BPF Preload / User Mode Debugging Additions On The Way For Linux 5.10
The "first real user" of the BPF user mode driver facility is on the way for Linux 5.10.
Hitting bpf-next a few days ago is some interesting work destined for Linux 5.10. "This patch set is the first real user of user mode driver facility. The general use case for user mode driver is to ship vmlinux with preloaded BPF programs. In this particular case the user mode driver populates bpffs instance with two BPF iterators. In several months BPF_LSM project would need to preload the kernel with its own set of BPF programs and attach to LSM hooks instead of bpffs. BPF iterators and BPF_LSM are unstable from uapi perspective. They are tracing based and peek into arbitrary kernel data structures. One can question why a kernel module cannot embed BPF programs inside. The reason is that libbpf is necessary to load them. First libbpf loads BPF Type Format, then creates BPF maps, populates them. Then it relocates code sections inside BPF programs, loads BPF programs, and finally attaches them to events. Theoretically libbpf can be rewritten to work in the kernel, but that is massive undertaking...Hence the decision is to ship vmlinux with user mode drivers that load BPF programs. Just like kernel modules extend vmlinux BPF programs are safe extensions of the kernel and some of them need to ship with vmlinux."
The BPF preload functionality introduced is on building a kernel module with multiple embedded BPF programs pinned into the BPF FS mount that are useful for debugging and introspection.
More details on the work via this commit for the continually evolving and quite interesting (e)BPF code.
Add A Comment