2021-05-11 23:35:16 +03:00
|
|
|
# SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
|
|
|
|
# BPF interpreter that, for example, classic socket filters depend on.
|
|
|
|
config BPF
|
|
|
|
bool
|
|
|
|
|
|
|
|
# Used by archs to tell that they support BPF JIT compiler plus which
|
|
|
|
# flavour. Only one of the two can be selected for a specific arch since
|
|
|
|
# eBPF JIT supersedes the cBPF JIT.
|
|
|
|
|
|
|
|
# Classic BPF JIT (cBPF)
|
|
|
|
config HAVE_CBPF_JIT
|
|
|
|
bool
|
|
|
|
|
|
|
|
# Extended BPF JIT (eBPF)
|
|
|
|
config HAVE_EBPF_JIT
|
|
|
|
bool
|
|
|
|
|
|
|
|
# Used by archs to tell that they want the BPF JIT compiler enabled by
|
|
|
|
# default for kernels that were compiled with BPF JIT support.
|
|
|
|
config ARCH_WANT_DEFAULT_BPF_JIT
|
|
|
|
bool
|
|
|
|
|
|
|
|
menu "BPF subsystem"
|
|
|
|
|
|
|
|
config BPF_SYSCALL
|
|
|
|
bool "Enable bpf() system call"
|
|
|
|
select BPF
|
|
|
|
select IRQ_WORK
|
2022-03-17 21:05:09 +03:00
|
|
|
select TASKS_RCU if PREEMPTION
|
2021-05-11 23:35:16 +03:00
|
|
|
select TASKS_TRACE_RCU
|
|
|
|
select BINARY_PRINTF
|
2021-07-04 22:02:42 +03:00
|
|
|
select NET_SOCK_MSG if NET
|
bpf: Add "live packet" mode for XDP in BPF_PROG_RUN
This adds support for running XDP programs through BPF_PROG_RUN in a mode
that enables live packet processing of the resulting frames. Previous uses
of BPF_PROG_RUN for XDP returned the XDP program return code and the
modified packet data to userspace, which is useful for unit testing of XDP
programs.
The existing BPF_PROG_RUN for XDP allows userspace to set the ingress
ifindex and RXQ number as part of the context object being passed to the
kernel. This patch reuses that code, but adds a new mode with different
semantics, which can be selected with the new BPF_F_TEST_XDP_LIVE_FRAMES
flag.
When running BPF_PROG_RUN in this mode, the XDP program return codes will
be honoured: returning XDP_PASS will result in the frame being injected
into the networking stack as if it came from the selected networking
interface, while returning XDP_TX and XDP_REDIRECT will result in the frame
being transmitted out that interface. XDP_TX is translated into an
XDP_REDIRECT operation to the same interface, since the real XDP_TX action
is only possible from within the network drivers themselves, not from the
process context where BPF_PROG_RUN is executed.
Internally, this new mode of operation creates a page pool instance while
setting up the test run, and feeds pages from that into the XDP program.
The setup cost of this is amortised over the number of repetitions
specified by userspace.
To support the performance testing use case, we further optimise the setup
step so that all pages in the pool are pre-initialised with the packet
data, and pre-computed context and xdp_frame objects stored at the start of
each page. This makes it possible to entirely avoid touching the page
content on each XDP program invocation, and enables sending up to 9
Mpps/core on my test box.
Because the data pages are recycled by the page pool, and the test runner
doesn't re-initialise them for each run, subsequent invocations of the XDP
program will see the packet data in the state it was after the last time it
ran on that particular page. This means that an XDP program that modifies
the packet before redirecting it has to be careful about which assumptions
it makes about the packet content, but that is only an issue for the most
naively written programs.
Enabling the new flag is only allowed when not setting ctx_out and data_out
in the test specification, since using it means frames will be redirected
somewhere else, so they can't be returned.
