* [Buildroot] How can I compile a module into the kernel?
@ 2018-10-20 23:27 Patrick Doyle
  2018-10-21  7:55 ` Thomas Petazzoni
  0 siblings, 1 reply; 6+ messages in thread
From: Patrick Doyle @ 2018-10-20 23:27 UTC (permalink / raw)
  To: buildroot

For security reasons, I would like to disable loadable modules in my
kernel.  But my wireless driver is only available as a module.

I could drop the module into the source tree, possibly with a minor
tweak to the Makefile, and just include it that way, but then I would
have to maintain a source tree separately from my vendor supplied
source tree.  And I hate proliferating yet another public git
repository clone of a clone of a clone of the Linux kernel.

Or I could drop the module into my source tree and convert it into a
large patch which I would apply to the kernel as part of the build
process.  But those sorts of patches get messy to maintain.

What I would really like to do is to tell buildroot and/or the kernel
"Link this external module into the kernel at link time, not at
runtime".

Does anybody have any thoughts as to how I might do that?

--wpd


* [Buildroot] How can I compile a module into the kernel?
  2018-10-20 23:27 [Buildroot] How can I compile a module into the kernel? Patrick Doyle
@ 2018-10-21  7:55 ` Thomas Petazzoni
  2018-10-21 17:20   ` Patrick Doyle
  0 siblings, 1 reply; 6+ messages in thread
From: Thomas Petazzoni @ 2018-10-21  7:55 UTC (permalink / raw)
  To: buildroot

Hello Patrick,

On Sat, 20 Oct 2018 19:27:05 -0400, Patrick Doyle wrote:
> For security reasons, I would like to disable loadable modules in my
> kernel.  But my wireless driver is only available as a module.
> 
> I could drop the module into the source tree, possibly with a minor
> tweak to the Makefile, and just include it that way, but then I would
> have to maintain a source tree separately from my vendor supplied
> source tree.  And I hate proliferating yet another public git
> repository clone of a clone of a clone of the Linux kernel.
> 
> Or I could drop the module into my source tree and convert it into a
> large patch which I would apply to the kernel as part of the build
> process.  But those sorts of patches get messy to maintain.
> 
> What I would really like to do is to tell buildroot and/or the kernel
> "Link this external module into the kernel at link time, not at
> runtime".

You simply can't do that: external modules can only be built as
modules. If you want a driver to be compiled inside the kernel image
itself, then it has to be built as part of the kernel build process. So
you need to import the source code of your driver into your kernel
source tree.

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] How can I compile a module into the kernel?
  2018-10-21  7:55 ` Thomas Petazzoni
@ 2018-10-21 17:20   ` Patrick Doyle
  2018-10-21 17:33     ` Thomas Petazzoni
  0 siblings, 1 reply; 6+ messages in thread
From: Patrick Doyle @ 2018-10-21 17:20 UTC (permalink / raw)
  To: buildroot

On Sun, Oct 21, 2018 at 3:55 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
> Hello Patrick,
> On Sat, 20 Oct 2018 19:27:05 -0400, Patrick Doyle wrote:
> > For security reasons, I would like to disable loadable modules in my
> > kernel.
> > What I would really like to do is to tell buildroot and/or the kernel
> > "Link this external module into the kernel at link time, not at
> > runtime".
>
> You simply can't do that: external modules can only be built as
> modules.
Thank you Thomas.
Yeah, that's what I was finding as well, but I thought I should ask nonetheless.

Is it possible to permanently disable loadable modules from user space
at runtime?  Or to only load signed modules?  Or do I need to look
more carefully at selinux?

Any thoughts?

Thanks again.

--wpd


* [Buildroot] How can I compile a module into the kernel?
  2018-10-21 17:20   ` Patrick Doyle
@ 2018-10-21 17:33     ` Thomas Petazzoni
  2018-10-21 17:47       ` Baruch Siach
  0 siblings, 1 reply; 6+ messages in thread
From: Thomas Petazzoni @ 2018-10-21 17:33 UTC (permalink / raw)
  To: buildroot

Hello,

On Sun, 21 Oct 2018 13:20:58 -0400, Patrick Doyle wrote:

> Is it possible to permanently disable loadable modules from user space
> at runtime?  Or to only load signed modules?  Or do I need to look
> more carefully at selinux?

Yes, you can lock to only load signed modules, and I think you can also
lock to no longer load any modules, i.e. you can load a few modules at
boot time, and then ask the kernel to no longer load any other module.

I don't have a reference for that, but I'm pretty sure it was discussed
on LWN some $time ago.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] How can I compile a module into the kernel?
  2018-10-21 17:33     ` Thomas Petazzoni
@ 2018-10-21 17:47       ` Baruch Siach
  2018-10-22  0:56         ` Patrick Doyle
  0 siblings, 1 reply; 6+ messages in thread
From: Baruch Siach @ 2018-10-21 17:47 UTC (permalink / raw)
  To: buildroot

Hi Thomas, Patrick,

Thomas Petazzoni writes:
> On Sun, 21 Oct 2018 13:20:58 -0400, Patrick Doyle wrote:
>> Is it possible to permanently disable loadable modules from user space
>> at runtime?  Or to only load signed modules?  Or do I need to look
>> more carefully at selinux?
>
> Yes, you can lock to only load signed modules, and I think you can also
> lock to no longer load any modules, i.e. you can load a few modules at
> boot time, and then ask the kernel to no longer load any other module.

See the 'modules_disabled' sysctl. It's documented in
Documentation/sysctl/kernel.txt.

baruch

-- 
     http://baruch.siach.name/blog/                  ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
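
Added example (not part of the original thread): the sequence described above, loading the needed modules at boot and then setting the 'modules_disabled' sysctl, written as a shell function for an init script. The MODULES_DISABLED and MODPROBE override variables and the module name in the usage comment are assumptions introduced here.

```shell
#!/bin/sh
# Boot-time module lockdown: load the modules the board needs, then set
# kernel.modules_disabled=1. The sysctl is one-way: once it reads 1 it
# cannot be set back to 0 until the next reboot.
#
# Both variables are overridable (assumption of this example) so the
# logic can be exercised against a scratch file instead of /proc.
: "${MODULES_DISABLED:=/proc/sys/kernel/modules_disabled}"
: "${MODPROBE:=modprobe}"

# Usage from an init script (module name is a placeholder):
#   lock_modules my_wifi_driver || echo "module lockdown failed" >&2
#
# Returns 0 only if every named module loaded and the sysctl reads back 1.
lock_modules() {
    if [ ! -w "$MODULES_DISABLED" ]; then
        echo "cannot write $MODULES_DISABLED (not root, or CONFIG_MODULES=n)" >&2
        return 2
    fi

    # Already locked: nothing more can be loaded, so asking for a module
    # now is an ordering bug in the boot scripts.
    if [ "$(cat "$MODULES_DISABLED")" = 1 ]; then
        [ $# -eq 0 ] && return 0
        echo "modules already disabled; cannot load: $*" >&2
        return 3
    fi

    # Policy assumed here: if a required module fails to load, report it
    # and leave the switch untouched so the caller decides what to do.
    for m in "$@"; do
        if ! $MODPROBE "$m"; then
            echo "failed to load $m; modules_disabled left at 0" >&2
            return 1
        fi
    done

    echo 1 > "$MODULES_DISABLED" || return 4

    # Read back rather than trusting the write.
    [ "$(cat "$MODULES_DISABLED")" = 1 ]
}
```

Run it after every script that loads a driver, since any later modprobe will fail once the switch is set.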


* [Buildroot] How can I compile a module into the kernel?
  2018-10-21 17:47       ` Baruch Siach
@ 2018-10-22  0:56         ` Patrick Doyle
  0 siblings, 0 replies; 6+ messages in thread
From: Patrick Doyle @ 2018-10-22  0:56 UTC (permalink / raw)
  To: buildroot

On Sun, Oct 21, 2018 at 1:47 PM Baruch Siach <baruch@tkos.co.il> wrote:
> Hi Thomas, Patrick,
> See the 'modules_disabled' sysctl. It's documented in
> Documentation/sysctl/kernel.txt.
>
> baruch
Excellent!  That's what I needed.  Thanks.

--wpd
