 |
My eBPF exploration |
|
2024-01-11 |
|
Last edit: 2024-01-11 |
|
--------------------- |
|
|
|
Having discovered eBPF and read a few books about it, I'm writing here the esse… |
|
|
|
You can find my eBPF (XDP) projects at the bottom of the page. |
|
|
|
## What is eBPF ? |
|
|
|
eBPF stands for extended Berkeley Packet Filter. It's a virtual machine with a … |
|
|
|
eBPF mainly avoid use to rewrite the kernel source code and the whole process (… |
|
|
|
Linux modules exist, they can be loaded dynamically, but there is a problem, th… |
|
|
|
### Important features |
|
|
 |
Kernel probe |
|
is an important part of the eBPF functioning. |
|
> *"It enables you to dynamically break into any kernel routine and collect deb… |
|
|
|
So how can a user (user space) communicate with a BPF program (kernel space) ? |
|
|
|
It is possible thanks to BPF maps. A map is a key/value stores that resides in … |
|
|
|
## eBPF program |
|
|
|
An eBPF program is nothing else than a set of eBPF instructions in a bytecode f… |
|
|
|
eBPF program take a pointer to a context that depends of the type of event (def… |
|
|
|
There are a set of functions that eBPF programs can call, it is called bpf help… |
|
|
|
Each program type cannot call every bpf helper functions, some are banned by th… |
|
|
|
BPF Kernel functions |
|
aka kfuncs allow internal kernel functions to be called from eBPF programs. |
|
|
|
## BPF System call |
|
|
|
This system call allow us to perform a command on an extended BPF map or progra… |
|
|
|
```c |
|
#include |
|
|
|
int bpf(int cmd, union bpf_attr *attr, unsigned int size); |
|
``` |
|
|
|
An example of the bpf system call output from `strace`. |
|
|
|
```text |
|
bpf(BPF_BTF_LOAD, ...) = 3 |
|
bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_PERF_EVENT_ARRAY…) = 4 |
|
bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_HASH...) = 5 |
|
bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_KPROBE,...prog_name="hello",...) = 6 |
|
bpf(BPF_MAP_UPDATE_ELEM, ...} |
|
... |
|
``` |
|
|
|
## BTF |
|
|
|
BTF stands for BPF Type Format, it is the metadata format which encodes the deb… |
|
|
|
> *"BTF provides a standardized way to describe the data structures used by eBP… |
|
|
|
The BTF is stored as a BPF map after the BPF program is loaded. It makes the BP… |
|
|
|
## CO-RE |
|
|
|
CO-RE stands for Compile Once, Run Everywhere, the idea behing is to compile a … |
|
|
|
We can list some CO-RE elements: |
|
- BTF |
|
- Kernel headers |
|
- Including individual header files |
|
- Generating kernel headers (vmlinux.h) with `bpftool` |
|
- Compiler support flags like `-g` |
|
- Data structure relocations support for libraries |
|
- Information relocation based on destination machine data structure differen… |
|
- BPF skeleton |
|
- Generated with `bpftool`, it allows the programmer to call functions to ma… |
|
|
|
## eBPF verifier |
|
|
|
The verification process ensures the eBPF bytecode is safe. |
|
|
|
It tests every possible execution paths, it pushes copy of the regs onto a stac… |
|
|
|
It is optimized to avoid evaluating the instructions with something called stat… |
|
|
|
## XDP |
|
|
|
XDP stands for eXpress Data Path, it is a programmable kernel-integrated packet… |
|
|
|
> *"The packet processor is the in-kernel component for XDP programs that proce… |
|
|
|
XDP programs can make decision (drop, pass, etc..) on the received packets. |
|
|
|
## Important Linux concepts |
|
|
|
The capabilities are a way of dividing Linux root privileged into smaller "unit… |
|
|
|
Seccomp means Secure Computing and is a security layer in Linux that allow to f… |
|
|
|
## Links |
|
|
|
Here are some of my XDP projects. |
|
|
|
https://github.com/theobori/tinyknock |
|
|
|
https://github.com/theobori/tinyfilter |
|
