
EBPF: Difference between revisions

From dankwiki
No edit summary
Line 16:
LLVM has enjoyed <tt>bpf</tt> backend support since 3.7. Compile using <tt>-target bpf</tt> to generate BPF bytecode, adding <tt>-g</tt> to generate BTF information.


<tt>readelf</tt> on the resulting object ought look like:
<tt>readelf</tt> on the resulting object ought indicate a <tt>Machine</tt> of "Linux BPF" or "EM_BPF". The resulting object can be loaded into the kernel with <tt>bpftool prog load</tt> or libbpf's <tt>bpf_object__open()</tt>.
<pre>
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              REL (Relocatable file)
  Machine:                           Linux BPF
  Version:                           0x1
  Entry point address:               0x0
  Start of program headers:          0 (bytes into file)
  Start of section headers:          360 (bytes into file)
  Flags:                             0x0
...
</pre>
The resulting object can be loaded into the kernel with <tt>bpftool prog load</tt> or libbpf's <tt>bpf_object__open()</tt>.


===JIT===

Revision as of 05:46, 25 September 2019

eBPF (extended Berkeley Packet Filter) is an in-kernel virtual machine and the toolchain around it: source in a high-level language (usually a restricted dialect of C) is compiled into BPF bytecode, which the kernel verifies for safety and then JIT-compiles into native machine code before running it at an attachment point such as a kprobe, tracepoint, XDP or tc hook, or a cgroup. For tracing it occupies the same niche as SystemTap and DTrace. The kernel interface is the bpf(2) system call, though it is usually more convenient to use the libbpf library and the bpftool binary.

eBPF has its own type-description format, BTF (BPF Type Format). It is derived from the compiler's debug information but is far more compact than DWARF: it records the types of maps, globals and program arguments, plus (in the .BTF.ext section) the function and line information that the verifier and bpftool use when reporting on a loaded program. It is a type format rather than a debugger-oriented replacement for DWARF.

Tools

bpftool

bpftool is built from the tools/bpf/bpftool directory of the kernel source tree; most distributions also package it, though a packaged build older than the running kernel may not understand newer program or map types.

bpftrace

bpftrace provides a terse DSL that looks an awful lot like awk. Programs are compiled (via LLVM) and attached directly from the command line, which makes it the tool of choice for one-liners and ad hoc tracing rather than for programs meant to ship.

Compiling eBPF

BCC

The BPF Compiler Collection (BCC) automates much of the process of turning eBPF C source into a loaded kernel object, but as of 2019-09 most of its front end is Python, and it compiles at run time, so LLVM must be installed on the target machine. The BPF class of the bcc Python module takes raw eBPF C text, compiles it, and returns an object whose programs can be attached to kprobes, uprobes, tracepoints and a variety of other targets.

LLVM

LLVM has had a bpf backend since 3.7. Compile with clang using -target bpf to generate an ELF object containing BPF bytecode; add -g to emit BTF (alongside DWARF) into it, and use -O2, since unoptimized output frequently fails to verify.

readelf -h on the resulting object should report Machine: Linux BPF (EM_BPF, value 247); binutils too old to know the constant print <unknown>: 0xf7 instead, which is harmless. The object can be loaded into the kernel with bpftool prog load OBJ PATH, which pins the program under the bpffs mount (normally /sys/fs/bpf), or with libbpf's bpf_object__open() followed by bpf_object__load(). Loading is the point at which the kernel verifier runs; a rejected program comes back with the verifier log explaining why.
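The pipeline this section describes, end to end, as an added example (not code from dankwiki or from any eBPF project). It assumes only the tools named above, and uses clang, readelf and bpftool only when they are present; the ELF header check itself needs nothing but od and tr, so it runs anywhere. The xdp_pass program, the /sys/fs/bpf/xdp_pass_demo pin path, the EM_X86_64 constant and the synthetic header fixtures are the example's own constructions, included so the check can be exercised offline.

```shell
#!/bin/sh
# Added example for this page (not code from dankwiki or from any eBPF
# project): compile a minimal eBPF program the way the LLVM section
# describes, confirm the object really is BPF bytecode before handing it to
# the kernel, then load and pin it with bpftool. The ELF checks use only od
# and tr, so they also run where clang, readelf and bpftool are absent.
set -eu

EM_BPF=247    # ELF e_machine value for BPF; readelf names it "Linux BPF"
EM_X86_64=62  # used below only to build a negative fixture

# elf_machine FILE: print e_machine (offset 18, two bytes) as a decimal
# number, honouring the endianness byte e_ident[EI_DATA] (offset 5).
elf_machine() {
    data=$(od -A n -t u1 -j 5 -N 1 "$1" | tr -d ' \n')
    set -- $(od -A n -t u1 -j 18 -N 2 "$1")
    if [ "$data" = 2 ]; then echo $(($1 * 256 + $2)); else echo $(($2 * 256 + $1)); fi
}

# is_bpf_object FILE: succeed iff FILE is at least one ELF64 header long,
# starts with the ELF magic, and has e_machine == EM_BPF, i.e. what
# `readelf -h` reports as "Machine: Linux BPF".
is_bpf_object() {
    [ $(wc -c < "$1") -ge 64 ] || return 1
    [ "$(od -A n -t x1 -N 4 "$1" | tr -d ' \n')" = 7f454c46 ] || return 1
    [ "$(elf_machine "$1")" -eq "$EM_BPF" ]
}

# make_elf64_header FILE MACHINE: write a bare little-endian ELF64 header
# (ET_REL, no sections) with the given e_machine. Constructed fixture for
# exercising the check offline; it is not a loadable object.
make_elf64_header() {
    lo=$(($2 % 256)); hi=$(($2 / 256))
    {
        printf '\177ELF\002\001\001\000'                     # magic, ELFCLASS64, ELFDATA2LSB, EV_CURRENT
        printf '\000\000\000\000\000\000\000\000'            # EI_PAD
        printf '\001\000'                                    # e_type = ET_REL
        printf "\\$(printf %03o "$lo")\\$(printf %03o "$hi")" # e_machine, little endian
        printf '\001\000\000\000'                            # e_version = EV_CURRENT
        dd if=/dev/zero bs=40 count=1 2>/dev/null            # remaining header fields zeroed
    } > "$1"
}

# write_demo_source FILE: the smallest useful eBPF program, an XDP hook that
# passes every packet. It needs no kernel headers, so it compiles with
# nothing but clang's BPF backend.
write_demo_source() {
    cat > "$1" <<'EOF'
__attribute__((section("xdp"), used))
int xdp_pass(void *ctx) { return 2; }   /* XDP_PASS */
char _license[] __attribute__((section("license"), used)) = "GPL";
EOF
}

# build_bpf_object SRC OBJ: the compile step from the article. -target bpf
# selects the BPF backend, -O2 yields verifier-friendly code, -g adds BTF.
build_bpf_object() {
    clang -O2 -g -target bpf -c "$1" -o "$2"
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT

# Offline sanity check of the detector against the constructed headers.
make_elf64_header "$work/bpf.elf" "$EM_BPF"
make_elf64_header "$work/x86.elf" "$EM_X86_64"
is_bpf_object "$work/bpf.elf" && echo "bpf.elf: e_machine $(elf_machine "$work/bpf.elf") (EM_BPF)"
is_bpf_object "$work/x86.elf" || echo "x86.elf: e_machine $(elf_machine "$work/x86.elf"), not BPF, refusing to load"

# The real pipeline, when the toolchain is present.
if command -v clang >/dev/null 2>&1; then
    write_demo_source "$work/xdp_pass.c"
    build_bpf_object "$work/xdp_pass.c" "$work/xdp_pass.o"
    is_bpf_object "$work/xdp_pass.o" || { echo "clang did not emit a BPF object"; exit 1; }
    command -v readelf >/dev/null 2>&1 && readelf -h "$work/xdp_pass.o" | grep Machine
    # Loading needs root, bpftool and a mounted bpffs; the kernel verifier
    # runs at this point and rejects programs it cannot prove safe.
    if [ "$(id -u)" -eq 0 ] && command -v bpftool >/dev/null 2>&1 && [ -d /sys/fs/bpf ]; then
        pin=/sys/fs/bpf/xdp_pass_demo
        if bpftool prog load "$work/xdp_pass.o" "$pin"; then
            bpftool prog show pinned "$pin"
            rm -f "$pin"   # unpinning drops the last reference and unloads the program
        fi
    fi
fi
```

The header check is deliberately done before bpftool sees the file: a build that silently fell back to the host target (a missing -target flag, or a wrapper script that strips it) produces a perfectly good x86-64 object that bpftool then rejects with a less obvious error, and the e_machine field is the cheapest place to catch that.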

JIT

  • JIT compilation is governed by the net.core.bpf_jit_enable sysctl: 0 leaves programs to the in-kernel interpreter, 1 enables the JIT, and 2 enables it while also dumping the generated code to the kernel log (debugging only). Kernels built with CONFIG_BPF_JIT_ALWAYS_ON ship no interpreter at all and pin the value at 1.
  • net.core.bpf_jit_harden (0 off, 1 for unprivileged programs only, 2 for all programs) enables constant blinding in the JIT output as a defence against JIT spraying, at some cost in code size and speed; it is the knob to set on hardened hosts.

See Also