How To
Summary
This document describes how to prevent a kernel module that has been compiled into a kernel from being loaded and run at boot time.
Steps
In the Linux kernel, modules (sometimes known as drivers) can allow new functionality when needed. Rather than building all modules into the kernel, some can be left to load automatically if needed.
The practice of disabling kernel modules, known as blacklisting, is a fairly straightforward way to prevent these loadable modules from being inserted and run. However, if you need to disable a module that has been compiled into the kernel, how would you do that?
One way is to determine the "init" method of the module, and prevent that from running. This method usually initializes the module, setting up things like sockets, opening a device node, or allocating memory to be used.
The init routine may be named differently depending on the module. However, its name usually contains the word "init", and it can be found in the list of symbols the kernel uses, called the System.map file. This is usually found at /boot/System.map-KERNELVERSION, with the one matching the current kernel at /boot/System.map-$(uname -r). The same symbols can also be seen on the running system in /proc/kallsyms.
Searching the System.map file for the module in question will give the symbols and routines added to the kernel by it, and the init routine can be observed as one of these.
To block the init method from being run at boot time, set the kernel boot parameter "initcall_blacklist" to the name of that routine.
One example can be seen using the kernel module "af_alg", which provides a user-space API for Linux kernel cryptographic calls. This module is compiled into the kernel, so the conventional means of using a file in /etc/modprobe.d/ to block it will not work.
So first, we need to search for the initialization routine in either the System.map file or /proc/kallsyms:
root# grep af_alg /boot/System.map-$(uname -r) | grep init
Using /proc/kallsyms the search can be done as a regular user:
$ grep af_alg /proc/kallsyms | grep init
And we find the routine:
000000000148c910 t af_alg_init
To block this from being used at boot time, we need to modify the kernel boot parameters, and add this initialization routine to the list of blocked ones, denoted by the variable "initcall_blacklist".
For Red Hat, use the "grubby" command:
root# grubby --args "initcall_blacklist=af_alg_init" --update-kernel ALL
For other distributions, use the appropriate method. For example, on SUSE SLES the preferred way is to use yast2 or yast, select System › Boot Loader › Boot Loader Settings › Kernel Parameters, and add the kernel parameter.
After a reboot, the kernel module will not be loaded.
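One way to confirm after the reboot that the parameter is in effect, as an added example that is not part of the original document: the hypothetical helpers find_init_syms and is_initcall_blacklisted list a module's init symbols and check them by exact name against the comma-separated initcall_blacklist list, so a similarly named entry does not count as a match. The sample symbol table and command line are constructed; only the af_alg_init line comes from the document.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not part of the original document.

# Read System.map-format text on stdin (address, type, symbol) and print
# symbols that contain the module name $1 and the word "init".
find_init_syms() {
    awk -v m="$1" 'NF >= 3 && index($3, m) > 0 && $3 ~ /init/ { print $3 }'
}

# Succeed only if symbol $1 is an exact entry in an initcall_blacklist=
# parameter of the kernel command line string $2 (comma-separated list).
is_initcall_blacklisted() {
    for arg in $2; do
        case $arg in
            initcall_blacklist=*)
                case ",${arg#initcall_blacklist=}," in
                    *",$1,"*) return 0 ;;
                esac ;;
        esac
    done
    return 1
}

# Constructed sample input; only the af_alg_init line is from the document.
SAMPLE_MAP='0000000000a1b2c0 T af_alg_release
000000000148c910 t af_alg_init
0000000000a1b300 T crypto_register_alg'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro initcall_blacklist=foo_init,af_alg_init quiet'

# Report each init symbol of the module and whether the command line blocks it.
for sym in $(printf '%s\n' "$SAMPLE_MAP" | find_init_syms af_alg); do
    if is_initcall_blacklisted "$sym" "$SAMPLE_CMDLINE"; then
        echo "$sym: blocked by initcall_blacklist"
    else
        echo "$sym: NOT blocked"
    fi
done
```

On a live system, feed the functions real data with `find_init_syms af_alg < /proc/kallsyms` and `is_initcall_blacklisted af_alg_init "$(cat /proc/cmdline)"`.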
Document Location
Worldwide
Document Information
Modified date:
20 November 2025
UID
ibm17252011