# SPDX-License-Identifier: GPL-2.0-only

# BPF interpreter that, for example, classic socket filters depend on.
config BPF
	bool

# Used by archs to tell that they support BPF JIT compiler plus which
# flavour. Only one of the two can be selected for a specific arch since
# eBPF JIT supersedes the cBPF JIT.

# Classic BPF JIT (cBPF)
config HAVE_CBPF_JIT
	bool

# Extended BPF JIT (eBPF)
config HAVE_EBPF_JIT
	bool

# Used by archs to tell that they want the BPF JIT compiler enabled by
# default for kernels that were compiled with BPF JIT support.
config ARCH_WANT_DEFAULT_BPF_JIT
	bool

menu "BPF subsystem"

config BPF_SYSCALL
	bool "Enable bpf() system call"
	select BPF
	select IRQ_WORK
	select TASKS_TRACE_RCU
	select BINARY_PRINTF
	select NET_SOCK_MSG if NET
	select PAGE_POOL if NET
	default n
	help
	  Enable the bpf() system call that allows to manipulate BPF programs
	  and maps via file descriptors.

config BPF_JIT
	bool "Enable BPF Just In Time compiler"
	depends on BPF
	depends on HAVE_CBPF_JIT || HAVE_EBPF_JIT
	depends on MODULES
	help
	  BPF programs are normally handled by a BPF interpreter. This option
	  allows the kernel to generate native code when a program is loaded
	  into the kernel. This will significantly speed-up processing of BPF
	  programs.

	  Note, an admin should enable this feature changing:
	  /proc/sys/net/core/bpf_jit_enable
	  /proc/sys/net/core/bpf_jit_harden   (optional)
	  /proc/sys/net/core/bpf_jit_kallsyms (optional)

config BPF_JIT_ALWAYS_ON
	bool "Permanently enable BPF JIT and remove BPF interpreter"
	depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
	help
	  Enables BPF JIT and removes BPF interpreter to avoid speculative
	  execution of BPF instructions by the interpreter.

	  When CONFIG_BPF_JIT_ALWAYS_ON is enabled, /proc/sys/net/core/bpf_jit_enable
	  is permanently set to 1 and setting any other value than that will
	  return failure.

config BPF_JIT_DEFAULT_ON
	def_bool ARCH_WANT_DEFAULT_BPF_JIT || BPF_JIT_ALWAYS_ON
	depends on HAVE_EBPF_JIT && BPF_JIT

config BPF_UNPRIV_DEFAULT_OFF
	bool "Disable unprivileged BPF by default"
	default y
	depends on BPF_SYSCALL
	help
	  Disables unprivileged BPF by default by setting the corresponding
	  /proc/sys/kernel/unprivileged_bpf_disabled knob to 2. An admin can
	  still reenable it by setting it to 0 later on, or permanently
	  disable it by setting it to 1 (from which no other transition to
	  0 is possible anymore).

	  Unprivileged BPF could be used to exploit certain potential
	  speculative execution side-channel vulnerabilities on unmitigated
	  affected hardware.

	  If you are unsure how to answer this question, answer Y.

source "kernel/bpf/preload/Kconfig"

config BPF_LSM
	bool "Enable BPF LSM Instrumentation"
	depends on BPF_EVENTS
	depends on BPF_SYSCALL
	depends on SECURITY
	depends on BPF_JIT
	help
	  Enables instrumentation of the security hooks with BPF programs for
	  implementing dynamic MAC and Audit Policies.

	  If you are unsure how to answer this question, answer N.

endmenu # "BPF subsystem"
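
The runtime knobs named in the help texts above can be checked on a running system. The shell audit below is an added example, not part of the kernel tree; the function names and the `SYSROOT` override are assumptions, and treating `bpf_jit_harden` 0 as "hardening off" and `bpf_jit_enable` 2 as JIT debug mode follows the kernel's sysctl documentation rather than this file.

```shell
#!/bin/sh
# Added example, not part of kernel/bpf/Kconfig: report risky settings of the
# runtime knobs named in the help texts. SYSROOT is an assumed override that
# lets the check run against a copied or constructed tree.

# knob ROOT RELPATH -> value, or "n/a" when missing or unreadable by this user
knob() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo "n/a"; fi
}

# unpriv_state VALUE -> meaning per the BPF_UNPRIV_DEFAULT_OFF help text
unpriv_state() {
    case "$1" in
        0) echo "enabled" ;;
        1) echo "disabled-permanently" ;;
        2) echo "disabled-until-admin-sets-0" ;;
        *) echo "unknown" ;;
    esac
}

# bpf_findings [ROOT] -> one FINDING line per risky setting, nothing if clean
bpf_findings() {
    root="${1:-/proc/sys}"
    unpriv=$(knob "$root" kernel/unprivileged_bpf_disabled)
    jit=$(knob "$root" net/core/bpf_jit_enable)
    harden=$(knob "$root" net/core/bpf_jit_harden)
    if [ "$unpriv" = 0 ]; then
        echo "FINDING unprivileged_bpf_disabled=0: unprivileged BPF is enabled"
        # Hardening level 0 leaves JIT output for those users unhardened.
        if [ "$harden" = 0 ]; then
            echo "FINDING bpf_jit_harden=0: no JIT hardening for unprivileged programs"
        fi
    fi
    # Anything but 1 means the interpreter (0) or JIT debug output (2).
    if [ "$jit" != 1 ] && [ "$jit" != "n/a" ]; then
        echo "FINDING bpf_jit_enable=$jit: expected 1 (the value BPF_JIT_ALWAYS_ON pins)"
    fi
}

bpf_findings "${SYSROOT:-/proc/sys}"
```

A knob reported as `n/a` is skipped rather than flagged, so run the check as root when a complete answer is needed.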