~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/kernel/module/Kconfig

Version: ~ [ linux-6.11.5 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.58 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.114 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.169 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.228 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.284 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.322 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.9 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 # SPDX-License-Identifier: GPL-2.0-only
  2 menuconfig MODULES
  3         bool "Enable loadable module support"
  4         modules
  5         select EXECMEM
  6         help
  7           Kernel modules are small pieces of compiled code which can
  8           be inserted in the running kernel, rather than being
  9           permanently built into the kernel.  You use the "modprobe"
 10           tool to add (and sometimes remove) them.  If you say Y here,
 11           many parts of the kernel can be built as modules (by
 12           answering M instead of Y where indicated): this is most
 13           useful for infrequently used options which are not required
 14           for booting.  For more information, see the man pages for
 15           modprobe, lsmod, modinfo, insmod and rmmod.
 16 
 17           If you say Y here, you will need to run "make
 18           modules_install" to put the modules under /lib/modules/
 19           where modprobe can find them (you may need to be root to do
 20           this).
 21 
 22           If unsure, say Y.
 23 
 24 if MODULES
 25 
 26 config MODULE_DEBUGFS
 27         bool
 28 
 29 config MODULE_DEBUG
 30         bool "Module debugging"
 31         depends on DEBUG_FS
 32         help
 33           Allows you to enable / disable features which can help you debug
 34           modules. You don't need these options on production systems.
 35 
 36 if MODULE_DEBUG
 37 
 38 config MODULE_STATS
 39         bool "Module statistics"
 40         depends on DEBUG_FS
 41         select MODULE_DEBUGFS
 42         help
 43           This option allows you to maintain a record of module statistics.
 44           For example, size of all modules, average size, text size, a list
 45           of failed modules and the size for each of those. For failed
 46           modules we keep track of modules which failed due to either the
 47           existing module taking too long to load or that module was already
 48           loaded.
 49 
 50           You should enable this if you are debugging production loads
 51           and want to see if userspace or the kernel is doing stupid things
 52           with loading modules when it shouldn't or if you want to help
 53           optimize userspace / kernel space module autoloading schemes.
 54           You might want to do this because failed modules tend to use
 55           up significant amount of memory, and so you'd be doing everyone a
 56           favor in avoiding these failures proactively.
 57 
 58           This functionality is also useful for those experimenting with
 59           module .text ELF section optimization.
 60 
 61           If unsure, say N.
 62 
 63 config MODULE_DEBUG_AUTOLOAD_DUPS
 64         bool "Debug duplicate modules with auto-loading"
 65         help
 66           Module autoloading allows in-kernel code to request modules through
 67           the *request_module*() API calls. This in turn just calls userspace
 68           modprobe. Although modprobe checks to see if a module is already
 69           loaded before trying to load a module there is a small time window in
 70           which multiple duplicate requests can end up in userspace and multiple
 71           modprobe calls race calling finit_module() around the same time for
 72           duplicate modules. The finit_module() system call can consume in the
 73           worst case more than twice the respective module size in virtual
 74           memory for each duplicate module requests. Although duplicate module
 75           requests are non-fatal virtual memory is a limited resource and each
 76           duplicate module request ends up just unnecessarily straining virtual
 77           memory.
 78 
 79           This debugging facility will create pr_warn() splats for duplicate
 80           module requests to help identify if module auto-loading may be the
 81           culprit to your early boot virtual memory pressure. Since virtual
 82           memory abuse caused by duplicate module requests could render a
 83           system unusable this functionality will also converge races in
 84           requests for the same module to a single request. You can boot with
 85           the module.enable_dups_trace=1 kernel parameter to use WARN_ON()
 86           instead of the pr_warn().
 87 
 88           If the first module request used request_module_nowait() we cannot
 89           use that as the anchor to wait for duplicate module requests, since
 90           users of request_module() do want a proper return value. If a call
 91           for the same module happened earlier with request_module() though,
 92           then a duplicate request_module_nowait() would be detected. The
 93           non-wait request_module() call is synchronous and waits until modprobe
 94           completes. Subsequent auto-loading requests for the same module do
 95           not trigger a new finit_module() calls and do not strain virtual
 96           memory, and so as soon as modprobe successfully completes we remove
 97           tracking for duplicates for that module.
