| # SPDX-License-Identifier: GPL-2.0-only |
| menuconfig MODULES |
| bool "Enable loadable module support" |
| modules |
| help |
| Kernel modules are small pieces of compiled code which can |
| be inserted in the running kernel, rather than being |
| permanently built into the kernel. You use the "modprobe" |
| tool to add (and sometimes remove) them. If you say Y here, |
| many parts of the kernel can be built as modules (by |
| answering M instead of Y where indicated): this is most |
| useful for infrequently used options which are not required |
| for booting. For more information, see the man pages for |
| modprobe, lsmod, modinfo, insmod and rmmod. |
| |
| If you say Y here, you will need to run "make |
| modules_install" to put the modules under /lib/modules/ |
| where modprobe can find them (you may need to be root to do |
| this). |
| |
| If unsure, say Y. |
| |
| if MODULES |
| |
| config MODULE_FORCE_LOAD |
| bool "Forced module loading" |
| default n |
| help |
| Allow loading of modules without version information (ie. modprobe |
| --force). Forced module loading sets the 'F' (forced) taint flag and |
| is usually a really bad idea. |
| |
| config MODULE_UNLOAD |
| bool "Module unloading" |
| help |
| Without this option you will not be able to unload any |
| modules (note that some modules may not be unloadable |
| anyway), which makes your kernel smaller, faster |
| and simpler. If unsure, say Y. |
| |
| config MODULE_FORCE_UNLOAD |
| bool "Forced module unloading" |
| depends on MODULE_UNLOAD |
| help |
| This option allows you to force a module to unload, even if the |
| kernel believes it is unsafe: the kernel will remove the module |
| without waiting for anyone to stop using it (using the -f option to |
| rmmod). This is mainly for kernel developers and desperate users. |
| If unsure, say N. |
| |
| config MODULE_UNLOAD_TAINT_TRACKING |
| bool "Tainted module unload tracking" |
| depends on MODULE_UNLOAD |
| default n |
| help |
| This option allows you to maintain a record of each unloaded |
| module that tainted the kernel. In addition to displaying a |
| list of linked (or loaded) modules e.g. on detection of a bad |
| page (see bad_page()), the aforementioned details are also |
| shown. If unsure, say N. |
| |
| config MODVERSIONS |
| bool "Module versioning support" |
| help |
| Usually, you have to use modules compiled with your kernel. |
| Saying Y here makes it sometimes possible to use modules |
| compiled for different kernels, by adding enough information |
| to the modules to (hopefully) spot any changes which would |
| make them incompatible with the kernel you are running. If |
| unsure, say N. |
| |
| config ASM_MODVERSIONS |
| bool |
| default HAVE_ASM_MODVERSIONS && MODVERSIONS |
| help |
| This enables module versioning for exported symbols also from |
| assembly. This can be enabled only when the target architecture |
| supports it. |
| |
| config MODULE_SRCVERSION_ALL |
| bool "Source checksum for all modules" |
| help |
| Modules which contain a MODULE_VERSION get an extra "srcversion" |
| field inserted into their modinfo section, which contains a |
| sum of the source files which made it. This helps maintainers |
| see exactly which source was used to build a module (since |
| others sometimes change the module source without updating |
| the version). With this option, such a "srcversion" field |
| will be created for all modules. If unsure, say N. |
| |
| config MODULE_SCMVERSION |
| bool "SCM version for modules" |
| depends on LOCALVERSION_AUTO |
| help |
| This enables the module attribute "scmversion" which can be used |
| by developers to identify the SCM version of a given module, e.g. |
| git sha1 or hg sha1. The SCM version can be queried by modinfo or |
| via the sysfs node: /sys/modules/MODULENAME/scmversion. This is |
| useful when the kernel or kernel modules are updated separately |
| since that causes the vermagic of the kernel and the module to |
| differ. |
| |
