1# SPDX-License-Identifier: GPL-2.0-only 2menuconfig MODULES 3 bool "Enable loadable module support" 4 modules 5 help 6 Kernel modules are small pieces of compiled code which can 7 be inserted in the running kernel, rather than being 8 permanently built into the kernel. You use the "modprobe" 9 tool to add (and sometimes remove) them. If you say Y here, 10 many parts of the kernel can be built as modules (by 11 answering M instead of Y where indicated): this is most 12 useful for infrequently used options which are not required 13 for booting. For more information, see the man pages for 14 modprobe, lsmod, modinfo, insmod and rmmod. 15 16 If you say Y here, you will need to run "make 17 modules_install" to put the modules under /lib/modules/ 18 where modprobe can find them (you may need to be root to do 19 this). 20 21 If unsure, say Y. 22 23if MODULES 24 25config MODULE_FORCE_LOAD 26 bool "Forced module loading" 27 default n 28 help 29 Allow loading of modules without version information (ie. modprobe 30 --force). Forced module loading sets the 'F' (forced) taint flag and 31 is usually a really bad idea. 32 33config MODULE_UNLOAD 34 bool "Module unloading" 35 help 36 Without this option you will not be able to unload any 37 modules (note that some modules may not be unloadable 38 anyway), which makes your kernel smaller, faster 39 and simpler. If unsure, say Y. 40 41config MODULE_FORCE_UNLOAD 42 bool "Forced module unloading" 43 depends on MODULE_UNLOAD 44 help 45 This option allows you to force a module to unload, even if the 46 kernel believes it is unsafe: the kernel will remove the module 47 without waiting for anyone to stop using it (using the -f option to 48 rmmod). This is mainly for kernel developers and desperate users. 49 If unsure, say N. 50 51config MODULE_UNLOAD_TAINT_TRACKING 52 bool "Tainted module unload tracking" 53 depends on MODULE_UNLOAD 54 default n 55 help 56 This option allows you to maintain a record of each unloaded 57 module that tainted the kernel. In addition to displaying a 58 list of linked (or loaded) modules e.g. on detection of a bad 59 page (see bad_page()), the aforementioned details are also 60 shown. If unsure, say N. 61 62config MODVERSIONS 63 bool "Module versioning support" 64 help 65 Usually, you have to use modules compiled with your kernel. 66 Saying Y here makes it sometimes possible to use modules 67 compiled for different kernels, by adding enough information 68 to the modules to (hopefully) spot any changes which would 69 make them incompatible with the kernel you are running. If 70 unsure, say N. 71 72config ASM_MODVERSIONS 73 bool 74 default HAVE_ASM_MODVERSIONS && MODVERSIONS 75 help 76 This enables module versioning for exported symbols also from 77 assembly. This can be enabled only when the target architecture 78 supports it. 79 80config MODULE_SRCVERSION_ALL 81 bool "Source checksum for all modules" 82 help 83 Modules which contain a MODULE_VERSION get an extra "srcversion" 84 field inserted into their modinfo section, which contains a 85 sum of the source files which made it. This helps maintainers 86 see exactly which source was used to build a module (since 87 others sometimes change the module source without updating 88 the version). With this option, such a "srcversion" field 89 will be created for all modules. If unsure, say N. 90 91config MODULE_SIG 92 bool "Module signature verification" 93 select MODULE_SIG_FORMAT 94 help 95 Check modules for valid signatures upon load: the signature 96 is simply appended to the module. For more information see 97 <file:Documentation/admin-guide/module-signing.rst>. 98 99 Note that this option adds the OpenSSL development packages as a 100 kernel build dependency so that the signing tool can use its crypto 101 library. 102 103 You should enable this option if you wish to use either 104 CONFIG_SECURITY_LOCKDOWN_LSM or lockdown functionality imposed via 105 another LSM - otherwise unsigned modules will be loadable regardless 106 of the lockdown policy. 107 108 !!!WARNING!!! If you enable this option, you MUST make sure that the 109 module DOES NOT get stripped after being signed. This includes the 110 debuginfo strip done by some packagers (such as rpmbuild) and 111 inclusion into an initramfs that wants the module size reduced. 112 113config MODULE_SIG_FORCE 114 bool "Require modules to be validly signed" 115 depends on MODULE_SIG 116 help 117 Reject unsigned modules or signed modules for which we don't have a 118 key. Without this, such modules will simply taint the kernel. 119 120config MODULE_SIG_ALL 121 bool "Automatically sign all modules" 122 default y 123 depends on MODULE_SIG || IMA_APPRAISE_MODSIG 124 help 125 Sign all modules during make modules_install. Without this option, 126 modules must be signed manually, using the scripts/sign-file tool. 127 128comment "Do not forget to sign required modules with scripts/sign-file" 129 depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL 130 131choice 132 prompt "Which hash algorithm should modules be signed with?" 133 depends on MODULE_SIG || IMA_APPRAISE_MODSIG 134 help 135 This determines which sort of hashing algorithm will be used during 136 signature generation. This algorithm _must_ be built into the kernel 137 directly so that signature verification can take place. It is not 138 possible to load a signed module containing the algorithm to check 139 the signature on that module. 