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Link: https://lore.kernel.org/bpf/20220309105346.100053-2-toke@redhat.com
2022-03-09 13:53:42 +03:00
|
|
|
select PAGE_POOL if NET
|
2021-05-11 23:35:16 +03:00
|
|
|
default n
|
|
|
|
help
|
|
|
|
Enable the bpf() system call that allows to manipulate BPF programs
|
|
|
|
and maps via file descriptors.
|
|
|
|
|
|
|
|
config BPF_JIT
|
|
|
|
bool "Enable BPF Just In Time compiler"
|
2021-05-12 21:57:14 +03:00
|
|
|
depends on BPF
|
2021-05-11 23:35:16 +03:00
|
|
|
depends on HAVE_CBPF_JIT || HAVE_EBPF_JIT
|
|
|
|
depends on MODULES
|
|
|
|
help
|
|
|
|
BPF programs are normally handled by a BPF interpreter. This option
|
|
|
|
allows the kernel to generate native code when a program is loaded
|
|
|
|
into the kernel. This will significantly speed-up processing of BPF
|
|
|
|
programs.
|
|
|
|
|
|
|
|
Note, an admin should enable this feature changing:
|
|
|
|
/proc/sys/net/core/bpf_jit_enable
|
|
|
|
/proc/sys/net/core/bpf_jit_harden (optional)
|
|
|
|
/proc/sys/net/core/bpf_jit_kallsyms (optional)
|
|
|
|
|
|
|
|
config BPF_JIT_ALWAYS_ON
|
|
|
|
bool "Permanently enable BPF JIT and remove BPF interpreter"
|
|
|
|
depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
|
|
|
|
help
|
|
|
|
Enables BPF JIT and removes BPF interpreter to avoid speculative
|
|
|
|
execution of BPF instructions by the interpreter.
|
|
|
|
|
2022-02-22 12:57:05 +03:00
|
|
|
When CONFIG_BPF_JIT_ALWAYS_ON is enabled, /proc/sys/net/core/bpf_jit_enable
|
|
|
|
is permanently set to 1 and setting any other value than that will
|
|
|
|
return failure.
|
|
|
|
|
2021-05-11 23:35:16 +03:00
|
|
|
config BPF_JIT_DEFAULT_ON
|
|
|
|
def_bool ARCH_WANT_DEFAULT_BPF_JIT || BPF_JIT_ALWAYS_ON
|
|
|
|
depends on HAVE_EBPF_JIT && BPF_JIT
|
|
|
|
|
2021-05-11 23:35:17 +03:00
|
|
|
config BPF_UNPRIV_DEFAULT_OFF
|
|
|
|
bool "Disable unprivileged BPF by default"
|
2021-10-29 22:43:54 +03:00
|
|
|
default y
|
2021-05-11 23:35:17 +03:00
|
|
|
depends on BPF_SYSCALL
|
|
|
|
help
|
|
|
|
Disables unprivileged BPF by default by setting the corresponding
|
|
|
|
/proc/sys/kernel/unprivileged_bpf_disabled knob to 2. An admin can
|
|
|
|
still reenable it by setting it to 0 later on, or permanently
|
|
|
|
disable it by setting it to 1 (from which no other transition to
|
|
|
|
0 is possible anymore).
|
|
|
|
|
2021-10-29 22:43:54 +03:00
|
|
|
Unprivileged BPF could be used to exploit certain potential
|
|
|
|
speculative execution side-channel vulnerabilities on unmitigated
|
|
|
|
affected hardware.
|
|
|
|
|
|
|
|
If you are unsure how to answer this question, answer Y.
|
|
|
|
|
2021-05-11 23:35:16 +03:00
|
|
|
source "kernel/bpf/preload/Kconfig"
|
|
|
|
|
|
|
|
config BPF_LSM
|
|
|
|
bool "Enable BPF LSM Instrumentation"
|
|
|
|
depends on BPF_EVENTS
|
|
|
|
depends on BPF_SYSCALL
|
|
|
|
depends on SECURITY
|
|
|
|
depends on BPF_JIT
|
|
|
|
help
|
|
|
|
Enables instrumentation of the security hooks with BPF programs for
|
|
|
|
implementing dynamic MAC and Audit Policies.
|
|
|
|
|
|
|
|
If you are unsure how to answer this question, answer N.
|
|
|
|
|
|
|
|
endmenu # "BPF subsystem"
|