1 # SPDX-License-Identifier: GPL-2.0-only
3 bool "Enable loadable module support"
7 Kernel modules are small pieces of compiled code which can
8 be inserted in the running kernel, rather than being
9 permanently built into the kernel. You use the "modprobe"
10 tool to add (and sometimes remove) them. If you say Y here,
11 many parts of the kernel can be built as modules (by
12 answering M instead of Y where indicated): this is most
13 useful for infrequently used options which are not required
14 for booting. For more information, see the man pages for
15 modprobe, lsmod, modinfo, insmod and rmmod.
17 If you say Y here, you will need to run "make
18 modules_install" to put the modules under /lib/modules/
19 where modprobe can find them (you may need to be root to do
30 bool "Module debugging"
33 Allows you to enable / disable features which can help you debug
34 modules. You don't need these options on production systems.
39 bool "Module statistics"
43 This option allows you to maintain a record of module statistics.
44 For example, size of all modules, average size, text size, a list
45 of failed modules and the size for each of those. For failed
46 modules we keep track of modules which failed due to either the
47 existing module taking too long to load or that module was already
50 You should enable this if you are debugging production loads
51 and want to see if userspace or the kernel is doing stupid things
52 with loading modules when it shouldn't or if you want to help
53 optimize userspace / kernel space module autoloading schemes.
54 You might want to do this because failed modules tend to use
55 up significant amount of memory, and so you'd be doing everyone a
56 favor in avoiding these failures proactively.
58 This functionality is also useful for those experimenting with
59 module .text ELF section optimization.
63 config MODULE_DEBUG_AUTOLOAD_DUPS
64 bool "Debug duplicate modules with auto-loading"
66 Module autoloading allows in-kernel code to request modules through
67 the *request_module*() API calls. This in turn just calls userspace
68 modprobe. Although modprobe checks to see if a module is already
69 loaded before trying to load a module there is a small time window in
70 which multiple duplicate requests can end up in userspace and multiple
71 modprobe calls race calling finit_module() around the same time for
72 duplicate modules. The finit_module() system call can consume in the
73 worst case more than twice the respective module size in virtual
74 memory for each duplicate module requests. Although duplicate module
75 requests are non-fatal virtual memory is a limited resource and each
76 duplicate module request ends up just unnecessarily straining virtual
79 This debugging facility will create pr_warn() splats for duplicate
80 module requests to help identify if module auto-loading may be the
81 culprit to your early boot virtual memory pressure. Since virtual
82 memory abuse caused by duplicate module requests could render a
83 system unusable this functionality will also converge races in
84 requests for the same module to a single request. You can boot with
85 the module.enable_dups_trace=1 kernel parameter to use WARN_ON()
86 instead of the pr_warn().
88 If the first module request used request_module_nowait() we cannot
89 use that as the anchor to wait for duplicate module requests, since
90 users of request_module() do want a proper return value. If a call
91 for the same module happened earlier with request_module() though,
92 then a duplicate request_module_nowait() would be detected. The
93 non-wait request_module() call is synchronous and waits until modprobe
94 completes. Subsequent auto-loading requests for the same module do
95 not trigger a new finit_module() calls and do not strain virtual
96 memory, and so as soon as modprobe successfully completes we remove
97 tracking for duplicates for that module.
99 Enable this functionality to try to debug virtual memory abuse during
100 boot on systems which are failing to boot or if you suspect you may be
101 straining virtual memory during boot, and you want to identify if the
102 abuse was due to module auto-loading. These issues are currently only
103 known to occur on systems with many CPUs (over 400) and is likely the
104 result of udev issuing duplicate module requests for each CPU, and so
105 module auto-loading is not the culprit. There may very well still be
106 many duplicate module auto-loading requests which could be optimized
107 for and this debugging facility can be used to help identify them.
109 Only enable this for debugging system functionality, never have it
110 enabled on real systems.
112 config MODULE_DEBUG_AUTOLOAD_DUPS_TRACE
113 bool "Force full stack trace when duplicates are found"
114 depends on MODULE_DEBUG_AUTOLOAD_DUPS
116 Enabling this will force a full stack trace for duplicate module
117 auto-loading requests using WARN_ON() instead of pr_warn(). You
118 should keep this disabled at all times unless you are a developer
119 and are doing a manual inspection and want to debug exactly why
120 these duplicates occur.
124 config MODULE_FORCE_LOAD
125 bool "Forced module loading"
128 Allow loading of modules without version information (ie. modprobe
129 --force). Forced module loading sets the 'F' (forced) taint flag and
130 is usually a really bad idea.
