Skip to content

Commit

Permalink
bpf, kconfig: Add consolidated menu entry for bpf with core options
Browse files Browse the repository at this point in the history
Right now, all core BPF related options are scattered in different Kconfig
locations mainly due to historic reasons. Moving forward, lets add a proper
subsystem entry under ...

  General setup  --->
    BPF subsystem  --->

... in order to have all knobs in a single location and thus ease BPF related
configuration. Networking related bits such as sockmap are out of scope for
the general setup and therefore better suited to remain in net/Kconfig.

Signed-off-by: Daniel Borkmann <[email protected]>
Signed-off-by: Alexei Starovoitov <[email protected]>
Link: https://lore.kernel.org/bpf/f23f58765a4d59244ebd8037da7b6a6b2fb58446.1620765074.git.daniel@iogearbox.net
  • Loading branch information
borkmann authored and Alexei Starovoitov committed May 11, 2021
1 parent 04ea308 commit b24abcf
Show file tree
Hide file tree
Showing 3 changed files with 79 additions and 67 deletions.
41 changes: 1 addition & 40 deletions init/Kconfig
Original file line number Diff line number Diff line change
Expand Up @@ -439,6 +439,7 @@ config AUDITSYSCALL

source "kernel/irq/Kconfig"
source "kernel/time/Kconfig"
source "kernel/bpf/Kconfig"
source "kernel/Kconfig.preempt"

menu "CPU/Task time and stats accounting"
Expand Down Expand Up @@ -1705,46 +1706,6 @@ config KALLSYMS_BASE_RELATIVE

# syscall, maps, verifier

config BPF_LSM
bool "LSM Instrumentation with BPF"
depends on BPF_EVENTS
depends on BPF_SYSCALL
depends on SECURITY
depends on BPF_JIT
help
Enables instrumentation of the security hooks with eBPF programs for
implementing dynamic MAC and Audit Policies.

If you are unsure how to answer this question, answer N.

config BPF_SYSCALL
bool "Enable bpf() system call"
select BPF
select IRQ_WORK
select TASKS_TRACE_RCU
select BINARY_PRINTF
select NET_SOCK_MSG if INET
default n
help
Enable the bpf() system call that allows to manipulate eBPF
programs and maps via file descriptors.

config ARCH_WANT_DEFAULT_BPF_JIT
bool

config BPF_JIT_ALWAYS_ON
bool "Permanently enable BPF JIT and remove BPF interpreter"
depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
help
Enables BPF JIT and removes BPF interpreter to avoid
speculative execution of BPF instructions by the interpreter

config BPF_JIT_DEFAULT_ON
def_bool ARCH_WANT_DEFAULT_BPF_JIT || BPF_JIT_ALWAYS_ON
depends on HAVE_EBPF_JIT && BPF_JIT

source "kernel/bpf/preload/Kconfig"

config USERFAULTFD
bool "Enable userfaultfd() system call"
depends on MMU
Expand Down
78 changes: 78 additions & 0 deletions kernel/bpf/Kconfig
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
# SPDX-License-Identifier: GPL-2.0-only

# BPF interpreter that, for example, classic socket filters depend on.
config BPF
bool

# Used by archs to tell that they support BPF JIT compiler plus which
# flavour. Only one of the two can be selected for a specific arch since
# eBPF JIT supersedes the cBPF JIT.

# Classic BPF JIT (cBPF)
config HAVE_CBPF_JIT
bool

# Extended BPF JIT (eBPF)
config HAVE_EBPF_JIT
bool

# Used by archs to tell that they want the BPF JIT compiler enabled by
# default for kernels that were compiled with BPF JIT support.
config ARCH_WANT_DEFAULT_BPF_JIT
bool

menu "BPF subsystem"

config BPF_SYSCALL
bool "Enable bpf() system call"
select BPF
select IRQ_WORK
select TASKS_TRACE_RCU
select BINARY_PRINTF
select NET_SOCK_MSG if INET
default n
help
Enable the bpf() system call that allows to manipulate BPF programs
and maps via file descriptors.

config BPF_JIT
bool "Enable BPF Just In Time compiler"
depends on HAVE_CBPF_JIT || HAVE_EBPF_JIT
depends on MODULES
help
BPF programs are normally handled by a BPF interpreter. This option
allows the kernel to generate native code when a program is loaded
into the kernel. This will significantly speed-up processing of BPF
programs.

Note, an admin should enable this feature changing:
/proc/sys/net/core/bpf_jit_enable
/proc/sys/net/core/bpf_jit_harden (optional)
/proc/sys/net/core/bpf_jit_kallsyms (optional)

config BPF_JIT_ALWAYS_ON
bool "Permanently enable BPF JIT and remove BPF interpreter"
depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
help
Enables BPF JIT and removes BPF interpreter to avoid speculative
execution of BPF instructions by the interpreter.

config BPF_JIT_DEFAULT_ON
def_bool ARCH_WANT_DEFAULT_BPF_JIT || BPF_JIT_ALWAYS_ON
depends on HAVE_EBPF_JIT && BPF_JIT

source "kernel/bpf/preload/Kconfig"

config BPF_LSM
bool "Enable BPF LSM Instrumentation"
depends on BPF_EVENTS
depends on BPF_SYSCALL
depends on SECURITY
depends on BPF_JIT
help
Enables instrumentation of the security hooks with BPF programs for
implementing dynamic MAC and Audit Policies.

If you are unsure how to answer this question, answer N.

endmenu # "BPF subsystem"
27 changes: 0 additions & 27 deletions net/Kconfig
Original file line number Diff line number Diff line change
Expand Up @@ -302,21 +302,6 @@ config BQL
select DQL
default y

config BPF_JIT
bool "enable BPF Just In Time compiler"
depends on HAVE_CBPF_JIT || HAVE_EBPF_JIT
depends on MODULES
help
Berkeley Packet Filter filtering capabilities are normally handled
by an interpreter. This option allows kernel to generate a native
code when filter is loaded in memory. This should speedup
packet sniffing (libpcap/tcpdump).

Note, admin should enable this feature changing:
/proc/sys/net/core/bpf_jit_enable
/proc/sys/net/core/bpf_jit_harden (optional)
/proc/sys/net/core/bpf_jit_kallsyms (optional)

config BPF_STREAM_PARSER
bool "enable BPF STREAM_PARSER"
depends on INET
Expand Down Expand Up @@ -470,15 +455,3 @@ config ETHTOOL_NETLINK
e.g. notification messages.

endif # if NET

# Used by archs to tell that they support BPF JIT compiler plus which flavour.
# Only one of the two can be selected for a specific arch since eBPF JIT supersedes
# the cBPF JIT.

# Classic BPF JIT (cBPF)
config HAVE_CBPF_JIT
bool

# Extended BPF JIT (eBPF)
config HAVE_EBPF_JIT
bool

0 comments on commit b24abcf

Please sign in to comment.