 98 
 99           Enable this functionality to try to debug virtual memory abuse during
100           boot on systems which are failing to boot or if you suspect you may be
101           straining virtual memory during boot, and you want to identify if the
102           abuse was due to module auto-loading. These issues are currently only
103           known to occur on systems with many CPUs (over 400) and is likely the
104           result of udev issuing duplicate module requests for each CPU, and so
105           module auto-loading is not the culprit. There may very well still be
106           many duplicate module auto-loading requests which could be optimized
107           for and this debugging facility can be used to help identify them.
108 
109           Only enable this for debugging system functionality, never have it
110           enabled on real systems.
111 
112 config MODULE_DEBUG_AUTOLOAD_DUPS_TRACE
113         bool "Force full stack trace when duplicates are found"
114         depends on MODULE_DEBUG_AUTOLOAD_DUPS
115         help
116           Enabling this will force a full stack trace for duplicate module
117           auto-loading requests using WARN_ON() instead of pr_warn(). You
118           should keep this disabled at all times unless you are a developer
119           and are doing a manual inspection and want to debug exactly why
120           these duplicates occur.
121 
122 endif # MODULE_DEBUG
123 
124 config MODULE_FORCE_LOAD
125         bool "Forced module loading"
126         default n
127         help
128           Allow loading of modules without version information (ie. modprobe
129           --force).  Forced module loading sets the 'F' (forced) taint flag and
130           is usually a really bad idea.
131 
132 config MODULE_UNLOAD
133         bool "Module unloading"
134         help
135           Without this option you will not be able to unload any
136           modules (note that some modules may not be unloadable
137           anyway), which makes your kernel smaller, faster
138           and simpler.  If unsure, say Y.
139 
140 config MODULE_FORCE_UNLOAD
141         bool "Forced module unloading"
142         depends on MODULE_UNLOAD
143         help
144           This option allows you to force a module to unload, even if the
145           kernel believes it is unsafe: the kernel will remove the module
146           without waiting for anyone to stop using it (using the -f option to
147           rmmod).  This is mainly for kernel developers and desperate users.
148           If unsure, say N.
149 
150 config MODULE_UNLOAD_TAINT_TRACKING
151         bool "Tainted module unload tracking"
152         depends on MODULE_UNLOAD
153         select MODULE_DEBUGFS
154         help
155           This option allows you to maintain a record of each unloaded
156           module that tainted the kernel. In addition to displaying a
157           list of linked (or loaded) modules e.g. on detection of a bad
158           page (see bad_page()), the aforementioned details are also
159           shown. If unsure, say N.
160 
161 config MODVERSIONS
162         bool "Module versioning support"
163         help
164           Usually, you have to use modules compiled with your kernel.
165           Saying Y here makes it sometimes possible to use modules
166           compiled for different kernels, by adding enough information
167           to the modules to (hopefully) spot any changes which would
168           make them incompatible with the kernel you are running.  If
169           unsure, say N.
170 
171 config ASM_MODVERSIONS
172         bool
173         default HAVE_ASM_MODVERSIONS && MODVERSIONS
174         help
175           This enables module versioning for exported symbols also from
176           assembly. This can be enabled only when the target architecture
177           supports it.
178 
179 config MODULE_SRCVERSION_ALL
180         bool "Source checksum for all modules"
181         help
182           Modules which contain a MODULE_VERSION get an extra "srcversion"
183           field inserted into their modinfo section, which contains a
184           sum of the source files which made it.  This helps maintainers
185           see exactly which source was used to build a module (since
186           others sometimes change the module source without updating
187           the version).  With this option, such a "srcversion" field
188           will be created for all modules.  If unsure, say N.
