1# SPDX-License-Identifier: GPL-2.0-only
2
3# BPF interpreter that, for example, classic socket filters depend on.
4config BPF
5	bool
6
7# Selected by archs to indicate that they support a BPF JIT compiler, and
8# which flavour. Only one of the two can be selected for a specific arch
9# since the eBPF JIT supersedes the cBPF JIT.
10
11# Classic BPF JIT (cBPF)
12config HAVE_CBPF_JIT
13	bool
14
15# Extended BPF JIT (eBPF)
16config HAVE_EBPF_JIT
17	bool
18
19# Used by archs to tell that they want the BPF JIT compiler enabled by
20# default for kernels that were compiled with BPF JIT support.
21config ARCH_WANT_DEFAULT_BPF_JIT
22	bool
23
24menu "BPF subsystem"
25
26config BPF_SYSCALL
27	bool "Enable bpf() system call"
28	select BPF
29	select IRQ_WORK
30	select TASKS_RCU if PREEMPTION
31	select TASKS_TRACE_RCU
32	select BINARY_PRINTF
33	select NET_SOCK_MSG if NET
34	select NET_XGRESS if NET
35	select PAGE_POOL if NET
36	default n
37	help
38	  Enable the bpf() system call, which allows BPF programs and maps
39	  to be manipulated via file descriptors.
40
41config BPF_JIT
42	bool "Enable BPF Just In Time compiler"
43	depends on BPF
44	depends on HAVE_CBPF_JIT || HAVE_EBPF_JIT
45	depends on MODULES
46	help
47	  BPF programs are normally handled by a BPF interpreter. This option
48	  allows the kernel to generate native code when a program is loaded
49	  into the kernel. This will significantly speed-up processing of BPF
50	  programs.
51
52	  Note, an admin should enable this feature by changing:
53	  /proc/sys/net/core/bpf_jit_enable
54	  /proc/sys/net/core/bpf_jit_harden   (optional, mitigates JIT spraying)
55	  /proc/sys/net/core/bpf_jit_kallsyms (optional, lists JIT images in /proc/kallsyms)
56
57config BPF_JIT_ALWAYS_ON
58	bool "Permanently enable BPF JIT and remove BPF interpreter"
59	depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
60	help
61	  Enables BPF JIT and removes BPF interpreter to avoid speculative
62	  execution of BPF instructions by the interpreter.
63
64	  When CONFIG_BPF_JIT_ALWAYS_ON is enabled, /proc/sys/net/core/bpf_jit_enable
65	  is permanently set to 1, and any attempt to write a different value
66	  to it fails.
67
68config BPF_JIT_DEFAULT_ON
69	def_bool ARCH_WANT_DEFAULT_BPF_JIT || BPF_JIT_ALWAYS_ON
70	depends on HAVE_EBPF_JIT && BPF_JIT
71
72config BPF_UNPRIV_DEFAULT_OFF
73	bool "Disable unprivileged BPF by default"
74	default y
75	depends on BPF_SYSCALL
76	help
77	  Disables unprivileged BPF by default by setting the corresponding
78	  /proc/sys/kernel/unprivileged_bpf_disabled knob to 2. An admin can
79	  still re-enable it later by setting the knob to 0, or permanently
80	  disable it by setting the knob to 1 (after which it can no longer
81	  be changed back to 0).
82
83	  Unprivileged BPF could be used to exploit certain potential
84	  speculative execution side-channel vulnerabilities on unmitigated
85	  affected hardware.
86
87	  If you are unsure how to answer this question, answer Y.
88
89source "kernel/bpf/preload/Kconfig"
90
91config BPF_LSM
92	bool "Enable BPF LSM Instrumentation"
93	depends on BPF_EVENTS
94	depends on BPF_SYSCALL
95	depends on SECURITY
96	depends on BPF_JIT
97	help
98	  Enables instrumentation of the security hooks with BPF programs for
99	  implementing dynamic MAC and Audit Policies.
100
101	  If you are unsure how to answer this question, answer N.
102
103endmenu # "BPF subsystem"
104