EmbLogic's Blog

ARTICLE ON LOADABLE KERNEL MODULE

Loadable kernel module

In computing, a loadable kernel module (or LKM) is an object file that contains code to extend the running kernel, or so-called base kernel, of an operating system. LKMs are typically used to add support for new hardware and/or filesystems, or for adding system calls. When the functionality provided by an LKM is no longer required, it can be unloaded in order to free memory and other resources.

Most current Unix-like systems and Microsoft Windows support loadable kernel modules, although they might use a different name for them, such as kernel loadable module (kld) in FreeBSD, kernel extension (kext) in OS X and kernel-mode driver in Windows NT. They are also known as Kernel Loadable Modules (or KLM), and simply as Kernel Modules (KMOD).

Advantages

Without loadable kernel modules, an operating system would have to include all possible anticipated functionality already compiled directly into the base kernel. Much of that functionality would reside in memory without being used, wasting memory, and would require that users rebuild and reboot the base kernel every time they require new functionality. Most operating systems supporting loadable kernel modules will include modules to support most desired functionality.

Disadvantages

One minor criticism of preferring a modular kernel over a static kernel is the so-called Fragmentation Penalty. The base kernel is always unpacked into real contiguous memory by its setup routines; so, the base kernel code is never fragmented. Once the system is in a state where modules may be inserted—for example, once the filesystems have been mounted that contain the modules—it is probable that any new kernel code insertion will cause the kernel to become fragmented, thereby introducing a minor performance penalty.

Implementation of LKM in Linux

Loadable kernel modules in Linux are loaded (and unloaded) by the insmod command. They are located in /lib/modules and have had the extension .ko (“kernel object”) since version 2.6 (previous versions used the .o extension). The lsmod command lists the loaded kernel modules. In emergency cases, when the system fails to boot due to e.g. broken modules, specific modules can be enabled or disabled by modifying the kernel boot parameters list (for example, if using GRUB, by pressing ‘e’ in the GRUB start menu, then editing the kernel parameter line).

In the opinion of Linux maintainers, LKMs are derived works of the kernel. The Linux maintainers tolerate the distribution of proprietary modules, but allow symbols to be marked as only available to GNU General Public License (GPL) modules.

Loading a proprietary or non-GPL-compatible LKM will set a ‘taint’ flag in the running kernel, meaning that any problems or bugs experienced will be less likely to be investigated by the maintainers. LKMs effectively become part of the running kernel, so they can corrupt kernel data structures and produce bugs.

In 2004, Linuxant, a consulting company that releases proprietary device drivers as loadable kernel modules, attempted to bypass GPLONLY symbol restrictions by abusing a NULL terminator in their module license, i.e., MODULE_LICENSE:

MODULE_LICENSE("GPL\0for files in the \"GPL\" directory; for others, only LICENSE file applies");
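The effect of a NUL embedded in the license string, as an added example that is not code from the original article or from the kernel: a C-string reader sees only "GPL", while an audit that walks every entry of the module-info bytes finds the text left behind the terminator. It assumes module info is stored as consecutive NUL-terminated "tag=value" strings; the sample buffers are constructed and the helper names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Added example; helper names are hypothetical. Constructed sample bytes
 * laid out as consecutive NUL-terminated "tag=value" strings. */
static const char clean[]   = "license=GPL\0author=example";
static const char tricked[] =
    "license=GPL\0for files in the \"GPL\" directory; "
    "for others, only LICENSE file applies\0author=example";

/* Length of the string at s, bounded by the bytes left in the buffer. */
static size_t entry_len(const char *s, size_t left)
{
    const char *end = memchr(s, '\0', left);
    return end ? (size_t)(end - s) : left;
}

/* Value of the first "tag=value" entry, as a C-string reader would see it. */
static const char *modinfo_get(const char *buf, size_t len, const char *tag)
{
    size_t tlen = strlen(tag);
    for (size_t off = 0, n; off < len; off += n + 1) {
        const char *s = buf + off;
        n = entry_len(s, len - off);
        if (n < len - off && n > tlen && !memcmp(s, tag, tlen) && s[tlen] == '=')
            return s + tlen + 1;
    }
    return NULL;
}

/* Count non-empty entries with no '=': text that sits after an embedded NUL. */
static int stray_entries(const char *buf, size_t len)
{
    int stray = 0;
    for (size_t off = 0, n; off < len; off += n + 1) {
        n = entry_len(buf + off, len - off);
        if (n > 0 && memchr(buf + off, '=', n) == NULL)
            stray++;
    }
    return stray;
}

int main(void)
{
    printf("clean:   license=\"%s\" stray=%d\n",
           modinfo_get(clean, sizeof clean, "license"), stray_entries(clean, sizeof clean));
    printf("tricked: license=\"%s\" stray=%d\n",
           modinfo_get(tricked, sizeof tricked, "license"), stray_entries(tricked, sizeof tricked));
}
```

Both buffers report the license as "GPL" to a string comparison; only the entry walk tells them apart.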

Linux allows disabling module loading via the sysctl option /proc/sys/kernel/modules_disabled. An initramfs system may load specific modules needed for a machine at boot and then disable module loading. This makes the security very similar to a monolithic kernel. If an attacker can change the initramfs, they can change the kernel binary.