133 bool "Module unloading"
135 Without this option you will not be able to unload any
136 modules (note that some modules may not be unloadable
137 anyway), which makes your kernel smaller, faster
138 and simpler. If unsure, say Y.
140 config MODULE_FORCE_UNLOAD
141 bool "Forced module unloading"
142 depends on MODULE_UNLOAD
144 This option allows you to force a module to unload, even if the
145 kernel believes it is unsafe: the kernel will remove the module
146 without waiting for anyone to stop using it (using the -f option to
147 rmmod). This is mainly for kernel developers and desperate users.
150 config MODULE_UNLOAD_TAINT_TRACKING
151 bool "Tainted module unload tracking"
152 depends on MODULE_UNLOAD
153 select MODULE_DEBUGFS
155 This option allows you to maintain a record of each unloaded
156 module that tainted the kernel. In addition to displaying a
157 list of linked (or loaded) modules e.g. on detection of a bad
158 page (see bad_page()), the aforementioned details are also
159 shown. If unsure, say N.
162 bool "Module versioning support"
164 Usually, you have to use modules compiled with your kernel.
165 Saying Y here makes it sometimes possible to use modules
166 compiled for different kernels, by adding enough information
167 to the modules to (hopefully) spot any changes which would
168 make them incompatible with the kernel you are running. If
171 config ASM_MODVERSIONS
173 default HAVE_ASM_MODVERSIONS && MODVERSIONS
175 This enables module versioning for exported symbols also from
176 assembly. This can be enabled only when the target architecture
179 config MODULE_SRCVERSION_ALL
180 bool "Source checksum for all modules"
182 Modules which contain a MODULE_VERSION get an extra "srcversion"
183 field inserted into their modinfo section, which contains a
184 sum of the source files which made it. This helps maintainers
185 see exactly which source was used to build a module (since
186 others sometimes change the module source without updating
187 the version). With this option, such a "srcversion" field
188 will be created for all modules. If unsure, say N.
191 bool "Module signature verification"
192 select MODULE_SIG_FORMAT
194 Check modules for valid signatures upon load: the signature
195 is simply appended to the module. For more information see
196 <file:Documentation/admin-guide/module-signing.rst>.
198 Note that this option adds the OpenSSL development packages as a
199 kernel build dependency so that the signing tool can use its crypto
202 You should enable this option if you wish to use either
203 CONFIG_SECURITY_LOCKDOWN_LSM or lockdown functionality imposed via
204 another LSM - otherwise unsigned modules will be loadable regardless
205 of the lockdown policy.
207 !!!WARNING!!! If you enable this option, you MUST make sure that the
208 module DOES NOT get stripped after being signed. This includes the
209 debuginfo strip done by some packagers (such as rpmbuild) and
210 inclusion into an initramfs that wants the module size reduced.
212 config MODULE_SIG_FORCE
213 bool "Require modules to be validly signed"
214 depends on MODULE_SIG
216 Reject unsigned modules or signed modules for which we don't have a
217 key. Without this, such modules will simply taint the kernel.
219 config MODULE_SIG_ALL
220 bool "Automatically sign all modules"
222 depends on MODULE_SIG || IMA_APPRAISE_MODSIG
224 Sign all modules during make modules_install. Without this option,
225 modules must be signed manually, using the scripts/sign-file tool.
227 comment "Do not forget to sign required modules with scripts/sign-file"
228 depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
231 prompt "Which hash algorithm should modules be signed with?"
232 depends on MODULE_SIG || IMA_APPRAISE_MODSIG
234 This determines which sort of hashing algorithm will be used during
235 signature generation. This algorithm _must_ be built into the kernel
236 directly so that signature verification can take place. It is not
237 possible to load a signed module containing the algorithm to check
238 the signature on that module.
