aboutsummaryrefslogtreecommitdiff
path: root/kernel/module/Kconfig
blob: 26ea5d04f56c2d6150e9aeee3764907c1da6cca4 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
# SPDX-License-Identifier: GPL-2.0-only
menuconfig MODULES
	bool "Enable loadable module support"
	modules
	help
	  Kernel modules are small pieces of compiled code which can
	  be inserted in the running kernel, rather than being
	  permanently built into the kernel.  You use the "modprobe"
	  tool to add (and sometimes remove) them.  If you say Y here,
	  many parts of the kernel can be built as modules (by
	  answering M instead of Y where indicated): this is most
	  useful for infrequently used options which are not required
	  for booting.  For more information, see the man pages for
	  modprobe, lsmod, modinfo, insmod and rmmod.

	  If you say Y here, you will need to run "make
	  modules_install" to put the modules under /lib/modules/
	  where modprobe can find them (you may need to be root to do
	  this).

	  If unsure, say Y.

if MODULES

config MODULE_FORCE_LOAD
	bool "Forced module loading"
	default n
	help
	  Allow loading of modules without version information (ie. modprobe
	  --force).  Forced module loading sets the 'F' (forced) taint flag and
	  is usually a really bad idea.

config MODULE_UNLOAD
	bool "Module unloading"
	help
	  Without this option you will not be able to unload any
	  modules (note that some modules may not be unloadable
	  anyway), which makes your kernel smaller, faster
	  and simpler.  If unsure, say Y.

config MODULE_FORCE_UNLOAD
	bool "Forced module unloading"
	depends on MODULE_UNLOAD
	help
	  This option allows you to force a module to unload, even if the
	  kernel believes it is unsafe: the kernel will remove the module
	  without waiting for anyone to stop using it (using the -f option to
	  rmmod).  This is mainly for kernel developers and desperate users.
	  If unsure, say N.

config MODULE_UNLOAD_TAINT_TRACKING
	bool "Tainted module unload tracking"
	depends on MODULE_UNLOAD
	default n
	help
	  This option allows you to maintain a record of each unloaded
	  module that tainted the kernel. In addition to displaying a
	  list of linked (or loaded) modules e.g. on detection of a bad
	  page (see bad_page()), the aforementioned details are also
	  shown. If unsure, say N.

config MODVERSIONS
	bool "Module versioning support"
	help
	  Usually, you have to use modules compiled with your kernel.
	  Saying Y here makes it sometimes possible to use modules
	  compiled for different kernels, by adding enough information
	  to the modules to (hopefully) spot any changes which would
	  make them incompatible with the kernel you are running.  If
	  unsure, say N.

config ASM_MODVERSIONS
	bool
	default HAVE_ASM_MODVERSIONS && MODVERSIONS
	help
	  This enables module versioning for exported symbols also from
	  assembly. This can be enabled only when the target architecture
	  supports it.

config MODULE_SRCVERSION_ALL
	bool "Source checksum for all modules"
	help
	  Modules which contain a MODULE_VERSION get an extra "srcversion"
	  field inserted into their modinfo section, which contains a
	  sum of the source files which made it.  This helps maintainers
	  see exactly which source was used to build a module (since
	  others sometimes change the module source without updating
	  the version).  With this option, such a "srcversion" field
	  will be created for all modules.  If unsure, say N.

config MODULE_SIG
	bool "Module signature verification"
	select MODULE_SIG_FORMAT
	help
	  Check modules for valid signatures upon load: the signature
	  is simply appended to the module. For more information see
	  <file:Documentation/admin-guide/module-signing.rst>.

	  Note that this option adds the OpenSSL development packages as a
	  kernel build dependency so that the signing tool can use its crypto
	  library.

	  You should enable this option if you wish to use either
	  CONFIG_SECURITY_LOCKDOWN_LSM or lockdown functionality imposed via
	  another LSM - otherwise unsigned modules will be loadable regardless
	  of the lockdown policy.

	  !!!WARNING!!!  If you enable this option, you MUST make sure that the
	  module DOES NOT get stripped after being signed.  This includes the
	  debuginfo strip done by some packagers (such as rpmbuild) and
	  inclusion into an initramfs that wants the module size reduced.

config MODULE_SIG_FORCE
	bool "Require modules to be validly signed"
	depends on MODULE_SIG
	help
	  Reject unsigned modules or signed modules for which we don't have a
	  key.  Without this, such modules will simply taint the kernel.

config MODULE_SIG_ALL
	bool "Automatically sign all modules"
	default y
	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
	help
	  Sign all modules during make modules_install. Without this option,
	  modules must be signed manually, using the scripts/sign-file tool.

comment "Do not forget to sign required modules with scripts/sign-file"
	depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL

choice
	prompt "Which hash algorithm should modules be signed with?"
	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
	help
	  This determines which sort of hashing algorithm will be used during
	  signature generation.  This algorithm _must_ be built into the kernel
	  directly so that signature verification can take place.  It is not
	  possible to load a signed module containing the algorithm to check
	  the signature on that module.

