# SPDX-License-Identifier: GPL-2.0-only

# BPF interpreter that, for example, classic socket filters depend on.
config BPF
	bool

# Used by archs to tell that they support BPF JIT compiler plus which
# flavour. Only one of the two can be selected for a specific arch since
# eBPF JIT supersedes the cBPF JIT.

# Classic BPF JIT (cBPF)
config HAVE_CBPF_JIT
	bool

# Extended BPF JIT (eBPF)
config HAVE_EBPF_JIT
	bool

# Used by archs to tell that they want the BPF JIT compiler enabled by
# default for kernels that were compiled with BPF JIT support.
config ARCH_WANT_DEFAULT_BPF_JIT
	bool

menu "BPF subsystem"

config BPF_SYSCALL
	bool "Enable bpf() system call"
	select BPF
	select IRQ_WORK
	select TASKS_RCU if PREEMPTION
	select TASKS_TRACE_RCU
	select BINARY_PRINTF
	select NET_SOCK_MSG if NET
	select NET_XGRESS if NET
	select PAGE_POOL if NET
	default n
	help
	  Enable the bpf() system call that allows manipulating BPF programs
	  and maps via file descriptors.

config BPF_JIT
	bool "Enable BPF Just In Time compiler"
	depends on BPF
	depends on HAVE_CBPF_JIT || HAVE_EBPF_JIT
	depends on MODULES
	help
	  BPF programs are normally handled by a BPF interpreter. This option
	  allows the kernel to generate native code when a program is loaded
	  into the kernel. This will significantly speed up processing of BPF
	  programs.

	  Note that an admin still has to enable this feature at runtime by
	  setting:
	    /proc/sys/net/core/bpf_jit_enable
	    /proc/sys/net/core/bpf_jit_harden   (optional)
	    /proc/sys/net/core/bpf_jit_kallsyms (optional)

config BPF_JIT_ALWAYS_ON
	bool "Permanently enable BPF JIT and remove BPF interpreter"
	depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
	help
	  Enables BPF JIT and removes the BPF interpreter to avoid speculative
	  execution of BPF instructions by the interpreter.

	  When CONFIG_BPF_JIT_ALWAYS_ON is enabled, /proc/sys/net/core/bpf_jit_enable
	  is permanently set to 1 and setting any other value than that will
	  return failure.

config BPF_JIT_DEFAULT_ON
	def_bool ARCH_WANT_DEFAULT_BPF_JIT || BPF_JIT_ALWAYS_ON
	depends on HAVE_EBPF_JIT && BPF_JIT

config BPF_UNPRIV_DEFAULT_OFF
	bool "Disable unprivileged BPF by default"
	default y
	depends on BPF_SYSCALL
	help
	  Disables unprivileged BPF by default by setting the corresponding
	  /proc/sys/kernel/unprivileged_bpf_disabled knob to 2. An admin can
	  still re-enable it by setting it to 0 later on, or permanently
	  disable it by setting it to 1 (from which no other transition to
	  0 is possible anymore).

	  Unprivileged BPF could be used to exploit certain potential
	  speculative execution side-channel vulnerabilities on unmitigated
	  affected hardware.

	  If you are unsure how to answer this question, answer Y.

source "kernel/bpf/preload/Kconfig"

config BPF_LSM
	bool "Enable BPF LSM Instrumentation"
	depends on BPF_EVENTS
	depends on BPF_SYSCALL
	depends on SECURITY
	depends on BPF_JIT
	help
	  Enables instrumentation of the security hooks with BPF programs for
	  implementing dynamic MAC and Audit Policies.

	  If you are unsure how to answer this question, answer N.

endmenu # "BPF subsystem"
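An added audit helper, not part of the kernel tree, that checks the runtime knobs the BPF_JIT and BPF_UNPRIV_DEFAULT_OFF help texts above refer to. It reads from /proc/sys by default; the sysctl root argument, the OK/WEAK/INFO labelling, and the reading of bpf_jit_harden=1 as unprivileged-only and =2 as all-users hardening are my own choices, not anything stated in this Kconfig.

```shell
#!/bin/sh
# Added audit helper, not part of the kernel tree. It reads the knobs named
# in the BPF_JIT and BPF_UNPRIV_DEFAULT_OFF help texts from a sysctl root
# (default /proc/sys; a constructed directory can be passed for testing).

# Print a knob's value relative to the sysctl root, or "absent" when the
# kernel does not expose it (e.g. CONFIG_BPF_SYSCALL=n or CONFIG_BPF_JIT=n).
read_knob() {
	if [ -r "$1/$2" ]; then cat "$1/$2"; else echo absent; fi
}

# Print one OK/WEAK/INFO line per knob; the return value is the WEAK count.
audit_bpf_sysctls() {
	root="${1:-/proc/sys}"
	weak=0
	unpriv=$(read_knob "$root" kernel/unprivileged_bpf_disabled)
	case "$unpriv" in
	1) echo "OK   unprivileged_bpf_disabled=1 (disabled; cannot return to 0 without a reboot)" ;;
	2) echo "OK   unprivileged_bpf_disabled=2 (disabled; an admin may still set it to 0)" ;;
	0) echo "WEAK unprivileged_bpf_disabled=0 (unprivileged users may load BPF programs)"
	   weak=$((weak + 1)) ;;
	*) echo "INFO unprivileged_bpf_disabled=$unpriv (knob not exposed)" ;;
	esac
	jit=$(read_knob "$root" net/core/bpf_jit_enable)
	case "$jit" in
	1) echo "OK   bpf_jit_enable=1 (programs are JIT-compiled; pinned to 1 under BPF_JIT_ALWAYS_ON)" ;;
	0) echo "WEAK bpf_jit_enable=0 (BPF interpreter in use)"
	   weak=$((weak + 1)) ;;
	*) echo "INFO bpf_jit_enable=$jit" ;;
	esac
	harden=$(read_knob "$root" net/core/bpf_jit_harden)
	case "$harden" in
	2) echo "OK   bpf_jit_harden=2 (constant blinding for all users)" ;;
	1) echo "OK   bpf_jit_harden=1 (constant blinding for unprivileged users only)" ;;
	0) echo "WEAK bpf_jit_harden=0 (optional JIT hardening is off)"
	   weak=$((weak + 1)) ;;
	*) echo "INFO bpf_jit_harden=$harden" ;;
	esac
	echo "INFO bpf_jit_kallsyms=$(read_knob "$root" net/core/bpf_jit_kallsyms)"
	return "$weak"
}

# Stand-alone use: `sh audit.sh --run [sysctl-root]` audits the running kernel
# and exits non-zero when any WEAK setting is found.
if [ "${1:-}" = --run ]; then
	audit_bpf_sysctls "${2:-/proc/sys}"
fi
```

Sourcing the file instead of running it with `--run` lets the functions be called against any directory laid out like /proc/sys.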