240 config MODULE_SIG_SHA1
241 bool "Sign modules with SHA-1"
244 config MODULE_SIG_SHA256
245 bool "Sign modules with SHA-256"
248 config MODULE_SIG_SHA384
249 bool "Sign modules with SHA-384"
252 config MODULE_SIG_SHA512
253 bool "Sign modules with SHA-512"
256 config MODULE_SIG_SHA3_256
257 bool "Sign modules with SHA3-256"
260 config MODULE_SIG_SHA3_384
261 bool "Sign modules with SHA3-384"
264 config MODULE_SIG_SHA3_512
265 bool "Sign modules with SHA3-512"
270 config MODULE_SIG_HASH
272 depends on MODULE_SIG || IMA_APPRAISE_MODSIG
273 default "sha1" if MODULE_SIG_SHA1
274 default "sha256" if MODULE_SIG_SHA256
275 default "sha384" if MODULE_SIG_SHA384
276 default "sha512" if MODULE_SIG_SHA512
277 default "sha3-256" if MODULE_SIG_SHA3_256
278 default "sha3-384" if MODULE_SIG_SHA3_384
279 default "sha3-512" if MODULE_SIG_SHA3_512
282 prompt "Module compression mode"
284 This option allows you to choose the algorithm which will be used to
285 compress modules when 'make modules_install' is run. (or, you can
286 choose to not compress modules at all.)
288 External modules will also be compressed in the same way during the
291 For modules inside an initrd or initramfs, it's more efficient to
292 compress the whole initrd or initramfs instead.
294 This is fully compatible with signed modules.
296 Please note that the tool used to load modules needs to support the
297 corresponding algorithm. module-init-tools MAY support gzip, and kmod
298 MAY support gzip, xz and zstd.
300 Your build system needs to provide the appropriate compression tool
301 to compress the modules.
303 If in doubt, select 'None'.
305 config MODULE_COMPRESS_NONE
308 Do not compress modules. The installed modules are suffixed
311 config MODULE_COMPRESS_GZIP
314 Compress modules with GZIP. The installed modules are suffixed
317 config MODULE_COMPRESS_XZ
320 Compress modules with XZ. The installed modules are suffixed
323 config MODULE_COMPRESS_ZSTD
326 Compress modules with ZSTD. The installed modules are suffixed
331 config MODULE_DECOMPRESS
332 bool "Support in-kernel module decompression"
333 depends on MODULE_COMPRESS_GZIP || MODULE_COMPRESS_XZ || MODULE_COMPRESS_ZSTD
334 select ZLIB_INFLATE if MODULE_COMPRESS_GZIP
335 select XZ_DEC if MODULE_COMPRESS_XZ
336 select ZSTD_DECOMPRESS if MODULE_COMPRESS_ZSTD
339 Support for decompressing kernel modules by the kernel itself
340 instead of relying on userspace to perform this task. Useful when
341 load pinning security policy is enabled.
345 config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS
346 bool "Allow loading of modules with missing namespace imports"
348 Symbols exported with EXPORT_SYMBOL_NS*() are considered exported in
349 a namespace. A module that makes use of a symbol exported with such a
350 namespace is required to import the namespace via MODULE_IMPORT_NS().
351 There is no technical reason to enforce correct namespace imports,
352 but it creates consistency between symbols defining namespaces and
353 users importing namespaces they make use of. This option relaxes this
354 requirement and lifts the enforcement when loading a module.
359 string "Path to modprobe binary"
360 default "/sbin/modprobe"
362 When kernel code requests a module, it does so by calling
363 the "modprobe" userspace utility. This option allows you to
364 set the path where that binary is found. This can be changed
365 at runtime via the sysctl file
366 /proc/sys/kernel/modprobe. Setting this to the empty string
367 removes the kernel's ability to request modules (but
368 userspace can still load modules explicitly).
370 config TRIM_UNUSED_KSYMS
371 bool "Trim unused exported kernel symbols"
373 The kernel and some modules make many symbols available for
374 other modules to use via EXPORT_SYMBOL() and variants. Depending
375 on the set of modules being selected in your kernel configuration,
376 many of those exported symbols might never be used.
378 This option allows for unused exported symbols to be dropped from
379 the build. In turn, this provides the compiler more opportunities
380 (especially when using LTO) for optimizing the code and reducing
381 binary size. This might have some security advantages as well.
383 If unsure, or if you need to build out-of-tree modules, say N.
385 config UNUSED_KSYMS_WHITELIST
386 string "Whitelist of symbols to keep in ksymtab"
387 depends on TRIM_UNUSED_KSYMS
389 By default, all unused exported symbols will be un-exported from the
390 build when TRIM_UNUSED_KSYMS is selected.
392 UNUSED_KSYMS_WHITELIST allows to whitelist symbols that must be kept
393 exported at all times, even in absence of in-tree users. The value to
394 set here is the path to a text file containing the list of symbols,
395 one per line. The path can be absolute, or relative to the kernel
398 config MODULES_TREE_LOOKUP
400 depends on PERF_EVENTS || TRACING || CFI_CLANG
projects / J-linux.git / blob