Commit b24abcff authored by Daniel Borkmann's avatar Daniel Borkmann Committed by Alexei Starovoitov
Browse files

bpf, kconfig: Add consolidated menu entry for bpf with core options 



Right now, all core BPF related options are scattered in different Kconfig
locations mainly due to historic reasons. Moving forward, lets add a proper
subsystem entry under ...

  General setup  --->
    BPF subsystem  --->

... in order to have all knobs in a single location and thus ease BPF related
configuration. Networking related bits such as sockmap are out of scope for
the general setup and therefore better suited to remain in net/Kconfig.

Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/f23f58765a4d59244ebd8037da7b6a6b2fb58446.1620765074.git.daniel@iogearbox.net
parent 04ea3086

init/Kconfig

+1 −40
Original line number Diff line number Diff line
@@ -439,6 +439,7 @@ config AUDITSYSCALL 


source "kernel/irq/Kconfig"

source "kernel/time/Kconfig"

source "kernel/bpf/Kconfig"

source "kernel/Kconfig.preempt"



menu "CPU/Task time and stats accounting"
@@ -1705,46 +1706,6 @@ config KALLSYMS_BASE_RELATIVE 


# syscall, maps, verifier



config BPF_LSM

	bool "LSM Instrumentation with BPF"

	depends on BPF_EVENTS

	depends on BPF_SYSCALL

	depends on SECURITY

	depends on BPF_JIT

	help

	  Enables instrumentation of the security hooks with eBPF programs for

	  implementing dynamic MAC and Audit Policies.



	  If you are unsure how to answer this question, answer N.



config BPF_SYSCALL

	bool "Enable bpf() system call"

	select BPF

	select IRQ_WORK

	select TASKS_TRACE_RCU

	select BINARY_PRINTF

	select NET_SOCK_MSG if INET

	default n

	help

	  Enable the bpf() system call that allows to manipulate eBPF

	  programs and maps via file descriptors.



config ARCH_WANT_DEFAULT_BPF_JIT

	bool



config BPF_JIT_ALWAYS_ON

	bool "Permanently enable BPF JIT and remove BPF interpreter"

	depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT

	help

	  Enables BPF JIT and removes BPF interpreter to avoid

	  speculative execution of BPF instructions by the interpreter



config BPF_JIT_DEFAULT_ON

	def_bool ARCH_WANT_DEFAULT_BPF_JIT || BPF_JIT_ALWAYS_ON

	depends on HAVE_EBPF_JIT && BPF_JIT



source "kernel/bpf/preload/Kconfig"



config USERFAULTFD

	bool "Enable userfaultfd() system call"

	depends on MMU

kernel/bpf/Kconfig

0 → 100644
+78 −0
Original line number Diff line number Diff line 
# SPDX-License-Identifier: GPL-2.0-only



# BPF interpreter that, for example, classic socket filters depend on.

config BPF

	bool



# Used by archs to tell that they support BPF JIT compiler plus which

# flavour. Only one of the two can be selected for a specific arch since

# eBPF JIT supersedes the cBPF JIT.



# Classic BPF JIT (cBPF)

config HAVE_CBPF_JIT

	bool



# Extended BPF JIT (eBPF)

config HAVE_EBPF_JIT

	bool



# Used by archs to tell that they want the BPF JIT compiler enabled by

# default for kernels that were compiled with BPF JIT support.

config ARCH_WANT_DEFAULT_BPF_JIT

	bool



menu "BPF subsystem"



config BPF_SYSCALL

	bool "Enable bpf() system call"

	select BPF

	select IRQ_WORK

	select TASKS_TRACE_RCU

	select BINARY_PRINTF

	select NET_SOCK_MSG if INET

	default n

	help

	  Enable the bpf() system call that allows to manipulate BPF programs

	  and maps via file descriptors.



config BPF_JIT

	bool "Enable BPF Just In Time compiler"

	depends on HAVE_CBPF_JIT || HAVE_EBPF_JIT

	depends on MODULES

	help

	  BPF programs are normally handled by a BPF interpreter. This option

	  allows the kernel to generate native code when a program is loaded

	  into the kernel. This will significantly speed-up processing of BPF

	  programs.



	  Note, an admin should enable this feature changing:

	  /proc/sys/net/core/bpf_jit_enable

	  /proc/sys/net/core/bpf_jit_harden   (optional)

	  /proc/sys/net/core/bpf_jit_kallsyms (optional)



config BPF_JIT_ALWAYS_ON

	bool "Permanently enable BPF JIT and remove BPF interpreter"

	depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT

	help

	  Enables BPF JIT and removes BPF interpreter to avoid speculative

	  execution of BPF instructions by the interpreter.



config BPF_JIT_DEFAULT_ON

	def_bool ARCH_WANT_DEFAULT_BPF_JIT || BPF_JIT_ALWAYS_ON

	depends on HAVE_EBPF_JIT && BPF_JIT



source "kernel/bpf/preload/Kconfig"



config BPF_LSM

	bool "Enable BPF LSM Instrumentation"

	depends on BPF_EVENTS

	depends on BPF_SYSCALL

	depends on SECURITY

	depends on BPF_JIT

	help

	  Enables instrumentation of the security hooks with BPF programs for

	  implementing dynamic MAC and Audit Policies.



	  If you are unsure how to answer this question, answer N.



endmenu # "BPF subsystem"

net/Kconfig

+0 −27
Original line number Diff line number Diff line
@@ -302,21 +302,6 @@ config BQL 
	select DQL

	default y



config BPF_JIT

	bool "enable BPF Just In Time compiler"

	depends on HAVE_CBPF_JIT || HAVE_EBPF_JIT

	depends on MODULES

	help

	  Berkeley Packet Filter filtering capabilities are normally handled

	  by an interpreter. This option allows kernel to generate a native

	  code when filter is loaded in memory. This should speedup

	  packet sniffing (libpcap/tcpdump).



	  Note, admin should enable this feature changing:

	  /proc/sys/net/core/bpf_jit_enable

	  /proc/sys/net/core/bpf_jit_harden   (optional)

	  /proc/sys/net/core/bpf_jit_kallsyms (optional)



config BPF_STREAM_PARSER

	bool "enable BPF STREAM_PARSER"

	depends on INET
@@ -470,15 +455,3 @@ config ETHTOOL_NETLINK 
	  e.g. notification messages.



endif   # if NET
 


# Used by archs to tell that they support BPF JIT compiler plus which flavour.

# Only one of the two can be selected for a specific arch since eBPF JIT supersedes

# the cBPF JIT.



# Classic BPF JIT (cBPF)

config HAVE_CBPF_JIT

	bool



# Extended BPF JIT (eBPF)

config HAVE_EBPF_JIT

	bool