0001 # SPDX-License-Identifier: GPL-2.0-only
0002 menuconfig MODULES
0003 bool "Enable loadable module support"
0004 modules
0005 help
0006 Kernel modules are small pieces of compiled code which can
0007 be inserted in the running kernel, rather than being
0008 permanently built into the kernel. You use the "modprobe"
0009 tool to add (and sometimes remove) them. If you say Y here,
0010 many parts of the kernel can be built as modules (by
0011 answering M instead of Y where indicated): this is most
0012 useful for infrequently used options which are not required
0013 for booting. For more information, see the man pages for
0014 modprobe, lsmod, modinfo, insmod and rmmod.
0015
0016 If you say Y here, you will need to run "make
0017 modules_install" to put the modules under /lib/modules/
0018 where modprobe can find them (you may need to be root to do
0019 this).
0020
0021 If unsure, say Y.
0022
0023 if MODULES
0024
0025 config MODULE_FORCE_LOAD
0026 bool "Forced module loading"
0027 default n
0028 help
0029 Allow loading of modules without version information (ie. modprobe
0030 --force). Forced module loading sets the 'F' (forced) taint flag and
0031 is usually a really bad idea.
0032
0033 config MODULE_UNLOAD
0034 bool "Module unloading"
0035 help
0036 Without this option you will not be able to unload any
0037 modules (note that some modules may not be unloadable
0038 anyway), which makes your kernel smaller, faster
0039 and simpler. If unsure, say Y.
0040
0041 config MODULE_FORCE_UNLOAD
0042 bool "Forced module unloading"
0043 depends on MODULE_UNLOAD
0044 help
0045 This option allows you to force a module to unload, even if the
0046 kernel believes it is unsafe: the kernel will remove the module
0047 without waiting for anyone to stop using it (using the -f option to
0048 rmmod). This is mainly for kernel developers and desperate users.
0049 If unsure, say N.
0050
0051 config MODULE_UNLOAD_TAINT_TRACKING
0052 bool "Tainted module unload tracking"
0053 depends on MODULE_UNLOAD
0054 default n
0055 help
0056 This option allows you to maintain a record of each unloaded
0057 module that tainted the kernel. In addition to displaying a
0058 list of linked (or loaded) modules e.g. on detection of a bad
0059 page (see bad_page()), the aforementioned details are also
0060 shown. If unsure, say N.
0061
0062 config MODVERSIONS
0063 bool "Module versioning support"
0064 help
0065 Usually, you have to use modules compiled with your kernel.
0066 Saying Y here makes it sometimes possible to use modules
0067 compiled for different kernels, by adding enough information
0068 to the modules to (hopefully) spot any changes which would
0069 make them incompatible with the kernel you are running. If
0070 unsure, say N.
0071
0072 config ASM_MODVERSIONS
0073 bool
0074 default HAVE_ASM_MODVERSIONS && MODVERSIONS
0075 help
0076 This enables module versioning for exported symbols also from
0077 assembly. This can be enabled only when the target architecture
0078 supports it.
0079
0080 config MODULE_SRCVERSION_ALL
0081 bool "Source checksum for all modules"
0082 help
0083 Modules which contain a MODULE_VERSION get an extra "srcversion"
0084 field inserted into their modinfo section, which contains a
0085 sum of the source files which made it. This helps maintainers
0086 see exactly which source was used to build a module (since
0087 others sometimes change the module source without updating
0088 the version). With this option, such a "srcversion" field
0089 will be created for all modules. If unsure, say N.
0090
0091 config MODULE_SIG
0092 bool "Module signature verification"
0093 select MODULE_SIG_FORMAT
0094 help
0095 Check modules for valid signatures upon load: the signature
0096 is simply appended to the module. For more information see
0097 <file:Documentation/admin-guide/module-signing.rst>.
0098
0099 Note that this option adds the OpenSSL development packages as a
0100 kernel build dependency so that the signing tool can use its crypto
0101 library.
0102
0103 You should enable this option if you wish to use either
0104 CONFIG_SECURITY_LOCKDOWN_LSM or lockdown functionality imposed via
0105 another LSM - otherwise unsigned modules will be loadable regardless
0106 of the lockdown policy.
0107
0108 !!!WARNING!!! If you enable this option, you MUST make sure that the
0109 module DOES NOT get stripped after being signed. This includes the
0110 debuginfo strip done by some packagers (such as rpmbuild) and
0111 inclusion into an initramfs that wants the module size reduced.
0112
0113 config MODULE_SIG_FORCE
0114 bool "Require modules to be validly signed"
0115 depends on MODULE_SIG
0116 help
0117 Reject unsigned modules or signed modules for which we don't have a
0118 key. Without this, such modules will simply taint the kernel.
0119
0120 config MODULE_SIG_ALL
0121 bool "Automatically sign all modules"
0122 default y
0123 depends on MODULE_SIG || IMA_APPRAISE_MODSIG
0124 help
0125 Sign all modules during make modules_install. Without this option,
0126 modules must be signed manually, using the scripts/sign-file tool.
0127
0128 comment "Do not forget to sign required modules with scripts/sign-file"
0129 depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
0130
0131 choice
0132 prompt "Which hash algorithm should modules be signed with?"
0133 depends on MODULE_SIG || IMA_APPRAISE_MODSIG
0134 help
0135 This determines which sort of hashing algorithm will be used during
0136 signature generation. This algorithm _must_ be built into the kernel
0137 directly so that signature verification can take place. It is not
0138 possible to load a signed module containing the algorithm to check
0139 the signature on that module.
