|
1 |
| -# Kernel Configuration for BPF Features |
| 1 | +# BPF 特性的内核配置 |
2 | 2 |
|
3 |
| -## BPF Related Kernel Configurations |
| 3 | +## 与 BPF 相关的内核配置 |
4 | 4 |
|
5 |
| -| Functionalities | Kernel Configuration | Description | |
6 |
| -|:----------------|:---------------------|:------------| |
7 |
| -| **Basic** | CONFIG_BPF_SYSCALL | Enable the bpf() system call | |
8 |
| -| | CONFIG_BPF_JIT | BPF programs are normally handled by a BPF interpreter. This option allows the kernel to generate native code when a program is loaded into the kernel. This will significantly speed-up processing of BPF programs | |
9 |
| -| | CONFIG_HAVE_BPF_JIT | Enable BPF Just In Time compiler | |
10 |
| -| | CONFIG_HAVE_EBPF_JIT | Extended BPF JIT (eBPF) | |
11 |
| -| | CONFIG_HAVE_CBPF_JIT | Classic BPF JIT (cBPF) | |
12 |
| -| | CONFIG_MODULES | Enable to build loadable kernel modules | |
13 |
| -| | CONFIG_BPF | BPF VM interpreter | |
14 |
| -| | CONFIG_BPF_EVENTS | Allow the user to attach BPF programs to kprobe, uprobe, and tracepoint events | |
15 |
| -| | CONFIG_PERF_EVENTS | Kernel performance events and counters | |
16 |
| -| | CONFIG_HAVE_PERF_EVENTS | Enable perf events | |
17 |
| -| | CONFIG_PROFILING | Enable the extended profiling support mechanisms used by profilers | |
18 |
| -| **BTF** | CONFIG_DEBUG_INFO_BTF | Generate deduplicated BTF type information from DWARF debug info | |
19 |
| -| | CONFIG_PAHOLE_HAS_SPLIT_BTF | Generate BTF for each selected kernel module | |
20 |
| -| | CONFIG_DEBUG_INFO_BTF_MODULES | Generate compact split BTF type information for kernel modules | |
21 |
| -| **Security** | CONFIG_BPF_JIT_ALWAYS_ON | Enable BPF JIT and removes BPF interpreter to avoid speculative execution | |
22 |
| -| | CONFIG_BPF_UNPRIV_DEFAULT_OFF | Disable unprivileged BPF by default by setting | |
23 |
| -| **Cgroup** | CONFIG_CGROUP_BPF | Support for BPF programs attached to cgroups | |
24 |
| -| **Network** | CONFIG_BPFILTER | BPF based packet filtering framework (BPFILTER) | |
25 |
| -| | CONFIG_BPFILTER_UMH | This builds bpfilter kernel module with embedded user mode helper | |
26 |
| -| | CONFIG_NET_CLS_BPF | BPF-based classifier - to classify packets based on programmable BPF (JIT'ed) filters as an alternative to ematches | |
27 |
| -| | CONFIG_NET_ACT_BPF | Execute BPF code on packets. The BPF code will decide if the packet should be dropped or not | |
28 |
| -| | CONFIG_BPF_STREAM_PARSER | Enable this to allow a TCP stream parser to be used with BPF_MAP_TYPE_SOCKMAP | |
29 |
| -| | CONFIG_LWTUNNEL_BPF | Allow to run BPF programs as a nexthop action following a route lookup for incoming and outgoing packets | |
30 |
| -| | CONFIG_NETFILTER_XT_MATCH_BPF | BPF matching applies a linux socket filter to each packet and accepts those for which the filter returns non-zero | |
31 |
| -| | CONFIG_IPV6_SEG6_BPF | To support BPF seg6local hook. bpf: Add IPv6 Segment Routing helpersy. [Reference](https://github.com/torvalds/linux/commit/fe94cc290f535709d3c5ebd1e472dfd0aec7ee7) | |
32 |
| -| **kprobes** | CONFIG_KPROBE_EVENTS | This allows the user to add tracing events (similar to tracepoints) on the fly via the ftrace interface | |
33 |
| -| | CONFIG_KPROBES | Enable kprobes-based dynamic events | |
34 |
| -| | CONFIG_HAVE_KPROBES | Check if krpobes enabled | |
35 |
| -| | CONFIG_HAVE_REGS_AND_STACK_ACCESS_API | This symbol should be selected by an architecture if it supports the API needed to access registers and stack entries from pt_regs. For example the kprobes-based event tracer needs this API. | |
36 |
| -| | CONFIG_KPROBES_ON_FTRACE | Have kprobes on function tracer if arch supports full passing of pt_regs to function tracing | |
37 |
| -| **kprobe multi** | CONFIG_FPROBE | Enable fprobe to attach the probe on multiple functions at once | |
38 |
| -| **kprobe override** | CONFIG_BPF_KPROBE_OVERRIDE | Enable BPF programs to override a kprobed function | |
39 |
| -| **uprobes** | CONFIG_UPROBE_EVENTS | Enable uprobes-based dynamic events | |
40 |
| -| | CONFIG_ARCH_SUPPORTS_UPROBES | Arch specific uprobes support | |
41 |
| -| | CONFIG_UPROBES | Uprobes is the user-space counterpart to kprobes: they enable instrumentation applications (such as 'perf probe') to establish unintrusive probes in user-space binaries and libraries, by executing handler functions when the probes are hit by user-space applications. | |
42 |
| -| | CONFIG_MMU | MMU-based virtualised addressing space support by paged memory management | |
43 |
| -| **Tracepoints** | CONFIG_TRACEPOINTS | Enable inserting tracepoints in the kernel and connect to proble functions | |
44 |
| -| | CONFIG_HAVE_SYSCALL_TRACEPOINTS | Enable syscall enter/exit tracing | |
| 5 | +| 功能 | 内核配置 | 描述 | |
| 6 | +|:----|:----------|:-----| |
| 7 | +| **基础** | CONFIG_BPF_SYSCALL | 启用 bpf() 系统调用 | |
| 8 | +| | CONFIG_BPF_JIT | BPF 程序通常由 BPF 解释器处理。此选项允许内核在加载程序时生成本地代码。这将显著加速 BPF 程序的处理 | |
| 9 | +| | CONFIG_HAVE_BPF_JIT | 启用 BPF 即时编译器 | |
| 10 | +| | CONFIG_HAVE_EBPF_JIT | 扩展 BPF JIT (eBPF) | |
| 11 | +| | CONFIG_HAVE_CBPF_JIT | 经典 BPF JIT (cBPF) | |
| 12 | +| | CONFIG_MODULES | 启用可加载内核模块的构建 | |
| 13 | +| | CONFIG_BPF | BPF VM 解释器 | |
| 14 | +| | CONFIG_BPF_EVENTS | 允许用户将 BPF 程序附加到 kprobe、uprobe 和 tracepoint 事件上 | |
| 15 | +| | CONFIG_PERF_EVENTS | 内核性能事件和计数器 | |
| 16 | +| | CONFIG_HAVE_PERF_EVENTS | 启用性能事件 | |
| 17 | +| | CONFIG_PROFILING | 启用分析器使用的扩展分析支持机制 | |
| 18 | +| **BTF** | CONFIG_DEBUG_INFO_BTF | 从 DWARF 调试信息生成去重的 BTF 类型信息 | |
| 19 | +| | CONFIG_PAHOLE_HAS_SPLIT_BTF | 为每个选定的内核模块生成 BTF | |
| 20 | +| | CONFIG_DEBUG_INFO_BTF_MODULES | 为内核模块生成紧凑的分割 BTF 类型信息 | |
| 21 | +| **安全** | CONFIG_BPF_JIT_ALWAYS_ON | 启用 BPF JIT 并删除 BPF 解释器以避免猜测执行 | |
| 22 | +| | CONFIG_BPF_UNPRIV_DEFAULT_OFF | 通过设置默认禁用非特权 BPF | |
| 23 | +| **Cgroup** | CONFIG_CGROUP_BPF | 支持将 BPF 程序附加到 cgroup 上 | |
| 24 | +| **网络** | CONFIG_BPFILTER | 基于 BPF 的数据包过滤框架 (BPFILTER) | |
| 25 | +| | CONFIG_BPFILTER_UMH | 使用内嵌的用户模式助手构建 bpfilter 内核模块 | |
| 26 | +| | CONFIG_NET_CLS_BPF | 基于可编程 BPF (JIT'ed) 过滤器进行数据包分类的基于 BPF 的分类器的替代方法 || | CONFIG_NET_ACT_BPF | 在数据包上执行BPF代码。BPF代码将决定是否丢弃数据包 | |
| 27 | +| | CONFIG_BPF_STREAM_PARSER | 启用此功能,允许使用BPF_MAP_TYPE_SOCKMAP与TCP流解析器配合使用 | |
| 28 | +| | CONFIG_LWTUNNEL_BPF | 在路由查找入站和出站数据包后,允许作为下一跳操作运行BPF程序 | |
| 29 | +| | CONFIG_NETFILTER_XT_MATCH_BPF | BPF匹配将对每个数据包应用Linux套接字过滤器,并接受过滤器返回非零值的数据包 | |
| 30 | +| | CONFIG_IPV6_SEG6_BPF | 为支持BPF seg6local挂钩,添加IPv6 Segement Routing助手 [参考](https://github.com/torvalds/linux/commit/fe94cc290f535709d3c5ebd1e472dfd0aec7ee7) | |
| 31 | +| **kprobes** | CONFIG_KPROBE_EVENTS | 允许用户通过ftrace接口动态添加跟踪事件(类似于tracepoints) | |
| 32 | +| | CONFIG_KPROBES | 启用基于kprobes的动态事件 | |
| 33 | +| | CONFIG_HAVE_KPROBES | 检查是否启用了kprobes | |
| 34 | +| | CONFIG_HAVE_REGS_AND_STACK_ACCESS_API | 如果架构支持从pt_regs访问寄存器和堆栈条目所需的API,则应该选择此符号。例如,基于kprobes的事件跟踪器需要此API | |
| 35 | +| | CONFIG_KPROBES_ON_FTRACE | 如果架构支持将pt_regs完全传递给函数跟踪,则在函数跟踪器上有kprobes | |
| 36 | +| **kprobe multi** | CONFIG_FPROBE | 启用fprobe以一次性在多个函数上附加探测点 | |
| 37 | +| **kprobe override** | CONFIG_BPF_KPROBE_OVERRIDE | 启用BPF程序覆盖kprobed函数 | |
| 38 | +| **uprobes** | CONFIG_UPROBE_EVENTS | 启用基于uprobes的动态事件 | |
| 39 | +| | CONFIG_ARCH_SUPPORTS_UPROBES | 架构特定的uprobes支持 | |
| 40 | +| | CONFIG_UPROBES | Uprobes是kprobes的用户空间对应项:它们允许仪器应用程序(如'perf probe')在用户空间二进制文件和库中建立非侵入性探测点,并在用户空间应用程序触发探测点时执行处理函数。 || | CONFIG_MMU | 基于MMU的虚拟化寻址空间支持,通过分页内存管理 | |
| 41 | +| **Tracepoints** | CONFIG_TRACEPOINTS | 启用在内核中插入Tracepoints并与问题函数连接 | |
| 42 | +| | CONFIG_HAVE_SYSCALL_TRACEPOINTS | 启用系统调用进入/退出跟踪 | |
45 | 43 | | **Raw Tracepoints** | Same as Tracepoints | |
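Review bot: Two table rows are lost in the translated table. At new line 26 the CONFIG_NET_ACT_BPF row is appended to the CONFIG_NET_CLS_BPF row after `||`, and at new line 40 the CONFIG_MMU row is appended to the CONFIG_UPROBES row the same way, so neither option gets its own row (the new table is 42 lines where the old one had 44). Put each back on its own line starting with `| | CONFIG_...`. Several translations in this region also change the meaning: 猜测执行 (new line 21) should be 推测执行 for "speculative execution"; 问题函数 (new line 41) turns the source typo "proble functions" into "problem functions" where 探测函数 is meant; the CONFIG_NET_CLS_BPF description drops "ematches", leaving 替代方法 with nothing to be an alternative to; and "Segement" (new line 30) should be "Segment".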
|
46 |
| -| **LSM** | CONFIG_BPF_LSM | Enable instrumentation of the security hooks with BPF programs for implementing dynamic MAC and Audit Policies | |
47 |
| -| **LIRC** | CONFIG_BPF_LIRC_MODE2 | Allow attaching BPF programs to a lirc device | |
48 |
| - |
| 44 | +| **LSM** | CONFIG_BPF_LSM | 使用BPF程序对安全钩子进行仪器化,实现动态MAC和审计策略 | |
| 45 | +| **LIRC** | CONFIG_BPF_LIRC_MODE2 | 允许将BPF程序附加到lirc设备 | |
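Review bot: 仪器化 in the CONFIG_BPF_LSM row (new line 44) is a word-for-word rendering of "instrumentation"; 插桩 is the established term, and the same applies to 仪器应用程序 in the CONFIG_UPROBES row. The unchanged row directly above, `| **Raw Tracepoints** | Same as Tracepoints |`, is left in English inside an otherwise translated table and has two cells in a three-column table; translate it and add the missing cell as part of this change.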