# SPDX-License-Identifier: GPL-2.0-only

# BPF interpreter that, for example, classic socket filters depend on.
config BPF
	bool

# Used by archs to tell that they support BPF JIT compiler plus which
# flavour. Only one of the two can be selected for a specific arch since
# eBPF JIT supersedes the cBPF JIT.

# Classic BPF JIT (cBPF)
config HAVE_CBPF_JIT
	bool

# Extended BPF JIT (eBPF)
config HAVE_EBPF_JIT
	bool

# Used by archs to tell that they want the BPF JIT compiler enabled by
# default for kernels that were compiled with BPF JIT support.
config ARCH_WANT_DEFAULT_BPF_JIT
	bool

menu "BPF subsystem"

config BPF_SYSCALL
	bool "Enable bpf() system call"
	select BPF
	select IRQ_WORK
	select TASKS_TRACE_RCU
	select BINARY_PRINTF
	select NET_SOCK_MSG if NET
	default n
	help
	  Enable the bpf() system call that allows to manipulate BPF programs
	  and maps via file descriptors.

config BPF_JIT
	bool "Enable BPF Just In Time compiler"
	depends on BPF
	depends on HAVE_CBPF_JIT || HAVE_EBPF_JIT
	depends on MODULES
	help
	  BPF programs are normally handled by a BPF interpreter. This option
	  allows the kernel to generate native code when a program is loaded
	  into the kernel. This will significantly speed-up processing of BPF
	  programs.

	  Note, an admin should enable this feature changing:
	  /proc/sys/net/core/bpf_jit_enable
	  /proc/sys/net/core/bpf_jit_harden (optional)
	  /proc/sys/net/core/bpf_jit_kallsyms (optional)

config BPF_JIT_ALWAYS_ON
	bool "Permanently enable BPF JIT and remove BPF interpreter"
	depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
	help
	  Enables BPF JIT and removes BPF interpreter to avoid speculative
	  execution of BPF instructions by the interpreter.

	  When CONFIG_BPF_JIT_ALWAYS_ON is enabled, /proc/sys/net/core/bpf_jit_enable
	  is permanently set to 1 and setting any other value than that will
	  return failure.

config BPF_JIT_DEFAULT_ON
	def_bool ARCH_WANT_DEFAULT_BPF_JIT || BPF_JIT_ALWAYS_ON
	depends on HAVE_EBPF_JIT && BPF_JIT

config BPF_UNPRIV_DEFAULT_OFF
	bool "Disable unprivileged BPF by default"
	default y
	depends on BPF_SYSCALL
	help
	  Disables unprivileged BPF by default by setting the corresponding
	  /proc/sys/kernel/unprivileged_bpf_disabled knob to 2. An admin can
	  still reenable it by setting it to 0 later on, or permanently
	  disable it by setting it to 1 (from which no other transition to
	  0 is possible anymore).

	  Unprivileged BPF could be used to exploit certain potential
	  speculative execution side-channel vulnerabilities on unmitigated
	  affected hardware.

	  If you are unsure how to answer this question, answer Y.

source "kernel/bpf/preload/Kconfig"

config BPF_LSM
	bool "Enable BPF LSM Instrumentation"
	depends on BPF_EVENTS
	depends on BPF_SYSCALL
	depends on SECURITY
	depends on BPF_JIT
	help
	  Enables instrumentation of the security hooks with BPF programs for
	  implementing dynamic MAC and Audit Policies.

	  If you are unsure how to answer this question, answer N.

endmenu # "BPF subsystem"
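
The help texts for BPF_UNPRIV_DEFAULT_OFF and BPF_JIT_ALWAYS_ON describe both a build-time choice and the runtime knob it governs, so a hardening check has to read both. The script below is an added example, not part of the kernel tree: the function names, the two arguments (kernel config file, sysctl root) and the sample files are assumptions of this example, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: audit the BPF hardening state described by the Kconfig help
# text above. Function names and arguments are hypothetical.

kconfig_on() {  # kconfig_on FILE SYMBOL -> prints y or n
    if grep -q "^CONFIG_$2=y\$" "$1" 2>/dev/null; then echo y; else echo n; fi
}

sysctl_val() {  # sysctl_val ROOT PATH -> value, or "missing"
    cat "$1/$2" 2>/dev/null || echo missing
}

bpf_audit() {   # prints findings; returns 1 if any WARN was printed
    cfg=${1:-/boot/config-$(uname -r)}; root=${2:-/proc/sys}; rc=0
    case $(sysctl_val "$root" kernel/unprivileged_bpf_disabled) in
        2) echo "OK   unprivileged BPF off (admin may still write 0)" ;;
        1) echo "OK   unprivileged BPF off permanently" ;;
        0) echo "WARN unprivileged BPF is enabled"; rc=1 ;;
        *) echo "INFO unprivileged_bpf_disabled knob not found" ;;
    esac
    if [ "$(kconfig_on "$cfg" BPF_SYSCALL)" = y ] &&
       [ "$(kconfig_on "$cfg" BPF_UNPRIV_DEFAULT_OFF)" = n ]; then
        echo "WARN BPF_UNPRIV_DEFAULT_OFF unset: knob does not boot as 2"; rc=1
    fi
    if [ "$(kconfig_on "$cfg" BPF_JIT_ALWAYS_ON)" = y ]; then
        echo "OK   BPF_JIT_ALWAYS_ON: interpreter removed, bpf_jit_enable fixed at 1"
    else
        echo "WARN BPF_JIT_ALWAYS_ON unset: interpreter not removed"; rc=1
        [ "$(sysctl_val "$root" net/core/bpf_jit_enable)" = 1 ] ||
            echo "INFO bpf_jit_enable is not 1: programs use the interpreter"
    fi
    return $rc
}

make_sample() { # constructed sample: hardened default, knob re-enabled by admin
    mkdir -p "$1/sys/kernel" "$1/sys/net/core"
    printf 'CONFIG_BPF_SYSCALL=y\nCONFIG_BPF_JIT=y\nCONFIG_BPF_UNPRIV_DEFAULT_OFF=y\n' \
        > "$1/config"
    echo 0 > "$1/sys/kernel/unprivileged_bpf_disabled"
    echo 1 > "$1/sys/net/core/bpf_jit_enable"
}

# Demo on the constructed sample; call bpf_audit with no arguments for a live host.
demo=$(mktemp -d)
make_sample "$demo"
bpf_audit "$demo/config" "$demo/sys"
rm -rf "$demo"
```

On the constructed sample the audit prints two WARN lines: the config was built with BPF_UNPRIV_DEFAULT_OFF=y, but the knob was later written back to 0, which the build option alone cannot reveal.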