From nobody Sat Feb  7 06:20:50 2026
Received: from mail-wr1-f43.google.com (mail-wr1-f43.google.com
 [209.85.221.43])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id BC99C407573
	for <linux-kernel@vger.kernel.org>; Thu,  5 Feb 2026 14:37:45 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.221.43
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1770302266; cv=none;
 b=riBQe5WNV8FGa5VH1dHIddkJ2TOoX/c2Atr8uznZUoE9aOJDNQzUEu0IMtj/+CpEDALyvJIZ1QpSXWNFWjMhiu/z5YmABxBq2uGIFeN8EaXKCIGr0UUjfiLiYxH1A8qqnseBdwlmtbEnEYqW6LQeTLU+z5mhUCvooAZ11TAWW9Q=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1770302266; c=relaxed/simple;
	bh=3+I3YXJAeMJegb9I1hw4ztW66HinQyv4pQxBA83lAQY=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
 b=WvNlLw7Jf56Nt+pAMcNjSfqueDOPjTC0ihVbus7CpUjLcq69hJuwb6yk9dDdO4lofbK4YoNhZgQOvWxRke/X4Flwf7ZRmGSNRHmvzdv+gqOKDceP+jCeYg4VGatZwUrhdUZKABH3J7FM+jlcwNtVZZ0NA73lINxB5fVWwz3jlBY=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=suse.com;
 spf=pass smtp.mailfrom=suse.com;
 dkim=pass (2048-bit key) header.d=suse.com header.i=@suse.com
 header.b=NYJrqpiY; arc=none smtp.client-ip=209.85.221.43
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=suse.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=suse.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=suse.com header.i=@suse.com
 header.b="NYJrqpiY"
Received: by mail-wr1-f43.google.com with SMTP id
 ffacd0b85a97d-435a517be33so705565f8f.0
        for <linux-kernel@vger.kernel.org>;
 Thu, 05 Feb 2026 06:37:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=suse.com; s=google; t=1770302264; x=1770907064;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=D1qdUtqe3EFZ3Mf4wkI+qAPVS2QnmUM27Jj1lTw5Vko=;
        b=NYJrqpiYTJpJwBLGDkMMaHEzkM3t4Cc88bnFX5Ty/yfbDAPshd5HJ5rIeJaEYsyU++
         z1isjn/JKfxToucf4bze3g07YYwYMpLsh91lwChjgiNMsF+8RtwctgrlsZIWq//oiOjX
         s9yo/DfLqfVmcf+lM68gsWcg2vcbLB0O5CxCF+oFE1YibxlINVrRZQyNpHQronxWZPqC
         O5XFFRUN6b1MGmTTbpIk0Ts08kvwbh4gdelgsTM48t8Oxj8CJW99WjHXW93CkvsiNyoC
         c+tIQvvUDbS7fjBlwWrDw55RTtgSFiBvropJxj76paIdEwUfwCoMG15SrxueEhWEB8NU
         CR1w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1770302264; x=1770907064;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=D1qdUtqe3EFZ3Mf4wkI+qAPVS2QnmUM27Jj1lTw5Vko=;
        b=FkNTeLj6b2WmE93BLTijjSE4Tf/4tSi+lEmkPu1xwVJD1i0cO77+YUrH6t/rcDkT80
         +B2+3jb08shFSOOBz1IVUlXpvsnedbg+7IavuGpPbPcjD4P+r6L3YvuZKVsviGYdC0+f
         q2LG2CtKFt6jvETq4pWpZjjys4RNZ+aydyPzsjVGHJIxFVe0aGfFvksLcSdskdqpPyTJ
         9qfUH9GpsmCm9rUUASL/AbRC9Rt88s9voRcXS0HXZt49FWwOv/Gn5HDrjZjf2XulyLeY
         s9kS6iiszyYInrjWkrQxZpnbNuybK8J8+1QJwDchsok7yaQIdbwRszIVd7+H7xr/ePiG
         ATIw==
X-Forwarded-Encrypted: i=1;
 AJvYcCUO7W1gcO4fRB96Ah0fxTNWsG6aJKFOAO7dMkp1TQOsv9py86au6goyg6hnFK0gDxvCXzdraNuyAZqseYg=@vger.kernel.org
X-Gm-Message-State: AOJu0YzYlM/6WrpXvk5u5cCKCXP4OEQbkkQd/a7aqQofIreHBlbleKKR
	JKbTlAdt1aUQntV1KLCB8fD8Quo+k34lJMKcASwg8y+yU1coWwCmcuc/Sx5Imx+eZvc=
X-Gm-Gg: AZuq6aLYf3OJ53dzmwTVyOC4oLtxaJRESvfozw8GBY/nlZofiZJ7m7DLEysZWpbpTPW
	vCNkFPxDo2RNeTv7Bc6f4eS3u9GqIu9P4xoaY8fo/ZS1jxgSZ909uoE0KyPzDrgkJ2NzY+mCgk8
	fQ6forOpREm0bnZ/KLDhKgZMsdzc3ncm3F5i5R9QYa2yGgys4/Bu+KTCEIhRg5Jjvl6FMGCobjN
	2WR5iSpfkpr62PusCCyNGCmfvRWpPnfEhbxucjRlJOxy/st0Posu3rT/aDyA7jKtBvh38RPeAPq
	x+m5HbuAqI1j8FeixdD6gbwgI6bbA3hIufd1xgpW3A8vTEGwk0TYxjcUWMUWCsNNYVP7yhUz0m9
	E8lNFKdoczZarULgxDBKp7NmzzOs7XfXeFPWgs7Q39WAtaV+cIFEsTeB4vOmetbTr7kqwrTga3i
	wAS/u8eh+yw0MjZdemHGGgc77ylOUrjZA=
X-Received: by 2002:adf:fc86:0:b0:436:19f9:9012 with SMTP id
 ffacd0b85a97d-43619f99049mr5823961f8f.9.1770302263969;
        Thu, 05 Feb 2026 06:37:43 -0800 (PST)
Received: from zovi.suse.cz (109-81-1-107.rct.o2.cz. [109.81.1.107])
        by smtp.gmail.com with ESMTPSA id
 ffacd0b85a97d-43617e25cefsm15486175f8f.9.2026.02.05.06.37.42
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 05 Feb 2026 06:37:43 -0800 (PST)
From: Petr Pavlu <petr.pavlu@suse.com>
To: Luis Chamberlain <mcgrof@kernel.org>,
	Petr Pavlu <petr.pavlu@suse.com>,
	Daniel Gomez <da.gomez@kernel.org>,
	Sami Tolvanen <samitolvanen@google.com>
Cc: Aaron Tomlin <atomlin@atomlin.com>,
	linux-modules@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH] module: Fix the modversions and signing submenus
Date: Thu,  5 Feb 2026 15:37:08 +0100
Message-ID: <20260205143720.423026-1-petr.pavlu@suse.com>
X-Mailer: git-send-email 2.52.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