| If unsure, say N. |
| |
| config MODULE_SIG |
| bool "Module signature verification" |
| select MODULE_SIG_FORMAT |
| help |
| Check modules for valid signatures upon load: the signature |
| is simply appended to the module. For more information see |
| <file:Documentation/admin-guide/module-signing.rst>. |
| |
| Note that this option adds the OpenSSL development packages as a |
| kernel build dependency so that the signing tool can use its crypto |
| library. |
| |
| You should enable this option if you wish to use either |
| CONFIG_SECURITY_LOCKDOWN_LSM or lockdown functionality imposed via |
| another LSM - otherwise unsigned modules will be loadable regardless |
| of the lockdown policy. |
| |
| !!!WARNING!!! If you enable this option, you MUST make sure that the |
| module DOES NOT get stripped after being signed. This includes the |
| debuginfo strip done by some packagers (such as rpmbuild) and |
| inclusion into an initramfs that wants the module size reduced. |
| |
| config MODULE_SIG_FORCE |
| bool "Require modules to be validly signed" |
| depends on MODULE_SIG |
| help |
| Reject unsigned modules or signed modules for which we don't have a |
| key. Without this, such modules will simply taint the kernel. |
| |
| config MODULE_SIG_PROTECT |
| bool "Android GKI module protection" |
| depends on MODULE_SIG && !MODULE_SIG_FORCE |
| help |
| Enables Android GKI symbol and export protection support. |
| |
| This modifies the behavior of the MODULE_SIG_FORCE as follows: |
| - Allows Android GKI Modules signed using MODULE_SIG_ALL during build. |
| - Allows other modules to load if they don't violate the access to |
| Android GKI protected symbols and do not export the symbols already |
| exported by the Android GKI modules. Loading will fail and return |
| -EACCES (Permission denied) if symbol access conditions are not met. |
| |
| config MODULE_SIG_ALL |
| bool "Automatically sign all modules" |
| default y |
| depends on MODULE_SIG || IMA_APPRAISE_MODSIG |
| help |
| Sign all modules during make modules_install. Without this option, |
| modules must be signed manually, using the scripts/sign-file tool. |
| |
| comment "Do not forget to sign required modules with scripts/sign-file" |
| depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL |
| |
| choice |
| prompt "Which hash algorithm should modules be signed with?" |
| depends on MODULE_SIG || IMA_APPRAISE_MODSIG |
| help |
| This determines which sort of hashing algorithm will be used during |
| signature generation. This algorithm _must_ be built into the kernel |
| directly so that signature verification can take place. It is not |
| possible to load a signed module containing the algorithm to check |
| the signature on that module. |
| |
| config MODULE_SIG_SHA1 |
| bool "Sign modules with SHA-1" |
| select CRYPTO_SHA1 |
| |
| config MODULE_SIG_SHA224 |
| bool "Sign modules with SHA-224" |
| select CRYPTO_SHA256 |
| |
| config MODULE_SIG_SHA256 |
| bool "Sign modules with SHA-256" |
| select CRYPTO_SHA256 |
| |
| config MODULE_SIG_SHA384 |
| bool "Sign modules with SHA-384" |
| select CRYPTO_SHA512 |
| |
| config MODULE_SIG_SHA512 |
| bool "Sign modules with SHA-512" |
| select CRYPTO_SHA512 |
| |
| endchoice |
| |
| config MODULE_SIG_HASH |
| string |
| depends on MODULE_SIG || IMA_APPRAISE_MODSIG |
| default "sha1" if MODULE_SIG_SHA1 |
| default "sha224" if MODULE_SIG_SHA224 |
| default "sha256" if MODULE_SIG_SHA256 |
| default "sha384" if MODULE_SIG_SHA384 |
| default "sha512" if MODULE_SIG_SHA512 |
| |
| choice |
| prompt "Module compression mode" |
| help |
| This option allows you to choose the algorithm which will be used to |
| compress modules when 'make modules_install' is run. (or, you can |
| choose to not compress modules at all.) |
| |
| External modules will also be compressed in the same way during the |
| installation. |
| |
| For modules inside an initrd or initramfs, it's more efficient to |
| compress the whole initrd or initramfs instead. |
| |
