  will be created for all modules. If

config MODULE_SIG
	bool "Module signature verification"
	select MODULE_SIG_FORMAT
	help
	  Check modules for valid signatures u
	  is simply appended to the module. Fo
	  <file:Documentation/admin-guide/modu

	  Note that this option adds the OpenS
	  kernel build dependency so that the
	  library.

	  You should enable this option if you
	  CONFIG_SECURITY_LOCKDOWN_LSM or lock
	  another LSM - otherwise unsigned mod
	  of the lockdown policy.

	  !!!WARNING!!! If you enable this op
	  module DOES NOT get stripped after b
	  debuginfo strip done by some package
	  inclusion into an initramfs that wan

config MODULE_SIG_FORCE
	bool "Require modules to be validly si
	depends on MODULE_SIG
	help
	  Reject unsigned modules or signed mo
	  key. Without this, such modules wil

config MODULE_SIG_ALL
	bool "Automatically sign all modules"
	default y
	depends on MODULE_SIG || IMA_APPRAISE_
	help
	  Sign all modules during make modules
	  modules must be signed manually, usi

comment "Do not forget to sign required module
	depends on MODULE_SIG_FORCE && !MODULE

choice
	prompt "Hash algorithm to sign modules
	depends on MODULE_SIG || IMA_APPRAISE_
	help
	  This determines which sort of hashin
	  signature generation. This algorith
	  directly so that signature verificat
	  possible to load a signed module con
	  the signature on that module.

config MODULE_SIG_SHA1
	bool "SHA-1"
	select CRYPTO_SHA1

config MODULE_SIG_SHA256
	bool "SHA-256"
	select CRYPTO_SHA256

config MODULE_SIG_SHA384
	bool "SHA-384"
	select CRYPTO_SHA512

config MODULE_SIG_SHA512
	bool "SHA-512"
	select CRYPTO_SHA512

config MODULE_SIG_SHA3_256
	bool "SHA3-256"
	select CRYPTO_SHA3

config MODULE_SIG_SHA3_384
	bool "SHA3-384"
	select CRYPTO_SHA3

config MODULE_SIG_SHA3_512
	bool "SHA3-512"
	select CRYPTO_SHA3

endchoice

config MODULE_SIG_HASH
	string
	depends on MODULE_SIG || IMA_APPRAISE_
	default "sha1" if MODULE_SIG_SHA1
	default "sha256" if MODULE_SIG_SHA256
	default "sha384" if MODULE_SIG_SHA384
	default "sha512" if MODULE_SIG_SHA512
	default "sha3-256" if MODULE_SIG_SHA3_
	default "sha3-384" if MODULE_SIG_SHA3_
	default "sha3-512" if MODULE_SIG_SHA3_

config MODULE_COMPRESS
	bool "Module compression"
	help
	  Enable module compression to reduce
	  This is fully compatible with signed

	  The tool used to work with modules n
	  compression type. kmod MAY support g
	  might have a limited selection of th

	  Note that for modules inside an init
	  efficient to compress the whole ramd

	  If unsure, say N.

choice
	prompt "Module compression type"
	depends on MODULE_COMPRESS
	help
	  Choose the supported algorithm for m

config MODULE_COMPRESS_GZIP
	bool "GZIP"
	help
	  Support modules compressed with GZIP
	  suffixed with .ko.gz.

config MODULE_COMPRESS_XZ
	bool "XZ"
	help
	  Support modules compressed with XZ.
	  suffixed with .ko.xz.

config MODULE_COMPRESS_ZSTD
	bool "ZSTD"
	help
	  Support modules compressed with ZSTD
	  suffixed with .ko.zst.

endchoice

config MODULE_COMPRESS_ALL
	bool "Automatically compress all modul
	default y
	depends on MODULE_COMPRESS
	help
	  Compress all modules during 'make mo

	  Your build system needs to provide t
	  for the selected compression type. E
	  compressed in the same way during th

config MODULE_DECOMPRESS
	bool "Support in-kernel module decompr
	depends on MODULE_COMPRESS
	select ZLIB_INFLATE if MODULE_COMPRESS
	select XZ_DEC if MODULE_COMPRESS_XZ
	select ZSTD_DECOMPRESS if MODULE_COMPR
	help
	  Support for decompressing kernel mod
	  instead of relying on userspace to p
	  load pinning security policy is enab

	  If unsure, say N.

config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS
	bool "Allow loading of modules with mi
	help
	  Symbols exported with EXPORT_SYMBOL_
	  a namespace. A module that makes use
	  namespace is required to import the
	  There is no technical reason to enfo
	  but it creates consistency between s
	  users importing namespaces they make
	  requirement and lifts the enforcemen

	  If unsure, say N.

config MODPROBE_PATH
	string "Path to modprobe binary"
	default "/sbin/modprobe"
	help
	  When kernel code requests a module,
	  the "modprobe" userspace utility. Th
	  set the path where that binary is fo
	  at runtime via the sysctl file
	  /proc/sys/kernel/modprobe. Setting t
	  removes the kernel's ability to requ
	  userspace can still load modules exp

config TRIM_UNUSED_KSYMS
	bool "Trim unused exported kernel symb
	help
	  The kernel and some modules make man
	  other modules to use via EXPORT_SYMB
	  on the set of modules being selected
	  many of those exported symbols might

	  This option allows for unused export
	  the build. In turn, this provides th
	  (especially when using LTO) for opti
	  binary size. This might have some s

	  If unsure, or if you need to build o

config UNUSED_KSYMS_WHITELIST
	string "Whitelist of symbols to keep i
	depends on TRIM_UNUSED_KSYMS
	help
	  By default, all unused exported symb
	  build when TRIM_UNUSED_KSYMS is sele

	  UNUSED_KSYMS_WHITELIST allows to whi
	  exported at all times, even in absen
	  set here is the path to a text file
	  one per line. The path can be absolu
	  source or obj tree.

config MODULES_TREE_LOOKUP
	def_bool y
	depends on PERF_EVENTS || TRACING || C

endif # MODULES
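
An added example, not part of the kernel source: a Python check that reads a built kernel's .config and reports how the module-loading options defined above are set. The sample .config text is constructed, and treating SHA-1 signing and a disabled MODULE_SIG_FORCE as findings is this example's assumption about a hardening baseline.

```python
import re

# Constructed sample .config fragment (not taken from any real system).
SAMPLE_CONFIG = """\
CONFIG_MODULES=y
CONFIG_MODULE_FORCE_LOAD=y
# CONFIG_MODULE_FORCE_UNLOAD is not set
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA1=y
CONFIG_MODULE_SIG_HASH="sha1"
"""

def parse_config(text):
    """Map symbol -> value; '# CONFIG_X is not set' becomes 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r'CONFIG_(\w+)=(.*)', line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.fullmatch(r'# CONFIG_(\w+) is not set', line)
        if m:
            opts[m.group(1)] = 'n'
    return opts

def audit_modules(opts):
    """Return (symbol, finding) pairs for the module options in this Kconfig."""
    on = lambda sym: opts.get(sym, 'n') == 'y'
    if not on('MODULES'):
        return []  # no loadable module support, nothing to audit
    out = []
    if not on('MODULE_SIG'):
        out.append(('MODULE_SIG', 'module signatures are not checked'))
    else:
        if not on('MODULE_SIG_FORCE'):
            out.append(('MODULE_SIG_FORCE', 'signature check is not enforced by this build'))
        if opts.get('MODULE_SIG_HASH') == 'sha1':
            out.append(('MODULE_SIG_HASH', 'modules are signed with SHA-1'))
    if on('MODULE_FORCE_LOAD'):
        out.append(('MODULE_FORCE_LOAD', 'forced module loading is allowed'))
    if on('MODULE_FORCE_UNLOAD'):
        out.append(('MODULE_FORCE_UNLOAD', 'forced module unloading is allowed'))
    return out

if __name__ == '__main__':
    for sym, finding in audit_modules(parse_config(SAMPLE_CONFIG)):
        print(f'CONFIG_{sym}: {finding}')
```
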