# SPDX-License-Identifier: GPL-2.0-only
menuconfig MODULES
	bool "Enable loadable module support"
	modules
	help
	  Kernel modules are small pieces of compiled code which can
	  be inserted in the running kernel, rather than being
	  permanently built into the kernel.  You use the "modprobe"
	  tool to add (and sometimes remove) them.  If you say Y here,
	  many parts of the kernel can be built as modules (by
	  answering M instead of Y where indicated): this is most
	  useful for infrequently used options which are not required
	  for booting.  For more information, see the man pages for
	  modprobe, lsmod, modinfo, insmod and rmmod.

	  If you say Y here, you will need to run "make
	  modules_install" to put the modules under /lib/modules/
	  where modprobe can find them (you may need to be root to do
	  this).

	  If unsure, say Y.

if MODULES

config MODULE_DEBUGFS
	bool

config MODULE_DEBUG
	bool "Module debugging"
	depends on DEBUG_FS
	help
	  Allows you to enable / disable features which can help you debug
	  modules. You don't need these options on production systems.

if MODULE_DEBUG

config MODULE_STATS
	bool "Module statistics"
	depends on DEBUG_FS
	select MODULE_DEBUGFS
	help
	  This option allows you to maintain a record of module statistics.
	  For example, size of all modules, average size, text size, a list
	  of failed modules and the size for each of those. For failed
	  modules we keep track of modules which failed due to either the
	  existing module taking too long to load or that module was already
	  loaded.

	  You should enable this if you are debugging production loads
	  and want to see if userspace or the kernel is doing stupid things
	  with loading modules when it shouldn't or if you want to help
	  optimize userspace / kernel space module autoloading schemes.
	  You might want to do this because failed modules tend to use
	  up a significant amount of memory, and so you'd be doing everyone a
	  favor in avoiding these failures proactively.

	  This functionality is also useful for those experimenting with
	  module .text ELF section optimization.

	  If unsure, say N.

endif # MODULE_DEBUG

config MODULE_FORCE_LOAD
	bool "Forced module loading"
	default n
	help
	  Allow loading of modules without version information (i.e. modprobe
	  --force).  Forced module loading sets the 'F' (forced) taint flag and
	  is usually a really bad idea.

config MODULE_UNLOAD
	bool "Module unloading"
	help
	  Without this option you will not be able to unload any
	  modules (note that some modules may not be unloadable
	  anyway), which makes your kernel smaller, faster
	  and simpler.  If unsure, say Y.

config MODULE_FORCE_UNLOAD
	bool "Forced module unloading"
	depends on MODULE_UNLOAD
	help
	  This option allows you to force a module to unload, even if the
	  kernel believes it is unsafe: the kernel will remove the module
	  without waiting for anyone to stop using it (using the -f option to
	  rmmod).  This is mainly for kernel developers and desperate users.
	  If unsure, say N.

config MODULE_UNLOAD_TAINT_TRACKING
	bool "Tainted module unload tracking"
	depends on MODULE_UNLOAD
	select MODULE_DEBUGFS
	help
	  This option allows you to maintain a record of each unloaded
	  module that tainted the kernel. In addition to displaying a
	  list of linked (or loaded) modules e.g. on detection of a bad
	  page (see bad_page()), the aforementioned details are also
	  shown. If unsure, say N.

config MODVERSIONS
	bool "Module versioning support"
	help
	  Usually, you have to use modules compiled with your kernel.
	  Saying Y here makes it sometimes possible to use modules
	  compiled for different kernels, by adding enough information
	  to the modules to (hopefully) spot any changes which would
	  make them incompatible with the kernel you are running.  If
	  unsure, say N.

config ASM_MODVERSIONS
	bool
	default HAVE_ASM_MODVERSIONS && MODVERSIONS
	help
	  This enables module versioning for exported symbols also from
	  assembly. This can be enabled only when the target architecture
	  supports it.

config MODULE_SRCVERSION_ALL
	bool "Source checksum for all modules"
	help
	  Modules which contain a MODULE_VERSION get an extra "srcversion"
	  field inserted into their modinfo section, which contains a
	  sum of the source files which made it.  This helps maintainers
	  see exactly which source was used to build a module (since
	  others sometimes change the module source without updating
	  the version).  With this option, such a "srcversion" field
	  will be created for all modules.  If unsure, say N.

config MODULE_SIG
	bool "Module signature verification"
	select MODULE_SIG_FORMAT
	help
	  Check modules for valid signatures upon load: the signature
	  is simply appended to the module. For more information see
	  <file:Documentation/admin-guide/module-signing.rst>.

	  Note that this option adds the OpenSSL development packages as a
	  kernel build dependency so that the signing tool can use its crypto
	  library.

	  You should enable this option if you wish to use either
	  CONFIG_SECURITY_LOCKDOWN_LSM or lockdown functionality imposed via
	  another LSM - otherwise unsigned modules will be loadable regardless
	  of the lockdown policy.

	  !!!WARNING!!!  If you enable this option, you MUST make sure that the
	  module DOES NOT get stripped after being signed.  This includes the
	  debuginfo strip done by some packagers (such as rpmbuild) and
	  inclusion into an initramfs that wants the module size reduced.

config MODULE_SIG_FORCE
	bool "Require modules to be validly signed"
	depends on MODULE_SIG
	help
	  Reject unsigned modules or signed modules for which we don't have a
	  key.  Without this, such modules will simply taint the kernel.

config MODULE_SIG_ALL
	bool "Automatically sign all modules"
	default y
	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
	help
	  Sign all modules during make modules_install. Without this option,
	  modules must be signed manually, using the scripts/sign-file tool.

comment "Do not forget to sign required modules with scripts/sign-file"
	depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL

choice
	prompt "Which hash algorithm should modules be signed with?"
	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
	help
	  This determines which sort of hashing algorithm will be used during
	  signature generation.  This algorithm _must_ be built into the kernel
	  directly so that signature verification can take place.  It is not
	  possible to load a signed module containing the algorithm to check
	  the signature on that module.

config MODULE_SIG_SHA1
	bool "Sign modules with SHA-1"
	select CRYPTO_SHA1

config MODULE_SIG_SHA224
	bool "Sign modules with SHA-224"
	select CRYPTO_SHA256

config MODULE_SIG_SHA256
	bool "Sign modules with SHA-256"
	select CRYPTO_SHA256

config MODULE_SIG_SHA384
	bool "Sign modules with SHA-384"
	select CRYPTO_SHA512

config MODULE_SIG_SHA512
	bool "Sign modules with SHA-512"
	select CRYPTO_SHA512

endchoice

config MODULE_SIG_HASH
	string
	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
	default "sha1" if MODULE_SIG_SHA1
	default "sha224" if MODULE_SIG_SHA224
	default "sha256" if MODULE_SIG_SHA256
	default "sha384" if MODULE_SIG_SHA384
	default "sha512" if MODULE_SIG_SHA512

choice
	prompt "Module compression mode"
	help
	  This option allows you to choose the algorithm which will be used to
	  compress modules when 'make modules_install' is run. (or, you can
	  choose to not compress modules at all.)

	  External modules will also be compressed in the same way during the
	  installation.

	  For modules inside an initrd or initramfs, it's more efficient to
	  compress the whole initrd or initramfs instead.

	  This is fully compatible with signed modules.

	  Please note that the tool used to load modules needs to support the
	  corresponding algorithm. module-init-tools MAY support gzip, and kmod
	  MAY support gzip, xz and zstd.

	  Your build system needs to provide the appropriate compression tool
	  to compress the modules.

	  If in doubt, select 'None'.

config MODULE_COMPRESS_NONE
	bool "None"
	help
	  Do not compress modules. The installed modules are suffixed
	  with .ko.

config MODULE_COMPRESS_GZIP
	bool "GZIP"
	help
	  Compress modules with GZIP. The installed modules are suffixed
	  with .ko.gz.

config MODULE_COMPRESS_XZ
	bool "XZ"
	help
	  Compress modules with XZ. The installed modules are suffixed
	  with .ko.xz.

config MODULE_COMPRESS_ZSTD
	bool "ZSTD"
	help
	  Compress modules with ZSTD. The installed modules are suffixed
	  with .ko.zst.

endchoice

config MODULE_DECOMPRESS
	bool "Support in-kernel module decompression"
	depends on MODULE_COMPRESS_GZIP || MODULE_COMPRESS_XZ || MODULE_COMPRESS_ZSTD
	select ZLIB_INFLATE if MODULE_COMPRESS_GZIP
	select XZ_DEC if MODULE_COMPRESS_XZ
	select ZSTD_DECOMPRESS if MODULE_COMPRESS_ZSTD
	help
	  Support for decompressing kernel modules by the kernel itself
	  instead of relying on userspace to perform this task. Useful when
	  load pinning security policy is enabled.

	  If unsure, say N.

config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS
	bool "Allow loading of modules with missing namespace imports"
	help
	  Symbols exported with EXPORT_SYMBOL_NS*() are considered exported in
	  a namespace. A module that makes use of a symbol exported with such a
	  namespace is required to import the namespace via MODULE_IMPORT_NS().
	  There is no technical reason to enforce correct namespace imports,
	  but it creates consistency between symbols defining namespaces and
	  users importing namespaces they make use of. This option relaxes this
	  requirement and lifts the enforcement when loading a module.

	  If unsure, say N.

config MODPROBE_PATH
	string "Path to modprobe binary"
	default "/sbin/modprobe"
	help
	  When kernel code requests a module, it does so by calling
	  the "modprobe" userspace utility. This option allows you to
	  set the path where that binary is found. This can be changed
	  at runtime via the sysctl file
	  /proc/sys/kernel/modprobe. Setting this to the empty string
	  removes the kernel's ability to request modules (but
	  userspace can still load modules explicitly).

config TRIM_UNUSED_KSYMS
	bool "Trim unused exported kernel symbols" if EXPERT
	depends on !COMPILE_TEST
	help
	  The kernel and some modules make many symbols available for
	  other modules to use via EXPORT_SYMBOL() and variants. Depending
	  on the set of modules being selected in your kernel configuration,
	  many of those exported symbols might never be used.

	  This option allows for unused exported symbols to be dropped from
	  the build. In turn, this provides the compiler more opportunities
	  (especially when using LTO) for optimizing the code and reducing
	  binary size.  This might have some security advantages as well.

	  If unsure, or if you need to build out-of-tree modules, say N.

config UNUSED_KSYMS_WHITELIST
	string "Whitelist of symbols to keep in ksymtab"
	depends on TRIM_UNUSED_KSYMS
	help
	  By default, all unused exported symbols will be un-exported from the
	  build when TRIM_UNUSED_KSYMS is selected.

	  UNUSED_KSYMS_WHITELIST allows you to whitelist symbols that must be
	  kept exported at all times, even in the absence of in-tree users. The
	  value to set here is the path to a text file containing the list of
	  symbols, one per line. The path can be absolute, or relative to the
	  kernel source tree.

config MODULES_TREE_LOOKUP
	def_bool y
	depends on PERF_EVENTS || TRACING || CFI_CLANG

endif # MODULES
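
# Added example, not part of the kernel tree: a small audit of a generated
# .config against the advice in the help texts above (forced load/unload,
# debug options, namespace enforcement, and the MODULE_SIG / MODULE_SIG_FORCE /
# MODULE_SIG_ALL / lockdown interplay). The function names, the finding
# wording and the sample .config are assumptions made for illustration.

```python
import re

# Constructed sample .config fragment (not taken from a real build).
SAMPLE_CONFIG = """\
CONFIG_MODULES=y
CONFIG_MODULE_FORCE_LOAD=y
# CONFIG_MODULE_FORCE_UNLOAD is not set
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
# CONFIG_MODULE_SIG_ALL is not set
CONFIG_SECURITY_LOCKDOWN_LSM=y
"""

# Options whose help text above advises against enabling them in production.
RISKY_IF_SET = {
    "MODULE_FORCE_LOAD": "loads modules without version information",
    "MODULE_FORCE_UNLOAD": "removes modules without waiting for users to stop",
    "MODULE_DEBUG": "debug features not needed on production systems",
    "MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS": "namespace import check is lifted",
}

def parse_config(text):
    """Map symbol -> value; '# CONFIG_X is not set' lines are simply absent."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"CONFIG_(\w+)=(.*)$", line.strip())
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
    return opts

def audit_module_config(text):
    """Return (symbol, finding) pairs derived from the help texts in this file."""
    opts = parse_config(text)
    on = lambda sym: opts.get(sym) == "y"
    if not on("MODULES"):
        return []  # no loadable module support: nothing to audit
    findings = [(s, why) for s, why in RISKY_IF_SET.items() if on(s)]
    if not on("MODULE_SIG"):
        if on("SECURITY_LOCKDOWN_LSM"):
            findings.append(("MODULE_SIG", "lockdown cannot block unsigned modules"))
    elif not on("MODULE_SIG_FORCE"):
        findings.append(("MODULE_SIG_FORCE", "unsigned modules only taint the kernel"))
    elif not on("MODULE_SIG_ALL"):
        findings.append(("MODULE_SIG_ALL", "sign modules manually with scripts/sign-file"))
    return findings

if __name__ == "__main__":
    for symbol, finding in audit_module_config(SAMPLE_CONFIG):
        print(f"CONFIG_{symbol}: {finding}")
```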