
EBPF

From dankwiki
Revision as of 03:35, 23 September 2019 by Dank (talk | contribs)

eBPF (extended Berkeley Packet Filter) is an in-kernel virtual machine and the toolchain around it: programs written in a high-level language (in practice a restricted C) are compiled to BPF bytecode, loaded into the running kernel through the bpf(2) system call, checked by the kernel's verifier (bounded control flow, in-bounds memory accesses, correctly typed helper calls) and then, where the JIT is enabled, translated into native machine code. Programs attach to kprobes, tracepoints, sockets, XDP and other hooks; kprobes are one attach point among several, not the foundation of eBPF. It is in the same family of tools as SystemTap and DTrace.

eBPF has its own type/debug information format, BTF (BPF Type Format), a far more compact encoding than DWARF. It describes the types used by programs and maps and, on kernels built with it, the kernel's own types.

bpftool

bpftool is built from tools/bpf/bpftool in the kernel source tree (run make there); it is not a separate project. Debian and Ubuntu also ship it in the versioned linux-tools packages alongside perf.

Compiling eBPF

LLVM

LLVM has had a BPF backend since 3.7. Compile with clang using -target bpf, at -O2: the verifier frequently rejects unoptimized output. readelf -h on the resulting object ought to look like the following; the line to check is Machine, which must read Linux BPF:

ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              REL (Relocatable file)
  Machine:                           Linux BPF
  Version:                           0x1
  Entry point address:               0x0
  Start of program headers:          0 (bytes into file)
  Start of section headers:          360 (bytes into file)
  Flags:                             0x0
...
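A minimal eBPF socket filter in C, written for the LLVM BPF backend described above. This is an added example and not code from the page; the clang invocation in the comment and the host-side stand-in for struct __sk_buff are assumptions made here so the filter logic can also be compiled and unit-tested with an ordinary host compiler. Under -target bpf the real kernel context type from linux/bpf.h is used.

```c
/* Added example: a minimal eBPF socket filter.
 *
 * Build for the kernel with the LLVM BPF backend (assumed invocation):
 *     clang -O2 -g -target bpf -c sk_filter.c -o sk_filter.o
 *     readelf -h sk_filter.o | grep Machine      # expect "Linux BPF"
 *
 * A socket filter returns the number of bytes of the packet to keep;
 * 0 means drop.  This one keeps packets at least MIN_LEN bytes long.
 */
#ifdef __bpf__
#include <linux/bpf.h>                  /* the kernel's struct __sk_buff */
typedef struct __sk_buff sk_ctx;
#define SEC(name) __attribute__((section(name), used))
#else
/* Host build (gcc/clang on the development box) so the decision logic can
 * be unit-tested without a kernel.  Assumption: a stand-in that mirrors only
 * the first field of struct __sk_buff; it is not the kernel's definition. */
typedef struct { unsigned int len; } sk_ctx;
#define SEC(name)
#endif

#define MIN_LEN 64u

/* The verifier only permits a socket filter to read certain fields of its
 * context; len is one of them.  No helper calls and no loops, so the
 * program is trivially accepted by the verifier. */
SEC("socket")
int keep_if_long(sk_ctx *skb)
{
    unsigned int len = skb->len;
    return len >= MIN_LEN ? (int)len : 0;   /* bytes to keep, 0 = drop */
}

/* The kernel reads this section to decide whether GPL-only helpers may be
 * used; this program needs none, but declaring a license is conventional. */
char _license[] SEC("license") = "GPL";
```

After compiling with -target bpf, readelf -S on the object shows the socket and license sections; a loader such as libbpf uses the section name to pick the program type (BPF_PROG_TYPE_SOCKET_FILTER) when attaching with SO_ATTACH_BPF.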

JIT

  • JIT requires a kernel built with CONFIG_BPF_JIT and the net.core.bpf_jit_enable sysctl set to 1 (2 additionally dumps the generated code to the kernel log; on kernels built with CONFIG_BPF_JIT_ALWAYS_ON the value is pinned at 1 and cannot be disabled).
  • Set net.core.bpf_jit_harden to 1 (programs loaded by unprivileged users) or 2 (all programs) to blind constants embedded in the bytecode, which defeats JIT spraying at some cost in generated-code quality.

See Also