config MODULE_SIG_SHA1
	bool "Sign modules with SHA-1"
	select CRYPTO_SHA1

config MODULE_SIG_SHA224
	bool "Sign modules with SHA-224"
	select CRYPTO_SHA256

config MODULE_SIG_SHA256
	bool "Sign modules with SHA-256"
	select CRYPTO_SHA256

config MODULE_SIG_SHA384
	bool "Sign modules with SHA-384"
	select CRYPTO_SHA512

config MODULE_SIG_SHA512
	bool "Sign modules with SHA-512"
	select CRYPTO_SHA512

endchoice

config MODULE_SIG_HASH
	string
	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
	default "sha1" if MODULE_SIG_SHA1
	default "sha224" if MODULE_SIG_SHA224
	default "sha256" if MODULE_SIG_SHA256
	default "sha384" if MODULE_SIG_SHA384
	default "sha512" if MODULE_SIG_SHA512

choice
	prompt "Module compression mode"
	help
	  This option allows you to choose the algorithm which will be used to
	  compress modules when 'make modules_install' is run. (or, you can
	  choose to not compress modules at all.)

	  External modules will also be compressed in the same way during the
	  installation.

	  For modules inside an initrd or initramfs, it's more efficient to
	  compress the whole initrd or initramfs instead.

	  This is fully compatible with signed modules.

	  Please note that the tool used to load modules needs to support the
	  corresponding algorithm. module-init-tools MAY support gzip, and kmod
	  MAY support gzip, xz and zstd.

	  Your build system needs to provide the appropriate compression tool
	  to compress the modules.

	  If in doubt, select 'None'.

config MODULE_COMPRESS_NONE
	bool "None"
	help
	  Do not compress modules. The installed modules are suffixed
	  with .ko.

config MODULE_COMPRESS_GZIP
	bool "GZIP"
	help
	  Compress modules with GZIP. The installed modules are suffixed
	  with .ko.gz.

config MODULE_COMPRESS_XZ
	bool "XZ"
	help
	  Compress modules with XZ. The installed modules are suffixed
	  with .ko.xz.

config MODULE_COMPRESS_ZSTD
	bool "ZSTD"
	help
	  Compress modules with ZSTD. The installed modules are suffixed
	  with .ko.zst.

endchoice

config MODULE_DECOMPRESS
	bool "Support in-kernel module decompression"
	depends on MODULE_COMPRESS_GZIP || MODULE_COMPRESS_XZ
	select ZLIB_INFLATE if MODULE_COMPRESS_GZIP
	select XZ_DEC if MODULE_COMPRESS_XZ
	help

	  Support for decompressing kernel modules by the kernel itself
	  instead of relying on userspace to perform this task. Useful when
	  load pinning security policy is enabled.

	  If unsure, say N.

config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS
	bool "Allow loading of modules with missing namespace imports"
	help
	  Symbols exported with EXPORT_SYMBOL_NS*() are considered exported in
	  a namespace. A module that makes use of a symbol exported with such a
	  namespace is required to import the namespace via MODULE_IMPORT_NS().
	  There is no technical reason to enforce correct namespace imports,
	  but it creates consistency between symbols defining namespaces and
	  users importing namespaces they make use of. This option relaxes this
	  requirement and lifts the enforcement when loading a module.

	  If unsure, say N.

config MODPROBE_PATH
	string "Path to modprobe binary"
	default "/sbin/modprobe"
	help
	  When kernel code requests a module, it does so by calling
	  the "modprobe" userspace utility. This option allows you to
	  set the path where that binary is found. This can be changed
	  at runtime via the sysctl file
	  /proc/sys/kernel/modprobe. Setting this to the empty string
	  removes the kernel's ability to request modules (but
	  userspace can still load modules explicitly).

config TRIM_UNUSED_KSYMS
	bool "Trim unused exported kernel symbols" if EXPERT
	depends on !COMPILE_TEST
	help
	  The kernel and some modules make many symbols available for
	  other modules to use via EXPORT_SYMBOL() and variants. Depending
	  on the set of modules being selected in your kernel configuration,
	  many of those exported symbols might never be used.

	  This option allows for unused exported symbols to be dropped from
	  the build. In turn, this provides the compiler more opportunities
	  (especially when using LTO) for optimizing the code and reducing
	  binary size.  This might have some security advantages as well.

	  If unsure, or if you need to build out-of-tree modules, say N.

config UNUSED_KSYMS_WHITELIST
	string "Whitelist of symbols to keep in ksymtab"
	depends on TRIM_UNUSED_KSYMS
	help
	  By default, all unused exported symbols will be un-exported from the
	  build when TRIM_UNUSED_KSYMS is selected.

	  UNUSED_KSYMS_WHITELIST allows to whitelist symbols that must be kept
	  exported at all times, even in absence of in-tree users. The value to
	  set here is the path to a text file containing the list of symbols,
	  one per line. The path can be absolute, or relative to the kernel
	  source tree.

config MODULES_TREE_LOOKUP
	def_bool y
	depends on PERF_EVENTS || TRACING || CFI_CLANG

endif # MODULES