# SPDX-License-Identifier: GPL-2.0-only

# BPF interpreter that, for example, classic socket filters depend on.
config BPF
	bool

# Used by archs to tell that they support BPF JIT compiler plus which
# flavour. Only one of the two can be selected for a specific arch since
# eBPF JIT supersedes the cBPF JIT.

# Classic BPF JIT (cBPF)
config HAVE_CBPF_JIT
	bool

# Extended BPF JIT (eBPF)
config HAVE_EBPF_JIT
	bool

# Used by archs to tell that they want the BPF JIT compiler enabled by
# default for kernels that were compiled with BPF JIT support.
config ARCH_WANT_DEFAULT_BPF_JIT
	bool

menu "BPF subsystem"

config BPF_SYSCALL
	bool "Enable bpf() system call"
	select BPF
	select IRQ_WORK
	select TASKS_TRACE_RCU
	select BINARY_PRINTF
	select NET_SOCK_MSG if INET
	default n
	help
	  Enable the bpf() system call that allows to manipulate BPF programs
	  and maps via file descriptors.

config BPF_JIT
	bool "Enable BPF Just In Time compiler"
	depends on BPF
	depends on HAVE_CBPF_JIT || HAVE_EBPF_JIT
	depends on MODULES
	help
	  BPF programs are normally handled by a BPF interpreter. This option
	  allows the kernel to generate native code when a program is loaded
	  into the kernel. This will significantly speed-up processing of BPF
	  programs.

	  Note, an admin should enable this feature changing:
	  /proc/sys/net/core/bpf_jit_enable
	  /proc/sys/net/core/bpf_jit_harden   (optional)
	  /proc/sys/net/core/bpf_jit_kallsyms (optional)

config BPF_JIT_ALWAYS_ON
	bool "Permanently enable BPF JIT and remove BPF interpreter"
	depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
	help
	  Enables BPF JIT and removes BPF interpreter to avoid speculative
	  execution of BPF instructions by the interpreter.

config BPF_JIT_DEFAULT_ON
	def_bool ARCH_WANT_DEFAULT_BPF_JIT || BPF_JIT_ALWAYS_ON
	depends on HAVE_EBPF_JIT && BPF_JIT

config BPF_UNPRIV_DEFAULT_OFF
	bool "Disable unprivileged BPF by default"
	depends on BPF_SYSCALL
	help
	  Disables unprivileged BPF by default by setting the corresponding
	  /proc/sys/kernel/unprivileged_bpf_disabled knob to 2. An admin can
	  still reenable it by setting it to 0 later on, or permanently
	  disable it by setting it to 1 (from which no other transition to
	  0 is possible anymore).

source "kernel/bpf/preload/Kconfig"

config BPF_LSM
	bool "Enable BPF LSM Instrumentation"
	depends on BPF_EVENTS
	depends on BPF_SYSCALL
	depends on SECURITY
	depends on BPF_JIT
	help
	  Enables instrumentation of the security hooks with BPF programs for
	  implementing dynamic MAC and Audit Policies.

	  If you are unsure how to answer this question, answer N.

endmenu # "BPF subsystem"
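
The following is an added example, not part of this Kconfig file or the kernel tree: a shell audit that reads a kernel .config and the value of /proc/sys/kernel/unprivileged_bpf_disabled and reports the hardening state described in the BPF_JIT_ALWAYS_ON and BPF_UNPRIV_DEFAULT_OFF help texts. The function names, the finding wording and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit BPF hardening from a kernel
# .config plus the unprivileged_bpf_disabled sysctl value.

# config_on FILE SYMBOL: succeeds if CONFIG_<SYMBOL>=y is set in FILE.
config_on() { grep -q "^CONFIG_$2=y\$" "$1"; }

# unpriv_state VALUE: map the sysctl value to the meaning in the help text.
unpriv_state() {
    case "$1" in
        0) echo "enabled" ;;
        1) echo "disabled-locked" ;;       # no transition back to 0
        2) echo "disabled-reversible" ;;   # admin may still write 0
        *) echo "unknown" ;;
    esac
}

# audit_bpf FILE VALUE: print one finding per line.
audit_bpf() {
    if ! config_on "$1" BPF_SYSCALL; then
        echo "OK: bpf() system call not built in"
        return 0
    fi
    if config_on "$1" BPF_JIT_ALWAYS_ON; then
        echo "OK: interpreter removed (BPF_JIT_ALWAYS_ON)"
    else
        echo "WARN: BPF interpreter present"
    fi
    config_on "$1" BPF_UNPRIV_DEFAULT_OFF ||
        echo "WARN: build does not default unprivileged BPF to off"
    case "$(unpriv_state "$2")" in
        enabled)             echo "WARN: unprivileged BPF enabled" ;;
        disabled-reversible) echo "INFO: unprivileged BPF off, can be re-enabled; write 1 to lock" ;;
        disabled-locked)     echo "OK: unprivileged BPF off and locked" ;;
        *)                   echo "WARN: unexpected sysctl value '$2'" ;;
    esac
}

# Constructed sample config (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
# CONFIG_BPF_JIT_ALWAYS_ON is not set
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
EOF
audit_bpf "$sample" 2
rm -f "$sample"
```

On a live host, pass the running kernel's config file and the contents of /proc/sys/kernel/unprivileged_bpf_disabled as the two arguments.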