1 # SPDX-License-Identifier: GPL-2.0-only 1 # SPDX-License-Identifier: GPL-2.0-only
2 2
3 # BPF interpreter that, for example, classic s 3 # BPF interpreter that, for example, classic socket filters depend on.
4 config BPF 4 config BPF
5 bool 5 bool
6 select CRYPTO_LIB_SHA1 <<
7 6
8 # Used by archs to tell that they support BPF 7 # Used by archs to tell that they support BPF JIT compiler plus which
9 # flavour. Only one of the two can be selected 8 # flavour. Only one of the two can be selected for a specific arch since
10 # eBPF JIT supersedes the cBPF JIT. 9 # eBPF JIT supersedes the cBPF JIT.
11 10
12 # Classic BPF JIT (cBPF) 11 # Classic BPF JIT (cBPF)
13 config HAVE_CBPF_JIT 12 config HAVE_CBPF_JIT
14 bool 13 bool
15 14
16 # Extended BPF JIT (eBPF) 15 # Extended BPF JIT (eBPF)
17 config HAVE_EBPF_JIT 16 config HAVE_EBPF_JIT
18 bool 17 bool
19 18
20 # Used by archs to tell that they want the BPF 19 # Used by archs to tell that they want the BPF JIT compiler enabled by
21 # default for kernels that were compiled with 20 # default for kernels that were compiled with BPF JIT support.
22 config ARCH_WANT_DEFAULT_BPF_JIT 21 config ARCH_WANT_DEFAULT_BPF_JIT
23 bool 22 bool
24 23
25 menu "BPF subsystem" 24 menu "BPF subsystem"
26 25
27 config BPF_SYSCALL 26 config BPF_SYSCALL
28 bool "Enable bpf() system call" 27 bool "Enable bpf() system call"
29 select BPF 28 select BPF
30 select IRQ_WORK 29 select IRQ_WORK
31 select NEED_TASKS_RCU !! 30 select TASKS_RCU if PREEMPTION
32 select TASKS_TRACE_RCU 31 select TASKS_TRACE_RCU
33 select BINARY_PRINTF 32 select BINARY_PRINTF
34 select NET_SOCK_MSG if NET 33 select NET_SOCK_MSG if NET
35 select NET_XGRESS if NET 34 select NET_XGRESS if NET
36 select PAGE_POOL if NET 35 select PAGE_POOL if NET
37 default n 36 default n
38 help 37 help
39 Enable the bpf() system call that al 38 Enable the bpf() system call that allows to manipulate BPF programs
40 and maps via file descriptors. 39 and maps via file descriptors.
41 40
42 config BPF_JIT 41 config BPF_JIT
43 bool "Enable BPF Just In Time compiler 42 bool "Enable BPF Just In Time compiler"
44 depends on BPF 43 depends on BPF
45 depends on HAVE_CBPF_JIT || HAVE_EBPF_ 44 depends on HAVE_CBPF_JIT || HAVE_EBPF_JIT
46 select EXECMEM !! 45 depends on MODULES
47 help 46 help
48 BPF programs are normally handled by 47 BPF programs are normally handled by a BPF interpreter. This option
49 allows the kernel to generate native 48 allows the kernel to generate native code when a program is loaded
50 into the kernel. This will significa 49 into the kernel. This will significantly speed-up processing of BPF
51 programs. 50 programs.
52 51
53 Note, an admin should enable this fe 52 Note, an admin should enable this feature changing:
54 /proc/sys/net/core/bpf_jit_enable 53 /proc/sys/net/core/bpf_jit_enable
55 /proc/sys/net/core/bpf_jit_harden 54 /proc/sys/net/core/bpf_jit_harden (optional)
56 /proc/sys/net/core/bpf_jit_kallsyms 55 /proc/sys/net/core/bpf_jit_kallsyms (optional)
57 56
58 config BPF_JIT_ALWAYS_ON 57 config BPF_JIT_ALWAYS_ON
59 bool "Permanently enable BPF JIT and r 58 bool "Permanently enable BPF JIT and remove BPF interpreter"
60 depends on BPF_SYSCALL && HAVE_EBPF_JI 59 depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
61 help 60 help
62 Enables BPF JIT and removes BPF inte 61 Enables BPF JIT and removes BPF interpreter to avoid speculative
63 execution of BPF instructions by the 62 execution of BPF instructions by the interpreter.
64 63
65 When CONFIG_BPF_JIT_ALWAYS_ON is ena 64 When CONFIG_BPF_JIT_ALWAYS_ON is enabled, /proc/sys/net/core/bpf_jit_enable
66 is permanently set to 1 and setting 65 is permanently set to 1 and setting any other value than that will
67 return failure. 66 return failure.
68 67
69 config BPF_JIT_DEFAULT_ON 68 config BPF_JIT_DEFAULT_ON
70 def_bool ARCH_WANT_DEFAULT_BPF_JIT || 69 def_bool ARCH_WANT_DEFAULT_BPF_JIT || BPF_JIT_ALWAYS_ON
71 depends on HAVE_EBPF_JIT && BPF_JIT 70 depends on HAVE_EBPF_JIT && BPF_JIT
72 71
73 config BPF_UNPRIV_DEFAULT_OFF 72 config BPF_UNPRIV_DEFAULT_OFF
74 bool "Disable unprivileged BPF by defa 73 bool "Disable unprivileged BPF by default"
75 default y 74 default y
76 depends on BPF_SYSCALL 75 depends on BPF_SYSCALL
77 help 76 help
78 Disables unprivileged BPF by default 77 Disables unprivileged BPF by default by setting the corresponding
79 /proc/sys/kernel/unprivileged_bpf_di 78 /proc/sys/kernel/unprivileged_bpf_disabled knob to 2. An admin can
80 still reenable it by setting it to 0 79 still reenable it by setting it to 0 later on, or permanently
81 disable it by setting it to 1 (from 80 disable it by setting it to 1 (from which no other transition to
82 0 is possible anymore). 81 0 is possible anymore).
83 82
84 Unprivileged BPF could be used to ex 83 Unprivileged BPF could be used to exploit certain potential
85 speculative execution side-channel v 84 speculative execution side-channel vulnerabilities on unmitigated
86 affected hardware. 85 affected hardware.
87 86
88 If you are unsure how to answer this 87 If you are unsure how to answer this question, answer Y.
89 88
90 source "kernel/bpf/preload/Kconfig" 89 source "kernel/bpf/preload/Kconfig"
91 90
92 config BPF_LSM 91 config BPF_LSM
93 bool "Enable BPF LSM Instrumentation" 92 bool "Enable BPF LSM Instrumentation"
94 depends on BPF_EVENTS 93 depends on BPF_EVENTS
95 depends on BPF_SYSCALL 94 depends on BPF_SYSCALL
96 depends on SECURITY 95 depends on SECURITY
97 depends on BPF_JIT 96 depends on BPF_JIT
98 help 97 help
99 Enables instrumentation of the secur 98 Enables instrumentation of the security hooks with BPF programs for
100 implementing dynamic MAC and Audit P 99 implementing dynamic MAC and Audit Policies.
101 100
102 If you are unsure how to answer this 101 If you are unsure how to answer this question, answer N.
103 102
104 endmenu # "BPF subsystem" 103 endmenu # "BPF subsystem"
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.