My eBPF exploration
2024-01-11
Last edit: 2024-01-11
---------------------
Having discovered eBPF and read a few books about it, I'm writing here the esse…
You can find my eBPF (XDP) projects at the bottom of the page.
## What is eBPF?
eBPF stands for extended Berkeley Packet Filter. It's a virtual machine with a …
eBPF mainly avoids having to rewrite the kernel source code and go through the whole process (…
Linux kernel modules exist and can be loaded dynamically, but there is a problem: th…
### Important features
Kernel probes (kprobes) are an important part of how eBPF works.
> *"It enables you to dynamically break into any kernel routine and collect deb…
So how can a user (user space) communicate with a BPF program (kernel space)?
It is possible thanks to BPF maps. A map is a key/value store that resides in …
## eBPF program
An eBPF program is nothing more than a set of eBPF instructions in a bytecode f…
An eBPF program takes a pointer to a context that depends on the type of event (def…
There is a set of functions that eBPF programs can call; they are called bpf help…
Not every program type can call every bpf helper function; some are banned by th…
BPF kernel functions, aka kfuncs, allow internal kernel functions to be called from eBPF programs.
## BPF System call
This system call allows us to perform a command on an extended BPF map or progra…
```c
#include <linux/bpf.h>   /* union bpf_attr and the BPF_* command constants */
/* Prototype as documented in bpf(2); glibc exposes it through syscall(2). */
int bpf(int cmd, union bpf_attr *attr, unsigned int size);
```
An example of bpf system calls as they appear in `strace` output:
```text
bpf(BPF_BTF_LOAD, ...) = 3
bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_PERF_EVENT_ARRAY…) = 4
bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_HASH...) = 5
bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_KPROBE,...prog_name="hello",...) = 6
bpf(BPF_MAP_UPDATE_ELEM, ...}
...
```
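The `strace` lines above show user space creating a map and then updating it; the following is an added example (not code from the original post) that performs the same BPF_MAP_CREATE, BPF_MAP_UPDATE_ELEM and BPF_MAP_LOOKUP_ELEM commands through the raw `bpf(2)` system call, which is how user space and BPF programs share data through maps. It assumes Linux with `<linux/bpf.h>` installed; the map types, commands and `union bpf_attr` fields are the kernel's own, while `create_hash_map`, `map_update`, `map_lookup` and `map_roundtrip` are names chosen here. Without CAP_BPF (CAP_SYS_ADMIN on older kernels) the kernel answers -EPERM, which the wrappers pass back instead of hiding.

```c
/* Added example: BPF hash map round trip from user space via bpf(2).
 * Assumes Linux; falls back to -ENOSYS where <linux/bpf.h> is unavailable. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef __has_include
# if __has_include(<linux/bpf.h>)
#  define HAVE_BPF 1
# endif
#endif
#ifndef HAVE_BPF
# define HAVE_BPF 0
#endif

#if HAVE_BPF
#include <linux/bpf.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Thin wrapper: returns the fd/result, or -errno so callers see why it failed. */
static long sys_bpf(int cmd, union bpf_attr *attr, unsigned int size)
{
    long ret = syscall(__NR_bpf, cmd, attr, size);
    return ret < 0 ? -errno : ret;
}
#endif

/* BPF_MAP_CREATE: hash map with 4-byte keys and 8-byte values (name chosen here). */
long create_hash_map(unsigned int max_entries)
{
#if HAVE_BPF
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));          /* unused attr bytes must be zero */
    attr.map_type    = BPF_MAP_TYPE_HASH;
    attr.key_size    = sizeof(uint32_t);
    attr.value_size  = sizeof(uint64_t);
    attr.max_entries = max_entries;
    return sys_bpf(BPF_MAP_CREATE, &attr, sizeof(attr));
#else
    (void)max_entries;
    return -ENOSYS;
#endif
}

/* BPF_MAP_UPDATE_ELEM: the kernel copies key/value from these user pointers. */
long map_update(int fd, uint32_t key, uint64_t value)
{
#if HAVE_BPF
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.map_fd = (uint32_t)fd;
    attr.key    = (uint64_t)(uintptr_t)&key;
    attr.value  = (uint64_t)(uintptr_t)&value;
    attr.flags  = BPF_ANY;                   /* create or overwrite */
    return sys_bpf(BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr));
#else
    (void)fd; (void)key; (void)value;
    return -ENOSYS;
#endif
}

/* BPF_MAP_LOOKUP_ELEM: value is written back into *value_out. */
long map_lookup(int fd, uint32_t key, uint64_t *value_out)
{
#if HAVE_BPF
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.map_fd = (uint32_t)fd;
    attr.key    = (uint64_t)(uintptr_t)&key;
    attr.value  = (uint64_t)(uintptr_t)value_out;
    return sys_bpf(BPF_MAP_LOOKUP_ELEM, &attr, sizeof(attr));
#else
    (void)fd; (void)key; (void)value_out;
    return -ENOSYS;
#endif
}

/* Create, write key 42, read it back; returns 0 on success or -errno. */
long map_roundtrip(uint64_t *read_back)
{
#if HAVE_BPF
    long fd = create_hash_map(16);
    if (fd < 0)
        return fd;
    long rc = map_update((int)fd, 42, 0xdeadbeefULL);
    if (rc == 0)
        rc = map_lookup((int)fd, 42, read_back);
    close((int)fd);                          /* map is freed once no fd refers to it */
    return rc;
#else
    (void)read_back;
    return -ENOSYS;
#endif
}

int main(void)
{
    uint64_t v = 0;
    long rc = map_roundtrip(&v);
    if (rc == 0)
        printf("lookup(42) = 0x%llx\n", (unsigned long long)v);
    else
        printf("bpf() failed: %s\n", strerror((int)-rc));
    return rc == 0 ? 0 : 1;
}
```

Running it under `strace -e bpf` reproduces the BPF_MAP_CREATE / BPF_MAP_UPDATE_ELEM lines quoted above; running it without CAP_BPF shows the EPERM that the capability split described later on this page is meant to produce.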
## BTF
BTF stands for BPF Type Format; it is the metadata format that encodes the deb…
> *"BTF provides a standardized way to describe the data structures used by eBP…
The BTF is stored as a BPF map after the BPF program is loaded. It makes the BP…
## CO-RE
CO-RE stands for Compile Once, Run Everywhere; the idea behind it is to compile a …
We can list some CO-RE elements:
- BTF
- Kernel headers
- Including individual header files
- Generating kernel headers (vmlinux.h) with `bpftool`
- Compiler support flags like `-g`
- Data structure relocations support for libraries
- Information relocation based on destination machine data structure differen…
- BPF skeleton
- Generated with `bpftool`, it allows the programmer to call functions to ma…
## eBPF verifier
The verification process ensures the eBPF bytecode is safe.
It tests every possible execution path; it pushes copies of the registers onto a stac…
It is optimized to avoid re-evaluating instructions, with something called stat…
## XDP
XDP stands for eXpress Data Path; it is a programmable kernel-integrated packet…
> *"The packet processor is the in-kernel component for XDP programs that proce…
XDP programs can make decisions (drop, pass, etc.) on received packets.
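As an added example (not from the original post or the linked projects), here is the decision logic of a tiny XDP filter written as plain user-space C over constructed frames so it runs without a kernel. A real XDP program would receive `struct xdp_md *ctx`, derive `data` and `data_end` from `ctx->data` and `ctx->data_end`, and be compiled with `clang -target bpf`; the explicit bounds check before every header access is the point of the verifier section above, since the verifier rejects a program that reads packet memory it has not first compared against `data_end`. The verdict values match `enum xdp_action`; the header structs, the "drop ICMP, pass the rest" policy and the helper names `xdp_verdict`, `build_ipv4_frame` and `demo_verdict` are chosen here.

```c
/* Added example: XDP-style packet parsing with verifier-friendly bounds checks,
 * run over a constructed Ethernet+IPv4 frame in user space. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values taken from enum xdp_action in <linux/bpf.h>. */
enum { XDP_ABORTED = 0, XDP_DROP = 1, XDP_PASS = 2 };

#define ETHERTYPE_IPV4 0x0800
#define PROTO_ICMP     1

/* Minimal header layouts (own definitions, same wire layout as the kernel's). */
struct ethhdr_m { uint8_t dst[6], src[6]; uint8_t proto[2]; } __attribute__((packed));
struct iphdr_m {
    uint8_t  ver_ihl, tos;
    uint8_t  tot_len[2], id[2], frag_off[2];
    uint8_t  ttl, protocol;
    uint8_t  check[2];
    uint8_t  saddr[4], daddr[4];
} __attribute__((packed));

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* The XDP program body: every pointer is checked against data_end before use. */
int xdp_verdict(const uint8_t *data, const uint8_t *data_end)
{
    const struct ethhdr_m *eth = (const struct ethhdr_m *)data;
    if ((const uint8_t *)(eth + 1) > data_end)
        return XDP_ABORTED;                  /* truncated: signal an error */
    if (be16(eth->proto) != ETHERTYPE_IPV4)
        return XDP_PASS;                     /* not IPv4: let the stack handle it */

    const struct iphdr_m *ip = (const struct iphdr_m *)(eth + 1);
    if ((const uint8_t *)(ip + 1) > data_end)
        return XDP_ABORTED;                  /* IPv4 header does not fit */
    if ((ip->ver_ihl >> 4) != 4)
        return XDP_DROP;                     /* ethertype and header disagree */

    /* Policy chosen for this example: drop ICMP, pass everything else. */
    if (ip->protocol == PROTO_ICMP)
        return XDP_DROP;
    return XDP_PASS;
}

/* Constructed frame: Ethernet + 20-byte IPv4 header, no payload. Returns length. */
size_t build_ipv4_frame(uint8_t *buf, size_t cap, uint8_t protocol)
{
    const size_t len = sizeof(struct ethhdr_m) + sizeof(struct iphdr_m);
    if (cap < len)
        return 0;
    memset(buf, 0, len);
    buf[12] = 0x08; buf[13] = 0x00;          /* ethertype IPv4 */
    buf[14] = 0x45;                          /* version 4, IHL 5 words */
    buf[16] = 0x00; buf[17] = 0x14;          /* total length 20 */
    buf[22] = 64;                            /* TTL */
    buf[23] = protocol;
    buf[26] = 10; buf[27] = 0; buf[28] = 0; buf[29] = 1;   /* src 10.0.0.1 */
    buf[30] = 10; buf[31] = 0; buf[32] = 0; buf[33] = 2;   /* dst 10.0.0.2 */
    return len;
}

/* Build a frame, override the ethertype, optionally truncate it, and run the filter. */
int demo_verdict(uint16_t ethertype, uint8_t protocol, size_t keep_bytes)
{
    uint8_t buf[64];
    size_t len = build_ipv4_frame(buf, sizeof(buf), protocol);
    buf[12] = (uint8_t)(ethertype >> 8);
    buf[13] = (uint8_t)(ethertype & 0xff);
    if (keep_bytes < len)
        len = keep_bytes;
    return xdp_verdict(buf, buf + len);
}

int main(void)
{
    printf("ICMP frame      -> %d (1 = XDP_DROP)\n",    demo_verdict(0x0800, 1, 34));
    printf("TCP frame       -> %d (2 = XDP_PASS)\n",    demo_verdict(0x0800, 6, 34));
    printf("ARP frame       -> %d (2 = XDP_PASS)\n",    demo_verdict(0x0806, 1, 34));
    printf("truncated frame -> %d (0 = XDP_ABORTED)\n", demo_verdict(0x0800, 1, 20));
    return 0;
}
```

Removing either `> data_end` comparison would not change the output on these well-formed frames, but it is exactly the change that makes the eBPF verifier refuse to load the program, because it could no longer prove every packet access stays inside the received buffer.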
## Important Linux concepts
Capabilities are a way of dividing Linux root privileges into smaller "unit…
Seccomp means Secure Computing and is a security layer in Linux that allows one to f…
## Links
Here are some of my XDP projects.
https://github.com/theobori/tinyknock
https://github.com/theobori/tinyfilter