cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux

Kconfig (3088B)


      1# SPDX-License-Identifier: GPL-2.0-only
      2
      3# BPF interpreter that, for example, classic socket filters depend on.
       # No prompt string, so the symbol cannot be set by hand; in this file it
       # is switched on through "select BPF" under BPF_SYSCALL.
      4config BPF
      5	bool
      6
      7# Used by archs to tell that they support BPF JIT compiler plus which
      8# flavour. Only one of the two can be selected for a specific arch since
      9# eBPF JIT supersedes the cBPF JIT.
     10
     11# Classic BPF JIT (cBPF)
       # Promptless capability flag. BPF_JIT below accepts either this or
       # HAVE_EBPF_JIT, but BPF_JIT_ALWAYS_ON and BPF_JIT_DEFAULT_ON require
       # HAVE_EBPF_JIT, so with only a cBPF JIT the option that removes the
       # interpreter is not offered.
     12config HAVE_CBPF_JIT
     13	bool
     14
     15# Extended BPF JIT (eBPF)
       # Promptless capability flag; a prerequisite of BPF_JIT_ALWAYS_ON and
       # BPF_JIT_DEFAULT_ON further down, and one of the two flavours that
       # satisfy BPF_JIT.
     16config HAVE_EBPF_JIT
     17	bool
     18
     19# Used by archs to tell that they want the BPF JIT compiler enabled by
     20# default for kernels that were compiled with BPF JIT support.
       # Promptless; its only use in this file is as one input to the def_bool
       # of BPF_JIT_DEFAULT_ON.
     21config ARCH_WANT_DEFAULT_BPF_JIT
     22	bool
     23
     24menu "BPF subsystem"
       # Entries from here to the matching endmenu are listed under this menu.
       # The four symbols declared above it have no prompt and are never shown.
     25
     26config BPF_SYSCALL
       # Build-time gate for the bpf() system call. Each "select" below forces
       # the named symbol on when this option is enabled; the two NET-related
       # ones and TASKS_RCU only when their "if" condition holds.
       # BPF_JIT_ALWAYS_ON, BPF_UNPRIV_DEFAULT_OFF and BPF_LSM in this file all
       # depend on this option, so the hardening choices they offer only exist
       # once the syscall is built in.
     27	bool "Enable bpf() system call"
     28	select BPF
     29	select IRQ_WORK
     30	select TASKS_RCU if PREEMPTION
     31	select TASKS_TRACE_RCU
     32	select BINARY_PRINTF
     33	select NET_SOCK_MSG if NET
     34	select PAGE_POOL if NET
       # Off unless a configuration enables it explicitly.
     35	default n
     36	help
     37	  Enable the bpf() system call that allows to manipulate BPF programs
     38	  and maps via file descriptors.
     39
     40config BPF_JIT
       # User-visible switch for building the BPF JIT. Needs BPF, at least one
       # JIT flavour advertised by the architecture, and MODULES.
       # Per the help text, building the JIT in is separate from using it: it
       # is enabled at run time through bpf_jit_enable (BPF_JIT_ALWAYS_ON below
       # pins that knob to 1).
       # NOTE(review): bpf_jit_harden is listed as optional here; on systems
       # where less-trusted users can load BPF programs its value should be
       # chosen deliberately. Its exact semantics are not shown on this page;
       # check the kernel's sysctl documentation.
     41	bool "Enable BPF Just In Time compiler"
     42	depends on BPF
     43	depends on HAVE_CBPF_JIT || HAVE_EBPF_JIT
     44	depends on MODULES
     45	help
     46	  BPF programs are normally handled by a BPF interpreter. This option
     47	  allows the kernel to generate native code when a program is loaded
     48	  into the kernel. This will significantly speed-up processing of BPF
     49	  programs.