0140
0141 config MODULE_SIG_SHA1
0142 bool "Sign modules with SHA-1"
0143 select CRYPTO_SHA1
0144
0145 config MODULE_SIG_SHA224
0146 bool "Sign modules with SHA-224"
0147 select CRYPTO_SHA256
0148
0149 config MODULE_SIG_SHA256
0150 bool "Sign modules with SHA-256"
0151 select CRYPTO_SHA256
0152
0153 config MODULE_SIG_SHA384
0154 bool "Sign modules with SHA-384"
0155 select CRYPTO_SHA512
0156
0157 config MODULE_SIG_SHA512
0158 bool "Sign modules with SHA-512"
0159 select CRYPTO_SHA512
0160
0161 endchoice
0162
0163 config MODULE_SIG_HASH
0164 string
0165 depends on MODULE_SIG || IMA_APPRAISE_MODSIG
0166 default "sha1" if MODULE_SIG_SHA1
0167 default "sha224" if MODULE_SIG_SHA224
0168 default "sha256" if MODULE_SIG_SHA256
0169 default "sha384" if MODULE_SIG_SHA384
0170 default "sha512" if MODULE_SIG_SHA512
0171
0172 choice
0173 prompt "Module compression mode"
0174 help
0175 This option allows you to choose the algorithm which will be used to
0176 compress modules when 'make modules_install' is run. (or, you can
0177 choose to not compress modules at all.)
0178
0179 External modules will also be compressed in the same way during the
0180 installation.
0181
0182 For modules inside an initrd or initramfs, it's more efficient to
0183 compress the whole initrd or initramfs instead.
0184
0185 This is fully compatible with signed modules.
0186
0187 Please note that the tool used to load modules needs to support the
0188 corresponding algorithm. module-init-tools MAY support gzip, and kmod
0189 MAY support gzip, xz and zstd.
0190
0191 Your build system needs to provide the appropriate compression tool
0192 to compress the modules.
0193
0194 If in doubt, select 'None'.
0195
0196 config MODULE_COMPRESS_NONE
0197 bool "None"
0198 help
0199 Do not compress modules. The installed modules are suffixed
0200 with .ko.
0201
0202 config MODULE_COMPRESS_GZIP
0203 bool "GZIP"
0204 help
0205 Compress modules with GZIP. The installed modules are suffixed
0206 with .ko.gz.
0207
0208 config MODULE_COMPRESS_XZ
0209 bool "XZ"
0210 help
0211 Compress modules with XZ. The installed modules are suffixed
0212 with .ko.xz.
0213
0214 config MODULE_COMPRESS_ZSTD
0215 bool "ZSTD"
0216 help
0217 Compress modules with ZSTD. The installed modules are suffixed
0218 with .ko.zst.
0219
0220 endchoice
0221
0222 config MODULE_DECOMPRESS
0223 bool "Support in-kernel module decompression"
0224 depends on MODULE_COMPRESS_GZIP || MODULE_COMPRESS_XZ
0225 select ZLIB_INFLATE if MODULE_COMPRESS_GZIP
0226 select XZ_DEC if MODULE_COMPRESS_XZ
0227 help
0228
0229 Support for decompressing kernel modules by the kernel itself
0230 instead of relying on userspace to perform this task. Useful when
0231 load pinning security policy is enabled.
0232
0233 If unsure, say N.
0234
0235 config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS
0236 bool "Allow loading of modules with missing namespace imports"
0237 help
0238 Symbols exported with EXPORT_SYMBOL_NS*() are considered exported in
0239 a namespace. A module that makes use of a symbol exported with such a
0240 namespace is required to import the namespace via MODULE_IMPORT_NS().
0241 There is no technical reason to enforce correct namespace imports,
0242 but it creates consistency between symbols defining namespaces and
0243 users importing namespaces they make use of. This option relaxes this
0244 requirement and lifts the enforcement when loading a module.
0245
0246 If unsure, say N.
0247
0248 config MODPROBE_PATH
0249 string "Path to modprobe binary"
0250 default "/sbin/modprobe"
0251 help
0252 When kernel code requests a module, it does so by calling
0253 the "modprobe" userspace utility. This option allows you to
0254 set the path where that binary is found. This can be changed
0255 at runtime via the sysctl file
0256 /proc/sys/kernel/modprobe. Setting this to the empty string
0257 removes the kernel's ability to request modules (but
0258 userspace can still load modules explicitly).
0259
0260 config TRIM_UNUSED_KSYMS
0261 bool "Trim unused exported kernel symbols" if EXPERT
0262 depends on !COMPILE_TEST
0263 help
0264 The kernel and some modules make many symbols available for
0265 other modules to use via EXPORT_SYMBOL() and variants. Depending
0266 on the set of modules being selected in your kernel configuration,
0267 many of those exported symbols might never be used.
0268
0269 This option allows for unused exported symbols to be dropped from
0270 the build. In turn, this provides the compiler more opportunities
0271 (especially when using LTO) for optimizing the code and reducing
0272 binary size. This might have some security advantages as well.
0273
0274 If unsure, or if you need to build out-of-tree modules, say N.
0275
0276 config UNUSED_KSYMS_WHITELIST
0277 string "Whitelist of symbols to keep in ksymtab"
0278 depends on TRIM_UNUSED_KSYMS
0279 help
0280 By default, all unused exported symbols will be un-exported from the
0281 build when TRIM_UNUSED_KSYMS is selected.
0282
0283 UNUSED_KSYMS_WHITELIST allows to whitelist symbols that must be kept
0284 exported at all times, even in absence of in-tree users. The value to
0285 set here is the path to a text file containing the list of symbols,
0286 one per line. The path can be absolute, or relative to the kernel
0287 source tree.
0288
0289 config MODULES_TREE_LOOKUP
0290 def_bool y
0291 depends on PERF_EVENTS || TRACING || CFI_CLANG
0292
0293 endif # MODULES