The module Kconfig file contains a set of options related to "Module
versioning support" (depends on MODVERSIONS) and "Module signature
verification" (depends on MODULE_SIG). The Kconfig tool automatically
creates submenus when an entry for a symbol is followed by consecutive
items that all depend on the symbol. However, this functionality doesn't
work for the mentioned module options. The MODVERSIONS options are
interleaved with ASM_MODVERSIONS, which has no 'depends on MODVERSIONS' but
instead uses 'default HAVE_ASM_MODVERSIONS && MODVERSIONS'. Similarly, the
MODULE_SIG options are interleaved by a comment warning not to forget
signing modules with scripts/sign-file, which uses the condition 'depends
on MODULE_SIG_FORCE && !MODULE_SIG_ALL'.

The result is that the options are confusingly shown when using
a menuconfig tool, as follows:

 [*]   Module versioning support
         Module versioning implementation (genksyms (from source code))  --=
->
 [ ]   Extended Module Versioning Support
 [*]   Basic Module Versioning Support
 [*]   Source checksum for all modules
 [*]   Module signature verification
 [ ]     Require modules to be validly signed
 [ ]     Automatically sign all modules
       Hash algorithm to sign modules (SHA-256)  --->

Fix the issue by using if/endif to group related options together in
kernel/module/Kconfig, similarly to how the MODULE_DEBUG options are
already grouped. Note that the signing-related options depend on
'MODULE_SIG || IMA_APPRAISE_MODSIG', with the exception of
MODULE_SIG_FORCE, which is valid only for MODULE_SIG and is therefore kept
separately. For consistency, do the same for the MODULE_COMPRESS entries.
The options are then properly placed into submenus, as follows:

 [*]   Module versioning support
         Module versioning implementation (genksyms (from source code))  --=
->
 [ ]     Extended Module Versioning Support
 [*]     Basic Module Versioning Support
 [*]   Source checksum for all modules
 [*]   Module signature verification
 [ ]     Require modules to be validly signed
 [ ]     Automatically sign all modules
         Hash algorithm to sign modules (SHA-256)  --->

Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
---
 kernel/module/Kconfig | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig
index 2a1beebf1d37..537985387ff3 100644
--- a/kernel/module/Kconfig
+++ b/kernel/module/Kconfig
@@ -169,9 +169,10 @@ config MODVERSIONS
 	  make them incompatible with the kernel you are running.  If
 	  unsure, say N.
=20
+if MODVERSIONS
+
 choice
 	prompt "Module versioning implementation"
-	depends on MODVERSIONS
 	help
 	  Select the tool used to calculate symbol versions for modules.
=20
@@ -206,7 +207,7 @@ endchoice
=20
 config ASM_MODVERSIONS
 	bool
-	default HAVE_ASM_MODVERSIONS && MODVERSIONS
+	default HAVE_ASM_MODVERSIONS
 	help
 	  This enables module versioning for exported symbols also from
 	  assembly. This can be enabled only when the target architecture
@@ -214,7 +215,6 @@ config ASM_MODVERSIONS
=20
 config EXTENDED_MODVERSIONS
 	bool "Extended Module Versioning Support"
-	depends on MODVERSIONS
 	help
 	  This enables extended MODVERSIONs support, allowing long symbol
 	  names to be versioned.
@@ -224,7 +224,6 @@ config EXTENDED_MODVERSIONS
=20
 config BASIC_MODVERSIONS
 	bool "Basic Module Versioning Support"
-	depends on MODVERSIONS
 	default y
 	help
 	  This enables basic MODVERSIONS support, allowing older tools or
@@ -237,6 +236,8 @@ config BASIC_MODVERSIONS
 	  This is enabled by default when MODVERSIONS are enabled.
 	  If unsure, say Y.
=20
+endif # MODVERSIONS
+
 config MODULE_SRCVERSION_ALL
 	bool "Source checksum for all modules"
 	help
@@ -277,10 +278,11 @@ config MODULE_SIG_FORCE
 	  Reject unsigned modules or signed modules for which we don't have a
 	  key.  Without this, such modules will simply taint the kernel.
=20
+if MODULE_SIG || IMA_APPRAISE_MODSIG
+
 config MODULE_SIG_ALL
 	bool "Automatically sign all modules"
 	default y
-	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
 	help
 	  Sign all modules during make modules_install. Without this option,
 	  modules must be signed manually, using the scripts/sign-file tool.
@@ -290,7 +292,6 @@ comment "Do not forget to sign required modules with sc=
ripts/sign-file"
=20
 choice
 	prompt "Hash algorithm to sign modules"
-	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
 	default MODULE_SIG_SHA512
 	help
 	  This determines which sort of hashing algorithm will be used during
@@ -331,7 +332,6 @@ endchoice
=20
 config MODULE_SIG_HASH
 	string
-	depends on MODULE_SIG || IMA_APPRAISE_MODSIG
 	default "sha1" if MODULE_SIG_SHA1
 	default "sha256" if MODULE_SIG_SHA256
 	default "sha384" if MODULE_SIG_SHA384
@@ -340,6 +340,8 @@ config MODULE_SIG_HASH
 	default "sha3-384" if MODULE_SIG_SHA3_384
 	default "sha3-512" if MODULE_SIG_SHA3_512
=20
+endif # MODULE_SIG || IMA_APPRAISE_MODSIG
+
 config MODULE_COMPRESS
 	bool "Module compression"
 	help
@@ -355,9 +357,10 @@ config MODULE_COMPRESS
=20
 	  If unsure, say N.
=20
+if MODULE_COMPRESS
+
 choice
 	prompt "Module compression type"
-	depends on MODULE_COMPRESS
 	help
 	  Choose the supported algorithm for module compression.
=20
@@ -384,7 +387,6 @@ endchoice
 config MODULE_COMPRESS_ALL
 	bool "Automatically compress all modules"
 	default y
-	depends on MODULE_COMPRESS
 	help
 	  Compress all modules during 'make modules_install'.
=20
@@ -394,7 +396,6 @@ config MODULE_COMPRESS_ALL
=20
 config MODULE_DECOMPRESS
 	bool "Support in-kernel module decompression"
-	depends on MODULE_COMPRESS
 	select ZLIB_INFLATE if MODULE_COMPRESS_GZIP
 	select XZ_DEC if MODULE_COMPRESS_XZ
 	select ZSTD_DECOMPRESS if MODULE_COMPRESS_ZSTD
@@ -405,6 +406,8 @@ config MODULE_DECOMPRESS
=20
 	  If unsure, say N.
=20
+endif # MODULE_COMPRESS
+
 config MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS
 	bool "Allow loading of modules with missing namespace imports"
 	help

base-commit: 6bd9ed02871f22beb0e50690b0c3caf457104f7c
--=20
2.52.0