bpf.2: Kernel 4.15 added CONFIG_BPF_JIT_ALWAYS_ON

This causes the JIT compiler to be always on and forces bpf_jit_enable to 1. Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-03-05 15:36:26 +01:00 · 2018-03-05 15:36:26 +01:00 · 5a29959a67
parent 036b0619f7
commit 5a29959a67
1 changed files with 13 additions and 1 deletions
--- a/man2/bpf.2
+++ b/man2/bpf.2
@ -1152,7 +1152,8 @@ files in the kernel source tree.
 .PP
 The kernel contains a just-in-time (JIT) compiler that translates
 eBPF bytecode into native machine code for better performance.
-The JIT compiler is disabled by default,
+In kernels before Linux 4.15,
+the JIT compiler is disabled by default,
 but its operation can be controlled by writing one of the
 following integer strings to the file
 .IR /proc/sys/net/core/bpf_jit_enable :
@ -1167,6 +1168,17 @@ These opcodes can then be disassembled using the program
 .IR tools/net/bpf_jit_disasm.c
 provided in the kernel source tree.
 .PP
+Since Linux 4.15,
+.\" commit 290af86629b25ffd1ed6232c4e9107da031705cb
+the kernel may configured with the
+.B CONFIG_BPF_JIT_ALWAYS_ON
+option.
+In this case, the JIT compiler is always enabled, and the
+.I bpf_jit_enable
+is initialized to 1 and is immutable.
+(This kernel configuration option was provided as a mitigation for
+one of the Spectre attacks against the BPF interpreter.)
+.PP
 JIT compiler for eBPF is currently available for the x86-64, arm64,
 and s390 architectures.
 .SH SEE ALSO