# SPDX-License-Identifier: GPL-2.0-only

# BPF interpreter that, for example, classic socket filters depend on.
config BPF
	bool
	select CRYPTO_LIB_SHA1

# Used by archs to tell that they support BPF JIT compiler plus which
# flavour. Only one of the two can be selected for a specific arch since
# eBPF JIT supersedes the cBPF JIT.

# Classic BPF JIT (cBPF)
config HAVE_CBPF_JIT
	bool

# Extended BPF JIT (eBPF)
config HAVE_EBPF_JIT
	bool

# Used by archs to tell that they want the BPF JIT compiler enabled by
# default for kernels that were compiled with BPF JIT support.
config ARCH_WANT_DEFAULT_BPF_JIT
	bool

menu "BPF subsystem"

config BPF_SYSCALL
	bool "Enable bpf() system call"
	select BPF
	select IRQ_WORK
	select NEED_TASKS_RCU
	select TASKS_TRACE_RCU
	select BINARY_PRINTF
	select NET_SOCK_MSG if NET
	select NET_XGRESS if NET
	select PAGE_POOL if NET
	default n
	help
	  Enable the bpf() system call that allows to manipulate BPF programs
	  and maps via file descriptors.

config BPF_JIT
	bool "Enable BPF Just In Time compiler"
	depends on BPF
	depends on HAVE_CBPF_JIT || HAVE_EBPF_JIT
	select EXECMEM
	help
	  BPF programs are normally handled by a BPF interpreter. This option
	  allows the kernel to generate native code when a program is loaded
	  into the kernel. This will significantly speed-up processing of BPF
	  programs.

	  Note, an admin should enable this feature changing:
	  /proc/sys/net/core/bpf_jit_enable
	  /proc/sys/net/core/bpf_jit_harden   (optional)
	  /proc/sys/net/core/bpf_jit_kallsyms (optional)

config BPF_JIT_ALWAYS_ON
	bool "Permanently enable BPF JIT and remove BPF interpreter"
	depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
	help
	  Enables BPF JIT and removes BPF interpreter to avoid speculative
	  execution of BPF instructions by the interpreter.

	  When CONFIG_BPF_JIT_ALWAYS_ON is enabled, /proc/sys/net/core/bpf_jit_enable
	  is permanently set to 1 and setting any other value than that will
	  return failure.

config BPF_JIT_DEFAULT_ON
	def_bool ARCH_WANT_DEFAULT_BPF_JIT || BPF_JIT_ALWAYS_ON
	depends on HAVE_EBPF_JIT && BPF_JIT

config BPF_UNPRIV_DEFAULT_OFF
	bool "Disable unprivileged BPF by default"
	default y
	depends on BPF_SYSCALL
	help
	  Disables unprivileged BPF by default by setting the corresponding
	  /proc/sys/kernel/unprivileged_bpf_disabled knob to 2. An admin can
	  still reenable it by setting it to 0 later on, or permanently
	  disable it by setting it to 1 (from which no other transition to
	  0 is possible anymore).

	  Unprivileged BPF could be used to exploit certain potential
	  speculative execution side-channel vulnerabilities on unmitigated
	  affected hardware.

	  If you are unsure how to answer this question, answer Y.

source "kernel/bpf/preload/Kconfig"

config BPF_LSM
	bool "Enable BPF LSM Instrumentation"
	depends on BPF_EVENTS
	depends on BPF_SYSCALL
	depends on SECURITY
	depends on BPF_JIT
	help
	  Enables instrumentation of the security hooks with BPF programs for
	  implementing dynamic MAC and Audit Policies.

	  If you are unsure how to answer this question, answer N.

endmenu # "BPF subsystem"
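
Added example, not part of the kernel tree: a small auditor that reads a kernel `.config` plus the runtime sysctl values and reports how the BPF_JIT_ALWAYS_ON and BPF_UNPRIV_DEFAULT_OFF help texts above apply to that system. The sample inputs are constructed and the finding codes are hypothetical names chosen for this example.

```python
import re

# Constructed sample inputs (not taken from a real system).
SAMPLE_CONFIG = """\
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
# CONFIG_BPF_JIT_ALWAYS_ON is not set
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
"""
SAMPLE_SYSCTLS = {"kernel.unprivileged_bpf_disabled": 0,
                  "net.core.bpf_jit_enable": 1}

def parse_config(text):
    """Map symbol -> value; '# CONFIG_X is not set' becomes 'n'."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"CONFIG_(\w+)=(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2)
        else:
            m = re.match(r"# CONFIG_(\w+) is not set$", line)
            if m:
                opts[m.group(1)] = "n"
    return opts

def unpriv_transition_allowed(current, new):
    """unprivileged_bpf_disabled: 2 or 0 may change freely, 1 is locked."""
    if new not in (0, 1, 2):
        return False
    return current != 1 or new == 1

def audit(config_text, sysctls):
    """Return finding codes (hypothetical names) for the options above."""
    cfg = parse_config(config_text)
    if cfg.get("BPF_SYSCALL") != "y":
        return []  # no bpf() system call, nothing below applies
    findings = []
    if cfg.get("BPF_JIT_ALWAYS_ON") != "y":
        findings.append("interpreter-present")
        if sysctls.get("net.core.bpf_jit_enable") == 0:
            findings.append("jit-disabled-at-runtime")
    if cfg.get("BPF_UNPRIV_DEFAULT_OFF") != "y":
        findings.append("unpriv-default-on")
    unpriv = sysctls.get("kernel.unprivileged_bpf_disabled")
    if unpriv == 0:
        findings.append("unpriv-enabled-at-runtime")
    elif unpriv == 2:
        findings.append("unpriv-off-but-not-locked")
    return findings
```

On the constructed sample, the build-time default is safe but an admin has since written 0 to the knob, which is the case a `.config`-only check would miss.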