     50
     51	  Note, an admin should enable this feature changing:
     52	  /proc/sys/net/core/bpf_jit_enable
     53	  /proc/sys/net/core/bpf_jit_harden   (optional)
     54	  /proc/sys/net/core/bpf_jit_kallsyms (optional)
     55
     56config BPF_JIT_ALWAYS_ON
       # Hardening option: per the help text it removes the BPF interpreter so
       # that BPF instructions cannot be speculatively executed by it, and it
       # fixes bpf_jit_enable at 1 (writes of any other value fail).
       # It has no "default" line, so it stays off unless chosen explicitly,
       # and it is only offered when the bpf() syscall, an eBPF JIT and BPF_JIT
       # are all present.
     57	bool "Permanently enable BPF JIT and remove BPF interpreter"
     58	depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
     59	help
     60	  Enables BPF JIT and removes BPF interpreter to avoid speculative
     61	  execution of BPF instructions by the interpreter.
     62
     63	  When CONFIG_BPF_JIT_ALWAYS_ON is enabled, /proc/sys/net/core/bpf_jit_enable
     64	  is permanently set to 1 and setting any other value than that will
     65	  return failure.
     66
     67config BPF_JIT_DEFAULT_ON
       # Promptless, computed symbol: y when the architecture sets
       # ARCH_WANT_DEFAULT_BPF_JIT or when BPF_JIT_ALWAYS_ON is enabled, and
       # only if an eBPF JIT and BPF_JIT are built.
       # NOTE(review): presumably consumed as the initial value of
       # bpf_jit_enable; that use is not visible in this file, so confirm.
     68	def_bool ARCH_WANT_DEFAULT_BPF_JIT || BPF_JIT_ALWAYS_ON
     69	depends on HAVE_EBPF_JIT && BPF_JIT
     70
     71config BPF_UNPRIV_DEFAULT_OFF
       # Defaults to y: with the bpf() syscall built in, unprivileged BPF starts
       # out disabled (unprivileged_bpf_disabled = 2 per the help text).
       # The three knob values described in the help differ in reversibility:
       # 2 is a default an admin can later change to 0, while 1 is a one-way
       # setting from which 0 can no longer be reached.
       # NOTE(review): because 2 is only a default, systems that never need
       # unprivileged BPF can set the knob to 1 so it cannot be re-enabled.
     72	bool "Disable unprivileged BPF by default"
     73	default y
     74	depends on BPF_SYSCALL
     75	help
     76	  Disables unprivileged BPF by default by setting the corresponding
     77	  /proc/sys/kernel/unprivileged_bpf_disabled knob to 2. An admin can
     78	  still reenable it by setting it to 0 later on, or permanently
     79	  disable it by setting it to 1 (from which no other transition to
     80	  0 is possible anymore).
     81
     82	  Unprivileged BPF could be used to exploit certain potential
     83	  speculative execution side-channel vulnerabilities on unmitigated
     84	  affected hardware.
     85
     86	  If you are unsure how to answer this question, answer Y.
     87
     88source "kernel/bpf/preload/Kconfig"
       # Includes the options declared in kernel/bpf/preload/Kconfig at this
       # point, inside the "BPF subsystem" menu; that file is not shown here.
     89
     90config BPF_LSM
       # Allows BPF programs to instrument the security hooks (help text:
       # dynamic MAC and audit policies). Requires BPF_EVENTS, the bpf()
       # syscall, SECURITY and BPF_JIT.
       # It has no "default" line, so it stays off unless enabled explicitly.
       # NOTE(review): programs attached this way take part in policy
       # decisions; who may load them is decided outside this file, so verify
       # the loading restrictions before enabling.
     91	bool "Enable BPF LSM Instrumentation"
     92	depends on BPF_EVENTS
     93	depends on BPF_SYSCALL
     94	depends on SECURITY
     95	depends on BPF_JIT
     96	help
     97	  Enables instrumentation of the security hooks with BPF programs for
     98	  implementing dynamic MAC and Audit Policies.
     99
    100	  If you are unsure how to answer this question, answer N.
    101
    102endmenu # "BPF subsystem"