| This is fully compatible with signed modules. |
| |
| Please note that the tool used to load modules needs to support the |
| corresponding algorithm. module-init-tools MAY support gzip, and kmod |
| MAY support gzip, xz and zstd. |
| |
| Your build system needs to provide the appropriate compression tool |
| to compress the modules. |
| |
| If in doubt, select 'None'. |
| |
| config MODULE_COMPRESS_NONE |
| bool "None" |
| help |
| Do not compress modules. The installed modules are suffixed |
| with .ko. |
| |
| config MODULE_COMPRESS_GZIP |
| bool "GZIP" |
| help |
| Compress modules with GZIP. The installed modules are suffixed |
| with .ko.gz. |
| |
| config MODULE_COMPRESS_XZ |
| bool "XZ" |
| help |
| Compress modules with XZ. The installed modules are suffixed |
| with .ko.xz. |
| |
| config MODULE_COMPRESS_ZSTD |
| bool "ZSTD" |
| help |
| Compress modules with ZSTD. The installed modules are suffixed |
| with .ko.zst. |
| |
| endchoice |
| |
| config MODULE_DECOMPRESS |
| bool "Support in-kernel module decompression" |
| depends on MODULE_COMPRESS_GZIP || MODULE_COMPRESS_XZ |
| select ZLIB_INFLATE if MODULE_COMPRESS_GZIP |
| select XZ_DEC if MODULE_COMPRESS_XZ |
| help |
| |
| Support for decompressing kernel modules by the kernel itself |
| instead of relying on userspace to perform this task. Useful when |
| load pinning security policy is enabled. |
| |
| If unsure, say N. |
| |
| config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS |
| bool "Allow loading of modules with missing namespace imports" |
| help |
| Symbols exported with EXPORT_SYMBOL_NS*() are considered exported in |
| a namespace. A module that makes use of a symbol exported with such a |
| namespace is required to import the namespace via MODULE_IMPORT_NS(). |
| There is no technical reason to enforce correct namespace imports, |
| but it creates consistency between symbols defining namespaces and |
| users importing namespaces they make use of. This option relaxes this |
| requirement and lifts the enforcement when loading a module. |
| |
| If unsure, say N. |
| |
| config MODPROBE_PATH |
| string "Path to modprobe binary" |
| default "/sbin/modprobe" |
| help |
| When kernel code requests a module, it does so by calling |
| the "modprobe" userspace utility. This option allows you to |
| set the path where that binary is found. This can be changed |
| at runtime via the sysctl file |
| /proc/sys/kernel/modprobe. Setting this to the empty string |
| removes the kernel's ability to request modules (but |
| userspace can still load modules explicitly). |
| |
| config TRIM_UNUSED_KSYMS |
| bool "Trim unused exported kernel symbols" if EXPERT |
| depends on !COMPILE_TEST |
| help |
| The kernel and some modules make many symbols available for |
| other modules to use via EXPORT_SYMBOL() and variants. Depending |
| on the set of modules being selected in your kernel configuration, |
| many of those exported symbols might never be used. |
| |
| This option allows for unused exported symbols to be dropped from |
| the build. In turn, this provides the compiler more opportunities |
| (especially when using LTO) for optimizing the code and reducing |
| binary size. This might have some security advantages as well. |
| |
| If unsure, or if you need to build out-of-tree modules, say N. |
| |
| config UNUSED_KSYMS_WHITELIST |
| string "Whitelist of symbols to keep in ksymtab" |
| depends on TRIM_UNUSED_KSYMS |
| help |
| By default, all unused exported symbols will be un-exported from the |
| build when TRIM_UNUSED_KSYMS is selected. |
| |
| UNUSED_KSYMS_WHITELIST allows to whitelist symbols that must be kept |
| exported at all times, even in absence of in-tree users. The value to |
| set here is the path to a text file containing the list of symbols, |
| one per line. The path can be absolute, or relative to the kernel |
| source tree. |
| |
| config MODULES_TREE_LOOKUP |
| def_bool y |
| depends on PERF_EVENTS || TRACING || CFI_CLANG |
| |
| endif # MODULES |
