linux/kernel/bpf/Kconfig

# SPDX-License-Identifier: GPL-2.0-only

# BPF interpreter that, for example, classic socket filters depend on.
config BPF
	bool

# Used by archs to tell that they support BPF JIT compiler plus which
# flavour. Only one of the two can be selected for a specific arch since
# eBPF JIT supersedes the cBPF JIT.

# Classic BPF JIT (cBPF)
config HAVE_CBPF_JIT
	bool

# Extended BPF JIT (eBPF)
config HAVE_EBPF_JIT
	bool

# Used by archs to tell that they want the BPF JIT compiler enabled by
# default for kernels that were compiled with BPF JIT support.
config ARCH_WANT_DEFAULT_BPF_JIT
	bool

menu "BPF subsystem"

config BPF_SYSCALL
	bool "Enable bpf() system call"
	select BPF
	select IRQ_WORK
	select TASKS_TRACE_RCU
	select BINARY_PRINTF
	select NET_SOCK_MSG if INET
	default n
	help
	  Enable the bpf() system call that allows to manipulate BPF programs
	  and maps via file descriptors.

config BPF_JIT
	bool "Enable BPF Just In Time compiler"
	depends on HAVE_CBPF_JIT || HAVE_EBPF_JIT
	depends on MODULES
	help
	  BPF programs are normally handled by a BPF interpreter. This option
	  allows the kernel to generate native code when a program is loaded
	  into the kernel. This will significantly speed-up processing of BPF
	  programs.

	  Note, an admin should enable this feature changing:
	  /proc/sys/net/core/bpf_jit_enable
	  /proc/sys/net/core/bpf_jit_harden   (optional)
	  /proc/sys/net/core/bpf_jit_kallsyms (optional)

config BPF_JIT_ALWAYS_ON
	bool "Permanently enable BPF JIT and remove BPF interpreter"
	depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
	help
	  Enables BPF JIT and removes BPF interpreter to avoid speculative
	  execution of BPF instructions by the interpreter.

config BPF_JIT_DEFAULT_ON
	def_bool ARCH_WANT_DEFAULT_BPF_JIT || BPF_JIT_ALWAYS_ON
	depends on HAVE_EBPF_JIT && BPF_JIT

source "kernel/bpf/preload/Kconfig"

config BPF_LSM
	bool "Enable BPF LSM Instrumentation"
	depends on BPF_EVENTS
	depends on BPF_SYSCALL
	depends on SECURITY
	depends on BPF_JIT
	help
	  Enables instrumentation of the security hooks with BPF programs for
	  implementing dynamic MAC and Audit Policies.

	  If you are unsure how to answer this question, answer N.

endmenu # "BPF subsystem"
bpf, kconfig: Add consolidated menu entry for bpf with core options Right now, all core BPF related options are scattered in different Kconfig locations mainly due to historic reasons. Moving forward, lets add a proper subsystem entry under ... General setup ---> BPF subsystem ---> ... in order to have all knobs in a single location and thus ease BPF related configuration. Networking related bits such as sockmap are out of scope for the general setup and therefore better suited to remain in net/Kconfig. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Link: https://lore.kernel.org/bpf/f23f58765a4d59244ebd8037da7b6a6b2fb58446.1620765074.git.daniel@iogearbox.net 2021-05-11 20:35:16 +00:00			`# SPDX-License-Identifier: GPL-2.0-only`

			`# BPF interpreter that, for example, classic socket filters depend on.`
			`config BPF`
			`bool`

			`# Used by archs to tell that they support BPF JIT compiler plus which`
			`# flavour. Only one of the two can be selected for a specific arch since`
			`# eBPF JIT supersedes the cBPF JIT.`

			`# Classic BPF JIT (cBPF)`
			`config HAVE_CBPF_JIT`
			`bool`

			`# Extended BPF JIT (eBPF)`
			`config HAVE_EBPF_JIT`
			`bool`

			`# Used by archs to tell that they want the BPF JIT compiler enabled by`
			`# default for kernels that were compiled with BPF JIT support.`
			`config ARCH_WANT_DEFAULT_BPF_JIT`
			`bool`

			`menu "BPF subsystem"`

			`config BPF_SYSCALL`
			`bool "Enable bpf() system call"`
			`select BPF`
			`select IRQ_WORK`
			`select TASKS_TRACE_RCU`
			`select BINARY_PRINTF`
			`select NET_SOCK_MSG if INET`
			`default n`
			`help`
			`Enable the bpf() system call that allows to manipulate BPF programs`
			`and maps via file descriptors.`

			`config BPF_JIT`
			`bool "Enable BPF Just In Time compiler"`
			`depends on HAVE_CBPF_JIT \|\| HAVE_EBPF_JIT`
			`depends on MODULES`
			`help`
			`BPF programs are normally handled by a BPF interpreter. This option`
			`allows the kernel to generate native code when a program is loaded`
			`into the kernel. This will significantly speed-up processing of BPF`
			`programs.`

			`Note, an admin should enable this feature changing:`
			`/proc/sys/net/core/bpf_jit_enable`
			`/proc/sys/net/core/bpf_jit_harden (optional)`
			`/proc/sys/net/core/bpf_jit_kallsyms (optional)`

			`config BPF_JIT_ALWAYS_ON`
			`bool "Permanently enable BPF JIT and remove BPF interpreter"`
			`depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT`
			`help`
			`Enables BPF JIT and removes BPF interpreter to avoid speculative`
			`execution of BPF instructions by the interpreter.`

			`config BPF_JIT_DEFAULT_ON`
			`def_bool ARCH_WANT_DEFAULT_BPF_JIT \|\| BPF_JIT_ALWAYS_ON`
			`depends on HAVE_EBPF_JIT && BPF_JIT`

			`source "kernel/bpf/preload/Kconfig"`

			`config BPF_LSM`
			`bool "Enable BPF LSM Instrumentation"`
			`depends on BPF_EVENTS`
			`depends on BPF_SYSCALL`
			`depends on SECURITY`
			`depends on BPF_JIT`
			`help`
			`Enables instrumentation of the security hooks with BPF programs for`
			`implementing dynamic MAC and Audit Policies.`

			`If you are unsure how to answer this question, answer N.`

			`endmenu # "BPF subsystem"`