# My eBPF exploration
2024-01-11
Last edit: 2024-01-11

---------------------
Having discovered eBPF and read a few books about it, I'm writing here the esse…
You can find my eBPF (XDP) projects at the bottom of the page.
## What is eBPF?
eBPF stands for extended Berkeley Packet Filter. It's a virtual machine with a …
eBPF mainly avoids having to rewrite the kernel source code and the whole process (…
Linux modules exist and can be loaded dynamically, but there is a problem: th…
### Important features
Kernel probes are an important part of how eBPF functions.
> *"It enables you to dynamically break into any kernel routine and collect deb…
So how can a user (user space) communicate with a BPF program (kernel space)?
It is possible thanks to BPF maps. A map is a key/value store that resides in …
## eBPF program
An eBPF program is nothing more than a set of eBPF instructions in a bytecode f…
An eBPF program takes a pointer to a context that depends on the type of event (def…
There is a set of functions that eBPF programs can call; they are called bpf help…
Not every program type can call every bpf helper function; some are banned by th…
BPF kernel functions, aka kfuncs, allow internal kernel functions to be called from eBPF programs.
## BPF System call
This system call allows us to perform a command on an extended BPF map or progra…
```c
#include <linux/bpf.h>
int bpf(int cmd, union bpf_attr *attr, unsigned int size);
```
An example of the bpf system call output from `strace`.
```text
bpf(BPF_BTF_LOAD, ...) = 3
bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_PERF_EVENT_ARRAY…) = 4
bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_HASH...) = 5
bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_KPROBE,...prog_name="hello",...) = 6
bpf(BPF_MAP_UPDATE_ELEM, ...}
...
```
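As an added example (it is not code from the original post nor from the author's projects), here is a small user-space program that drives the syscall above directly. glibc ships no `bpf()` wrapper, so it goes through `syscall(__NR_bpf, ...)`. It creates a hash map with `BPF_MAP_CREATE`, stores one element with `BPF_MAP_UPDATE_ELEM` and reads it back with `BPF_MAP_LOOKUP_ELEM`, the same commands that show up in the `strace` output, and it is the map side of the user space/kernel space communication described earlier. The function names and the key/value sizes are my own choices; the commands and the `union bpf_attr` fields come from `<linux/bpf.h>`. Creating a map needs `CAP_BPF` (root on older kernels), so without it the demo returns `-errno` (typically `-EPERM`) instead of the stored value.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <linux/bpf.h>
#include <sys/syscall.h>

/* glibc has no bpf() wrapper, so the raw syscall is used. Returns the
 * kernel's result, or -errno when the syscall failed. */
static long sys_bpf(int cmd, union bpf_attr *attr, unsigned int size)
{
    long ret = syscall(__NR_bpf, cmd, attr, size);
    return ret < 0 ? -errno : ret;
}

/* User-space pointers are handed to the kernel as 64-bit integers. */
static __u64 ptr_to_u64(const void *p)
{
    return (__u64)(unsigned long)p;
}

/* Fill the BPF_MAP_CREATE attributes for a hash map (pure, no syscall). */
void fill_hash_map_attr(union bpf_attr *attr, __u32 key_size,
                        __u32 value_size, __u32 max_entries)
{
    memset(attr, 0, sizeof(*attr));   /* unused fields must be zero */
    attr->map_type    = BPF_MAP_TYPE_HASH;
    attr->key_size    = key_size;
    attr->value_size  = value_size;
    attr->max_entries = max_entries;
}

/* Create a hash map; returns its file descriptor or -errno. */
int create_hash_map(__u32 key_size, __u32 value_size, __u32 max_entries)
{
    union bpf_attr attr;
    fill_hash_map_attr(&attr, key_size, value_size, max_entries);
    return (int)sys_bpf(BPF_MAP_CREATE, &attr, sizeof(attr));
}

/* Insert or replace one element (BPF_ANY); returns 0 or -errno. */
int map_update_elem(int map_fd, const void *key, const void *value)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.map_fd = map_fd;
    attr.key    = ptr_to_u64(key);
    attr.value  = ptr_to_u64(value);
    attr.flags  = BPF_ANY;
    return (int)sys_bpf(BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr));
}

/* Copy the value stored under key into *value; returns 0 or -errno
 * (-ENOENT when the key is absent). */
int map_lookup_elem(int map_fd, const void *key, void *value)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.map_fd = map_fd;
    attr.key    = ptr_to_u64(key);
    attr.value  = ptr_to_u64(value);
    return (int)sys_bpf(BPF_MAP_LOOKUP_ELEM, &attr, sizeof(attr));
}

/* Round trip: create a map, store 42 under key 1234, read it back.
 * Returns the value read back, or -errno (e.g. -EPERM without CAP_BPF). */
long long map_roundtrip_demo(void)
{
    int fd = create_hash_map(sizeof(__u32), sizeof(__u64), 16);
    if (fd < 0)
        return fd;
    __u32 key = 1234;                 /* constructed sample key */
    __u64 val = 42, out = 0;          /* constructed sample value */
    int rc = map_update_elem(fd, &key, &val);
    if (rc == 0)
        rc = map_lookup_elem(fd, &key, &out);
    close(fd);
    return rc < 0 ? rc : (long long)out;
}

int main(void)
{
    long long r = map_roundtrip_demo();
    if (r < 0)
        fprintf(stderr, "bpf() failed: %s\n", strerror((int)-r));
    else
        printf("value read back from the map: %lld\n", r);
    return r < 0 ? 1 : 0;
}
```

Build it with `gcc bpf_map_demo.c -o bpf_map_demo` and run it as root; `strace -e bpf ./bpf_map_demo` then shows exactly the `BPF_MAP_CREATE`, `BPF_MAP_UPDATE_ELEM` and `BPF_MAP_LOOKUP_ELEM` lines in the same shape as the trace above. Note that the map is not pinned, so it disappears when the last file descriptor is closed.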
## BTF
BTF stands for BPF Type Format; it is the metadata format that encodes the deb…
> *"BTF provides a standardized way to describe the data structures used by eBP…
The BTF is stored as a BPF map after the BPF program is loaded. It makes the BP…
## CO-RE
CO-RE stands for Compile Once, Run Everywhere; the idea behind it is to compile a …
We can list some CO-RE elements:
- BTF
- Kernel headers
  - Including individual header files
  - Generating kernel headers (vmlinux.h) with `bpftool`
- Compiler support flags like `-g`
- Data structure relocations support for libraries
  - Information relocation based on destination machine data structure differen…
- BPF skeleton
  - Generated with `bpftool`, it allows the programmer to call functions to ma…
## eBPF verifier
The verification process ensures the eBPF bytecode is safe.
It tests every possible execution path; it pushes a copy of the registers onto a stac…
It is optimized to avoid evaluating instructions needlessly, with something called stat…
## XDP
XDP stands for eXpress Data Path; it is a programmable, kernel-integrated packet…
> *"The packet processor is the in-kernel component for XDP programs that proce…
XDP programs can make decisions (drop, pass, etc.) about the received packets.
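An added example of such a decision, written for this page and not taken from the author's tinyknock or tinyfilter projects: a minimal XDP program that drops inbound IPv4 ICMP and passes everything else. The verdict logic lives in `xdp_verdict()`, separate from the `SEC("xdp")` entry point, so it can be exercised in user space on a constructed frame; the `#ifndef __BPF__` tail exists only for that. Every header access is bounded against `data_end`, which is what the verifier described above enforces: without those checks the program is rejected at load time. Function and section names are mine, and `SEC` and `bpf_htons` are local stand-ins for the libbpf macros so that no libbpf headers are needed.

```c
#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/in.h>
#include <linux/ip.h>

/* Local stand-ins for the libbpf macros (bpf/bpf_helpers.h not needed). */
#define SEC(name) __attribute__((section(name), used))
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
#define bpf_htons(x) __builtin_bswap16(x)
#else
#define bpf_htons(x) (x)
#endif

/* Verdict logic, kept separate from the XDP entry point so it can be
 * exercised in user space on a constructed frame. Each header is
 * bounds-checked against data_end before it is read; the verifier
 * refuses to load the program otherwise. */
int xdp_verdict(void *data, void *data_end)
{
    struct ethhdr *eth = data;
    if ((void *)(eth + 1) > data_end)
        return XDP_PASS;            /* truncated frame: let the stack decide */
    if (eth->h_proto != bpf_htons(ETH_P_IP))
        return XDP_PASS;            /* not IPv4, none of our business */

    struct iphdr *ip = (void *)(eth + 1);
    if ((void *)(ip + 1) > data_end)
        return XDP_PASS;            /* IPv4 EtherType but no full header */
    if (ip->ihl < 5)
        return XDP_DROP;            /* malformed header length */
    if (ip->protocol == IPPROTO_ICMP)
        return XDP_DROP;            /* policy: no inbound ICMP */
    return XDP_PASS;
}

/* XDP entry point: the kernel hands over the packet through struct xdp_md,
 * whose data/data_end fields are 32-bit values holding the pointers. */
SEC("xdp")
int xdp_drop_icmp(struct xdp_md *ctx)
{
    void *data     = (void *)(long)ctx->data;
    void *data_end = (void *)(long)ctx->data_end;
    return xdp_verdict(data, data_end);
}

char _license[] SEC("license") = "GPL";

#ifndef __BPF__   /* host-only part: constructed frames to exercise the verdict */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed test frame: Ethernet header + minimal IPv4 header, no payload.
 * Returns the number of bytes written. */
size_t build_ipv4_frame(unsigned char *buf, unsigned char proto)
{
    memset(buf, 0, ETH_HLEN + sizeof(struct iphdr));
    buf[12] = 0x08; buf[13] = 0x00;  /* EtherType IPv4 */
    buf[14] = 0x45;                  /* version 4, IHL 5 */
    buf[23] = proto;                 /* IPv4 protocol field */
    return ETH_HLEN + sizeof(struct iphdr);
}

static const char *action_name(int a)
{
    return a == XDP_DROP ? "XDP_DROP" : a == XDP_PASS ? "XDP_PASS" : "other";
}

int main(void)
{
    unsigned char frame[64];
    size_t n = build_ipv4_frame(frame, IPPROTO_ICMP);
    printf("ICMP frame -> %s\n", action_name(xdp_verdict(frame, frame + n)));
    n = build_ipv4_frame(frame, IPPROTO_TCP);
    printf("TCP frame  -> %s\n", action_name(xdp_verdict(frame, frame + n)));
    return 0;
}
#endif
```

For the kernel side, compile with `clang -O2 -g -target bpf -c xdp_drop_icmp.c -o xdp_drop_icmp.o` (the `-g` is the flag from the CO-RE list above, it emits the BTF) and attach with `ip link set dev <iface> xdp obj xdp_drop_icmp.o sec xdp`; compiling the same file with a host compiler runs the user-space checks instead.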
## Important Linux concepts
Capabilities are a way of dividing the Linux root privilege into smaller "unit…
Seccomp means Secure Computing and is a security layer in Linux that allows you to f…
## Links
Here are some of my XDP projects.
https://github.com/theobori/tinyknock
https://github.com/theobori/tinyfilter