189 
190 config MODULE_SIG
191         bool "Module signature verification"
192         select MODULE_SIG_FORMAT
193         help
194           Check modules for valid signatures upon load: the signature
195           is simply appended to the module. For more information see
196           <file:Documentation/admin-guide/module-signing.rst>.
197 
198           Note that this option adds the OpenSSL development packages as a
199           kernel build dependency so that the signing tool can use its crypto
200           library.
201 
202           You should enable this option if you wish to use either
203           CONFIG_SECURITY_LOCKDOWN_LSM or lockdown functionality imposed via
204           another LSM - otherwise unsigned modules will be loadable regardless
205           of the lockdown policy.
206 
207           !!!WARNING!!!  If you enable this option, you MUST make sure that the
208           module DOES NOT get stripped after being signed.  This includes the
209           debuginfo strip done by some packagers (such as rpmbuild) and
210           inclusion into an initramfs that wants the module size reduced.
211 
212 config MODULE_SIG_FORCE
213         bool "Require modules to be validly signed"
214         depends on MODULE_SIG
215         help
216           Reject unsigned modules or signed modules for which we don't have a
217           key.  Without this, such modules will simply taint the kernel.
218 
219 config MODULE_SIG_ALL
220         bool "Automatically sign all modules"
221         default y
222         depends on MODULE_SIG || IMA_APPRAISE_MODSIG
223         help
224           Sign all modules during make modules_install. Without this option,
225           modules must be signed manually, using the scripts/sign-file tool.
226 
227 comment "Do not forget to sign required modules with scripts/sign-file"
228         depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
229 
230 choice
231         prompt "Which hash algorithm should modules be signed with?"
232         depends on MODULE_SIG || IMA_APPRAISE_MODSIG
233         help
234           This determines which sort of hashing algorithm will be used during
235           signature generation.  This algorithm _must_ be built into the kernel
236           directly so that signature verification can take place.  It is not
237           possible to load a signed module containing the algorithm to check
238           the signature on that module.
239 
240 config MODULE_SIG_SHA1
241         bool "Sign modules with SHA-1"
242         select CRYPTO_SHA1
243 
244 config MODULE_SIG_SHA256
245         bool "Sign modules with SHA-256"
246         select CRYPTO_SHA256
247 
248 config MODULE_SIG_SHA384
249         bool "Sign modules with SHA-384"
250         select CRYPTO_SHA512
251 
252 config MODULE_SIG_SHA512
253         bool "Sign modules with SHA-512"
254         select CRYPTO_SHA512
255 
256 config MODULE_SIG_SHA3_256
257         bool "Sign modules with SHA3-256"
258         select CRYPTO_SHA3
259 
260 config MODULE_SIG_SHA3_384
261         bool "Sign modules with SHA3-384"
262         select CRYPTO_SHA3
263 
264 config MODULE_SIG_SHA3_512
265         bool "Sign modules with SHA3-512"
266         select CRYPTO_SHA3
267 
268 endchoice
269 
270 config MODULE_SIG_HASH
271         string
272         depends on MODULE_SIG || IMA_APPRAISE_MODSIG
273         default "sha1" if MODULE_SIG_SHA1
274         default "sha256" if MODULE_SIG_SHA256
275         default "sha384" if MODULE_SIG_SHA384
276         default "sha512" if MODULE_SIG_SHA512
277         default "sha3-256" if MODULE_SIG_SHA3_256
278         default "sha3-384" if MODULE_SIG_SHA3_384
279         default "sha3-512" if MODULE_SIG_SHA3_512
280 
281 choice
282         prompt "Module compression mode"
283         help
284           This option allows you to choose the algorithm which will be used to
285           compress modules when 'make modules_install' is run. (or, you can
286           choose to not compress modules at all.)
287 
288           External modules will also be compressed in the same way during the
289           installation.
290 
291           For modules inside an initrd or initramfs, it's more efficient to
292           compress the whole initrd or initramfs instead.
293 
294           This is fully compatible with signed modules.
295 
296           Please note that the tool used to load modules needs to support the
297           corresponding algorithm. module-init-tools MAY support gzip, and kmod
298           MAY support gzip, xz and zstd.
299 
300           Your build system needs to provide the appropriate compression tool
301           to compress the modules.
