From: Aaron Tomlin <atomlin@atomlin.com>
To: Arnd Bergmann <arnd@arndb.de>
Cc: Luis Chamberlain <mcgrof@kernel.org>,
Petr Pavlu <petr.pavlu@suse.com>,
da.gomez@kernel.org, Sami Tolvanen <samitolvanen@google.com>,
Peter Zijlstra <peterz@infradead.org>,
Andrew Morton <akpm@linux-foundation.org>,
Masami Hiramatsu <mhiramat@kernel.org>,
neelx@suse.com, da.anzani@gmail.com, sean@ashe.io,
chjohnst@mail.com, steve@abita.co, mproche@mail.com,
nick.lane@mail.com, Linux-Arch <linux-arch@vger.kernel.org>,
linux-modules@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v4] module: Extend module_blacklist parameter to built-in modules
Date: Mon, 13 Jul 2026 08:13:26 -0400 [thread overview]
Message-ID: <ea7kdjwoucecvetzf73ce5dpda3l3etb6i75bks6deekfu6mb6@ooptba3x2oh3> (raw)
In-Reply-To: <78ec1da5-11ae-4c35-a08e-cc88a5d083f4@app.fastmail.com>
On Mon, Jul 13, 2026 at 10:32:14AM +0200, Arnd Bergmann wrote:
> On Sat, Jul 11, 2026, at 01:13, Aaron Tomlin wrote:
> > On Fri, Jul 10, 2026 at 05:59:59PM +0200, Arnd Bergmann wrote:
> >> On Wed, Jul 8, 2026, at 04:00, Aaron Tomlin wrote:
> >> > Currently, the "module_blacklist=" command-line parameter only applies
> >> > to loadable modules. If a module is built-in, the parameter is silently
> >> > ignored. This patch extends the blacklisting functionality to built-in
> >> > modules by intercepting their initialisation routines during early boot.
> >>
> >> Andrew already asked you to provide more background on what you need
> >> this part for. Do you have a specific driver you need to disable?
> >>
> >> Can't you do the same thing using initcall_blacklist?
> >
> > The primary motivation for this patch is to provide consistent
> > administrative control.
>
> Ok, it sounds like you don't actually need it then.
>
> > Regarding your suggestion to use initcall_blacklist=, while it is certainly
> > a capable mechanism, it is fundamentally considered a debugging facility
> > intended for developers.
>
> I don't see much of a difference here, it's clearly still only a
> debugging tool to me, not a general administrative interface: turning
> off a random built-in driver likely causes undefined behavior later
> if there are any other drivers (built-in or loaded) that depend on it.
>
> Overall I don't think it's worth the added complexity.
Hi Arnd,
I appreciate your candour, but I must respectfully disagree with the
assessment that this is merely a debugging tool with no practical
necessity.
The requirement stems from large-scale infrastructure management and
configuration consistency. System administrators rely on standard
provisioning scripts across diverse hardware. If a distribution arbitrarily
alters a kernel configuration, changing a module from loadable (=m) to
built-in (=y), the administrator's module_blacklist= directive is suddenly
and silently ignored. This creates a severe policy enforcement gap.
Regarding the distinction between initcall_blacklist= and
module_blacklist=, the difference lies entirely in ABI stability.
To use initcall_blacklist= requires the administrator to know the exact
internal C function name of the initialisation routine (e.g.,
foo_driver_init). This is an internal kernel implementation detail, subject
to change without notice, and entirely undocumented for users. Conversely,
the module name is a stable, well-known, and documented user-facing
identifier. Providing a stable interface for administrative policy is the
very definition of a general administrative tool, rather than a developer
debugging facility.
For example, consider CVE-2021-43267. A system administrator can now use
module_blacklist=tipc which would cover both built-in and loadable module
configurations.
To address your concern regarding undefined behaviour, disabling a built-in
driver carries the exact same dependency risks as preventing a loadable
module from loading via the traditional blacklist. In both scenarios,
dependent drivers will naturally fail to probe or initialise. System
administrators who apply denylists are already expected to understand the
hardware and software dependencies of the modules they are explicitly
disabling.
I understand your hesitation regarding added complexity. However, with the
fast-path optimisation suggested by Sami (which bypassing the scan entirely
if the parameter is unused), the overhead is essentially zero. I believe
bridging the logical gap between how we treat =m and =y modules is well
worth that minimal footprint.
Kind regards,
--
Aaron Tomlin
next prev parent reply other threads:[~2026-07-13 12:13 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-08 2:00 Aaron Tomlin
2026-07-10 15:42 ` Sami Tolvanen
2026-07-18 1:58 ` Aaron Tomlin
2026-07-10 15:59 ` Arnd Bergmann
2026-07-10 23:13 ` Aaron Tomlin
2026-07-13 8:32 ` Arnd Bergmann
2026-07-13 12:13 ` Aaron Tomlin [this message]
2026-07-13 16:02 ` Petr Pavlu
2026-07-18 1:39 ` Aaron Tomlin
2026-07-14 14:46 ` Petr Pavlu
2026-07-18 4:03 ` Aaron Tomlin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ea7kdjwoucecvetzf73ce5dpda3l3etb6i75bks6deekfu6mb6@ooptba3x2oh3 \
--to=atomlin@atomlin.com \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=chjohnst@mail.com \
--cc=da.anzani@gmail.com \
--cc=da.gomez@kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-modules@vger.kernel.org \
--cc=mcgrof@kernel.org \
--cc=mhiramat@kernel.org \
--cc=mproche@mail.com \
--cc=neelx@suse.com \
--cc=nick.lane@mail.com \
--cc=peterz@infradead.org \
--cc=petr.pavlu@suse.com \
--cc=samitolvanen@google.com \
--cc=sean@ashe.io \
--cc=steve@abita.co \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox