Resources on eBPF

ebpf_resources.md

Resources

• eBPF in Linux kernel doc
• BPF and XDP Reference Guide by Cilium
• BPF instruction encoding and opcode reference
• A Gentle Introduction to eBPF
• Brendan Gregg's page on eBPF
• BPF Internal I, BPF Internal II
• Write eBPF program in pure C
• eBPF assembly with LLVM
• eBPF LLVM Backend
• Dive into BPF: a list of reading material
• Andrii Nakryiko's Blog
• Bottom-up eBPF: Pointers to BPF code inside Linux
• bpf man page
• How I ended up writing opensnoop in pure C using eBPF
• Load XDP programs using the ip (iproute2) command
• Achieving high-performance, low-latency networking with XDP: Part I
• Using eXpress Data Path (XDP) maps in RHEL 8: Part 2
• How to interect with BPF Subsystem: Patch submission guide
• A brief introduction to XDP and eBPF
• Tools and Mechanisms to Debug BPF Programs [Slides][FOSDEM20][Quentin Monnet]
• Concurrency management in BPF
• BPF Type Format(BTF)
• [SE Answer] Understanding of BPF: Good overview mostly around tcpdump
• Extending the Kernel with eBPF: Android's guide to using BPF
• Kernel Pwning with eBPF: a Love Story
• Linux Kernel Privilege Escalation via Improper eBPF Program Verification
• BPF Verifier Overview
• [SE] Missing config option from Linux .config: CONFIG_DEBUG_INFO_BTF is missing from .config
• [SE] kernel compilation error when CONFIG_DEBUG_INFO_BTF is enabled
• Assembly within! BPF tail calls on x86 and ARM
• PREVAIL: Understanding the Windows eBPF Verifier
• [BOOK] What is eBPF
• Receive Side Scaling (RSS) with eBPF and CPUMAP

Projects

• eBPF-for-windows

Kernel Source

• kernel/bpf/: All the bpf kernel implementation
• include/linux/bpf.h
• include/uapi/linux/bpf.h
• tools/lib/bpf/bpf_helpers.h
• tools/lib/bpf/bpf_endian.h
• tools/lib/bpf/libbpf.h

Helper functions

• Example of adding a simple helper

Notes

• ebpf programs can have 4096 instructions.
• Load/store instruction can only access packet memory. epbf programs can access arbitrary kernel memory with bpf_prob_read(). But network context doesn't have this helper.
• 512 bytes of stack. Load/Store can be used to access stack.

Compiling and debugging

Simple compilation:

$ clang -g -O2 -Wall -target bpf -c prog.c -o prog.o

See Assembly:

$ llvm-objdump -d prog.o

Assembly with embedded C source:

$ llvm-objdump -S prog.o

Running ebpf programs with libbpf

• Install libbpf-dev and bpftool package (Ubuntu/Debian) or install them from source.
• Adapt libbpf-bootstrap for your project.
• For latest features compile and install latest kernel from net-next and latest clang.