302 
303           If in doubt, select 'None'.
304 
305 config MODULE_COMPRESS_NONE
306         bool "None"
307         help
308           Do not compress modules. The installed modules are suffixed
309           with .ko.
310 
311 config MODULE_COMPRESS_GZIP
312         bool "GZIP"
313         help
314           Compress modules with GZIP. The installed modules are suffixed
315           with .ko.gz.
316 
317 config MODULE_COMPRESS_XZ
318         bool "XZ"
319         help
320           Compress modules with XZ. The installed modules are suffixed
321           with .ko.xz.
322 
323 config MODULE_COMPRESS_ZSTD
324         bool "ZSTD"
325         help
326           Compress modules with ZSTD. The installed modules are suffixed
327           with .ko.zst.
328 
329 endchoice
330 
331 config MODULE_DECOMPRESS
332         bool "Support in-kernel module decompression"
333         depends on MODULE_COMPRESS_GZIP || MODULE_COMPRESS_XZ || MODULE_COMPRESS_ZSTD
334         select ZLIB_INFLATE if MODULE_COMPRESS_GZIP
335         select XZ_DEC if MODULE_COMPRESS_XZ
336         select ZSTD_DECOMPRESS if MODULE_COMPRESS_ZSTD
337         help
338 
339           Support for decompressing kernel modules by the kernel itself
340           instead of relying on userspace to perform this task. Useful when
341           load pinning security policy is enabled.
342 
343           If unsure, say N.
344 
345 config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS
346         bool "Allow loading of modules with missing namespace imports"
347         help
348           Symbols exported with EXPORT_SYMBOL_NS*() are considered exported in
349           a namespace. A module that makes use of a symbol exported with such a
350           namespace is required to import the namespace via MODULE_IMPORT_NS().
351           There is no technical reason to enforce correct namespace imports,
352           but it creates consistency between symbols defining namespaces and
353           users importing namespaces they make use of. This option relaxes this
354           requirement and lifts the enforcement when loading a module.
355 
356           If unsure, say N.
357 
358 config MODPROBE_PATH
359         string "Path to modprobe binary"
360         default "/sbin/modprobe"
361         help
362           When kernel code requests a module, it does so by calling
363           the "modprobe" userspace utility. This option allows you to
364           set the path where that binary is found. This can be changed
365           at runtime via the sysctl file
366           /proc/sys/kernel/modprobe. Setting this to the empty string
367           removes the kernel's ability to request modules (but
368           userspace can still load modules explicitly).
369 
370 config TRIM_UNUSED_KSYMS
371         bool "Trim unused exported kernel symbols"
372         help
373           The kernel and some modules make many symbols available for
374           other modules to use via EXPORT_SYMBOL() and variants. Depending
375           on the set of modules being selected in your kernel configuration,
376           many of those exported symbols might never be used.
377 
378           This option allows for unused exported symbols to be dropped from
379           the build. In turn, this provides the compiler more opportunities
380           (especially when using LTO) for optimizing the code and reducing
381           binary size.  This might have some security advantages as well.
382 
383           If unsure, or if you need to build out-of-tree modules, say N.
384 
385 config UNUSED_KSYMS_WHITELIST
386         string "Whitelist of symbols to keep in ksymtab"
387         depends on TRIM_UNUSED_KSYMS
388         help
389           By default, all unused exported symbols will be un-exported from the
390           build when TRIM_UNUSED_KSYMS is selected.
391 
392           UNUSED_KSYMS_WHITELIST allows to whitelist symbols that must be kept
393           exported at all times, even in absence of in-tree users. The value to
394           set here is the path to a text file containing the list of symbols,
395           one per line. The path can be absolute, or relative to the kernel
396           source or obj tree.
397 
398 config MODULES_TREE_LOOKUP
399         def_bool y
400         depends on PERF_EVENTS || TRACING || CFI_CLANG
401 
402 endif # MODULES

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php