140 141config MODULE_SIG_SHA1 142 bool "Sign modules with SHA-1" 143 select CRYPTO_SHA1 144 145config MODULE_SIG_SHA224 146 bool "Sign modules with SHA-224" 147 select CRYPTO_SHA256 148 149config MODULE_SIG_SHA256 150 bool "Sign modules with SHA-256" 151 select CRYPTO_SHA256 152 153config MODULE_SIG_SHA384 154 bool "Sign modules with SHA-384" 155 select CRYPTO_SHA512 156 157config MODULE_SIG_SHA512 158 bool "Sign modules with SHA-512" 159 select CRYPTO_SHA512 160 161endchoice 162 163config MODULE_SIG_HASH 164 string 165 depends on MODULE_SIG || IMA_APPRAISE_MODSIG 166 default "sha1" if MODULE_SIG_SHA1 167 default "sha224" if MODULE_SIG_SHA224 168 default "sha256" if MODULE_SIG_SHA256 169 default "sha384" if MODULE_SIG_SHA384 170 default "sha512" if MODULE_SIG_SHA512 171 172choice 173 prompt "Module compression mode" 174 help 175 This option allows you to choose the algorithm which will be used to 176 compress modules when 'make modules_install' is run. (or, you can 177 choose to not compress modules at all.) 178 179 External modules will also be compressed in the same way during the 180 installation. 181 182 For modules inside an initrd or initramfs, it's more efficient to 183 compress the whole initrd or initramfs instead. 184 185 This is fully compatible with signed modules. 186 187 Please note that the tool used to load modules needs to support the 188 corresponding algorithm. module-init-tools MAY support gzip, and kmod 189 MAY support gzip, xz and zstd. 190 191 Your build system needs to provide the appropriate compression tool 192 to compress the modules. 193 194 If in doubt, select 'None'. 195 196config MODULE_COMPRESS_NONE 197 bool "None" 198 help 199 Do not compress modules. The installed modules are suffixed 200 with .ko. 201 202config MODULE_COMPRESS_GZIP 203 bool "GZIP" 204 help 205 Compress modules with GZIP. The installed modules are suffixed 206 with .ko.gz. 207 208config MODULE_COMPRESS_XZ 209 bool "XZ" 210 help 211 Compress modules with XZ. The installed modules are suffixed 212 with .ko.xz. 213 214config MODULE_COMPRESS_ZSTD 215 bool "ZSTD" 216 help 217 Compress modules with ZSTD. The installed modules are suffixed 218 with .ko.zst. 219 220endchoice 221 222config MODULE_DECOMPRESS 223 bool "Support in-kernel module decompression" 224 depends on MODULE_COMPRESS_GZIP || MODULE_COMPRESS_XZ 225 select ZLIB_INFLATE if MODULE_COMPRESS_GZIP 226 select XZ_DEC if MODULE_COMPRESS_XZ 227 help 228 229 Support for decompressing kernel modules by the kernel itself 230 instead of relying on userspace to perform this task. Useful when 231 load pinning security policy is enabled. 232 233 If unsure, say N. 234 235config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS 236 bool "Allow loading of modules with missing namespace imports" 237 help 238 Symbols exported with EXPORT_SYMBOL_NS*() are considered exported in 239 a namespace. A module that makes use of a symbol exported with such a 240 namespace is required to import the namespace via MODULE_IMPORT_NS(). 241 There is no technical reason to enforce correct namespace imports, 242 but it creates consistency between symbols defining namespaces and 243 users importing namespaces they make use of. This option relaxes this 244 requirement and lifts the enforcement when loading a module. 245 246 If unsure, say N. 247 248config MODPROBE_PATH 249 string "Path to modprobe binary" 250 default "/sbin/modprobe" 251 help 252 When kernel code requests a module, it does so by calling 253 the "modprobe" userspace utility. This option allows you to 254 set the path where that binary is found. This can be changed 255 at runtime via the sysctl file 256 /proc/sys/kernel/modprobe. Setting this to the empty string 257 removes the kernel's ability to request modules (but 258 userspace can still load modules explicitly). 259 260config TRIM_UNUSED_KSYMS 261 bool "Trim unused exported kernel symbols" if EXPERT 262 depends on !COMPILE_TEST 263 help 264 The kernel and some modules make many symbols available for 265 other modules to use via EXPORT_SYMBOL() and variants. Depending 266 on the set of modules being selected in your kernel configuration, 267 many of those exported symbols might never be used. 268 269 This option allows for unused exported symbols to be dropped from 270 the build. In turn, this provides the compiler more opportunities 271 (especially when using LTO) for optimizing the code and reducing 272 binary size. This might have some security advantages as well. 273 274 If unsure, or if you need to build out-of-tree modules, say N. 275 276config UNUSED_KSYMS_WHITELIST 277 string "Whitelist of symbols to keep in ksymtab" 278 depends on TRIM_UNUSED_KSYMS 279 help 280 By default, all unused exported symbols will be un-exported from the 281 build when TRIM_UNUSED_KSYMS is selected. 282 283 UNUSED_KSYMS_WHITELIST allows to whitelist symbols that must be kept 284 exported at all times, even in absence of in-tree users. The value to 285 set here is the path to a text file containing the list of symbols, 286 one per line. The path can be absolute, or relative to the kernel 287 source tree. 288 289config MODULES_TREE_LOOKUP 290 def_bool y 291 depends on PERF_EVENTS || TRACING || CFI_CLANG 292 293endif # MODULES 294