It is used to safely and efficiently extend the capabilities of the kernel at runtime without requiring changes to kernel source code or loading kernel modules.[6] Safety is provided through an in-kernel verifier, which performs static code analysis and rejects programs that would crash, hang, or otherwise interfere with the kernel.[7][8] This validation model differs from sandboxed environments, where the execution environment is restricted and the runtime has no insight into the program.[9] Examples of programs that are automatically rejected are programs without strong exit guarantees (i.e. for/while loops without exit conditions) and programs that dereference pointers without safety checks.[10]
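The pointer-safety rule above is easiest to see in the shape it forces on packet-processing code. The following user-space C program is an added example, not code from the article or from any eBPF project: it parses a constructed Ethernet/IPv4 frame the way an XDP program must, guarding every header read with a comparison against data_end. The return-code names mirror the real XDP verdicts but are defined locally, and the header structs and sample frames are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Return codes named after the real XDP verdicts but defined locally
 * (assumption: values chosen for this example, no kernel headers used). */
#define XDP_ABORTED 0
#define XDP_DROP    1
#define XDP_PASS    2

/* Minimal header layouts with byte-sized fields only, so sizeof() has no
 * padding surprises. Constructed for the example. */
struct eth_hdr  { uint8_t dst[6], src[6], type[2]; };              /* 14 bytes */
struct ipv4_hdr { uint8_t ver_ihl, tos, len[2], id[2], frag[2],
                  ttl, proto, csum[2], saddr[4], daddr[4]; };       /* 20 bytes */

#define ETHTYPE_IPV4    0x0800
#define IPPROTO_ICMP_V4 1

/* Read a big-endian 16-bit field without assuming host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* The bounds check itself. In a real XDP program this is written as
 * "if (data + sizeof(*hdr) > data_end) return XDP_ABORTED;" and the verifier
 * refuses to load a program in which a packet read is not guarded by such a
 * comparison. Here it is expressed as a length difference so the user-space
 * build never forms an out-of-range pointer. */
static int have_bytes(const uint8_t *p, size_t need, const uint8_t *data_end)
{
    return p <= data_end && (size_t)(data_end - p) >= need;
}

/* Verdict function structured the way an XDP program must be: every
 * dereference is preceded by a check against data_end. */
int xdp_verdict(const uint8_t *data, const uint8_t *data_end)
{
    const struct eth_hdr *eth = (const struct eth_hdr *)data;
    if (!have_bytes(data, sizeof *eth, data_end))
        return XDP_ABORTED;                  /* truncated Ethernet header */
    if (rd16(eth->type) != ETHTYPE_IPV4)
        return XDP_PASS;                     /* not IPv4: leave it to the stack */

    const uint8_t *l3 = data + sizeof *eth;  /* safe: checked above */
    const struct ipv4_hdr *ip = (const struct ipv4_hdr *)l3;
    if (!have_bytes(l3, sizeof *ip, data_end))
        return XDP_ABORTED;                  /* truncated IPv4 header */
    if (ip->proto == IPPROTO_ICMP_V4)
        return XDP_DROP;                     /* example policy: drop ICMP early */
    return XDP_PASS;
}

/* Constructed sample frames (not captured traffic). */
const uint8_t icmp_frame[] = {
    0,0,0,0,0,1,  0,0,0,0,0,2,  0x08,0x00,            /* Ethernet, type IPv4 */
    0x45,0x00, 0x00,0x1c, 0x00,0x01, 0x00,0x00,        /* IPv4: v4/ihl5, len 28, id 1 */
    0x40, 0x01, 0x00,0x00,                             /* ttl 64, proto 1 (ICMP), csum */
    10,0,0,1,  10,0,0,2,                               /* 10.0.0.1 -> 10.0.0.2 */
};
const size_t icmp_frame_len = sizeof icmp_frame;

const uint8_t arp_frame[] = {
    0,0,0,0,0,1,  0,0,0,0,0,2,  0x08,0x06,            /* Ethernet, type ARP */
    0x00,0x01, 0x08,0x00,                              /* partial ARP body */
};
const size_t arp_frame_len = sizeof arp_frame;

int main(void)
{
    printf("icmp frame:      %d (2 = pass, 1 = drop, 0 = aborted)\n",
           xdp_verdict(icmp_frame, icmp_frame + icmp_frame_len));
    printf("truncated frame: %d\n", xdp_verdict(icmp_frame, icmp_frame + 20));
    printf("arp frame:       %d\n", xdp_verdict(arp_frame, arp_frame + arp_frame_len));
    return 0;
}
```

The second call passes a data_end that cuts the frame inside the IPv4 header; the program returns XDP_ABORTED instead of reading past the buffer, which is exactly the outcome the verifier's static analysis is there to guarantee for the in-kernel version.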
Design
Loaded programs that have passed the verifier are either interpreted or just-in-time compiled (JIT compiled) in the kernel for native execution performance. The execution model is event-driven and, with few exceptions, run-to-completion,[2] meaning programs can be attached to various hook points in the operating system kernel and are run when an event is triggered. eBPF use cases include (but are not limited to) networking such as XDP, tracing, and security subsystems.[5] Because eBPF's efficiency and flexibility opened up new possibilities for solving production issues, Brendan Gregg famously dubbed eBPF "superpowers for Linux".[11] Linus Torvalds said, "BPF has actually been really useful, and the real power of it is how it allows people to do specialized code that isn't enabled until asked for".[12] Due to its success in Linux, the eBPF runtime has been ported to other operating systems such as Windows.[4]
History
eBPF was built on top of the classic Berkeley Packet Filter (cBPF). At the lowest level, it introduced ten 64-bit registers (instead of two 32-bit registers in cBPF), different jump semantics, a call instruction with a corresponding register-passing convention, new instructions, and a different encoding for these instructions.[13]
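To make the new instruction encoding and the verifier's loop rule concrete, the following C program is an added example, not the kernel's own code: it decodes the fixed 8-byte eBPF instruction format (8-bit opcode, two 4-bit register numbers, 16-bit signed jump offset, 32-bit immediate) and runs a deliberately simplified static check over hand-encoded programs. The check rejects invalid register numbers, out-of-range jump targets, any backward branch, and programs that do not end in exit. Assumptions: the struct and opcode constants are defined locally from the public encoding rather than taken from kernel headers, the sample programs are constructed, and the check is a teaching approximation (the real verifier also tracks register types and bounds, and newer kernels accept loops it can prove bounded).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One 8-byte eBPF instruction, decoded. Mirrors the field layout of the
 * kernel's struct bpf_insn but is defined locally for this example. */
struct insn { uint8_t code, dst, src; int16_t off; int32_t imm; };

/* Opcode pieces used below; values follow the eBPF encoding. */
#define CLS_MASK   0x07
#define CLS_JMP    0x05
#define CLS_JMP32  0x06
#define OP_MASK    0xf0
#define OP_CALL    0x80
#define OP_EXIT    0x90
#define CODE_EXIT  0x95   /* BPF_JMP | BPF_EXIT */
#define MAX_REG    10     /* r0..r10 (r10 is the read-only frame pointer) */

enum check_result { CHK_OK = 0, CHK_BAD_LEN, CHK_BAD_REG,
                    CHK_JUMP_RANGE, CHK_BACK_EDGE, CHK_NO_EXIT };

/* Decode one instruction from its little-endian wire form. */
struct insn decode_insn(const uint8_t *p)
{
    struct insn i;
    i.code = p[0];
    i.dst  = p[1] & 0x0f;        /* low nibble: destination register */
    i.src  = p[1] >> 4;          /* high nibble: source register */
    i.off  = (int16_t)(p[2] | (p[3] << 8));
    i.imm  = (int32_t)((uint32_t)p[4] | ((uint32_t)p[5] << 8) |
                       ((uint32_t)p[6] << 16) | ((uint32_t)p[7] << 24));
    return i;
}

/* A jump-class instruction that actually branches (call and exit do not). */
static int is_branch(const struct insn *i)
{
    uint8_t cls = i->code & CLS_MASK, op = i->code & OP_MASK;
    return (cls == CLS_JMP || cls == CLS_JMP32) && op != OP_CALL && op != OP_EXIT;
}

/* Simplified static check (assumption: teaching approximation, not the
 * kernel verifier): valid registers, branch targets inside the program,
 * no backward branch (hence no loop), and the program ends in exit. */
enum check_result check_program(const uint8_t *bytes, size_t len)
{
    if (len == 0 || len % 8 != 0)
        return CHK_BAD_LEN;
    size_t n = len / 8;
    for (size_t pc = 0; pc < n; pc++) {
        struct insn i = decode_insn(bytes + pc * 8);
        if (i.dst > MAX_REG || i.src > MAX_REG)
            return CHK_BAD_REG;
        if (is_branch(&i)) {
            long target = (long)pc + 1 + i.off;   /* offsets are relative to pc+1 */
            if (target < 0 || target >= (long)n)
                return CHK_JUMP_RANGE;
            if (target <= (long)pc)
                return CHK_BACK_EDGE;
        }
    }
    return decode_insn(bytes + (n - 1) * 8).code == CODE_EXIT ? CHK_OK : CHK_NO_EXIT;
}

/* Constructed sample programs, hand-encoded. */
const uint8_t prog_ok[] = {
    0xb7,0x00, 0x00,0x00, 0x01,0x00,0x00,0x00,   /* mov64 r0, 1  */
    0x95,0x00, 0x00,0x00, 0x00,0x00,0x00,0x00,   /* exit         */
};
const uint8_t prog_loop[] = {
    0xb7,0x00, 0x00,0x00, 0x0a,0x00,0x00,0x00,   /* mov64 r0, 10 */
    0x07,0x00, 0x00,0x00, 0xff,0xff,0xff,0xff,   /* add64 r0, -1 */
    0x25,0x00, 0xfe,0xff, 0x00,0x00,0x00,0x00,   /* jgt r0, 0, -2: back to add64 */
    0x95,0x00, 0x00,0x00, 0x00,0x00,0x00,0x00,   /* exit         */
};
const uint8_t prog_bad_reg[] = {
    0xb7,0x0b, 0x00,0x00, 0x01,0x00,0x00,0x00,   /* mov64 r11, 1: no such register */
    0x95,0x00, 0x00,0x00, 0x00,0x00,0x00,0x00,
};

int main(void)
{
    printf("prog_ok:      %d (0 = accepted)\n", check_program(prog_ok, sizeof prog_ok));
    printf("prog_loop:    %d (4 = backward branch)\n", check_program(prog_loop, sizeof prog_loop));
    printf("prog_bad_reg: %d (2 = bad register)\n", check_program(prog_bad_reg, sizeof prog_bad_reg));
    return 0;
}
```

The loop program is the "for/while loop without an exit condition" case in miniature: the conditional jump's offset of -2 points back at the add instruction, and the check refuses it without executing a single instruction.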
Most significant milestones in the evolution of eBPF
Date | Event
April 2011 | The first in-kernel Linux just-in-time compiler (JIT compiler) for the classic Berkeley Packet Filter was merged.[14]
January 2012 | The first non-networking use case of the classic Berkeley Packet Filter, seccomp-bpf,[15] appeared; it allows filtering of system calls using a configurable policy implemented through BPF instructions.
March 2014 | David S. Miller, primary maintainer of the Linux networking stack, accepted the rework of the old in-kernel BPF interpreter. It was replaced by an eBPF interpreter, and the Linux kernel internally translates classic BPF (cBPF) into eBPF instructions.[16]
March 2015 | The ability to attach eBPF to kprobes, the first tracing use case, was merged.[18] In the same month, initial infrastructure work was accepted to attach eBPF to the networking traffic control (tc) layer, allowing eBPF to be attached to the core ingress and later also egress paths of the network stack; this was later heavily used by projects such as Cilium.[19][20][21]
August 2015 | The eBPF compiler backend was merged into the LLVM 3.7.0 release.[22]
September 2015 | Brendan Gregg announced a collection of new eBPF-based tracing tools as the bcc project, providing a front-end for eBPF to make it easier to write programs.[23]
July 2016 | eBPF gained the ability to be attached to a network driver's core receive path. This layer is known today as eXpress Data Path (XDP) and was added as a response to DPDK, to create a fast data path that works in combination with the Linux kernel rather than bypassing it.[24][25][26]
August 2016 | Cilium was initially announced during LinuxCon as a project providing fast IPv6 container networking with eBPF and XDP. Today, Cilium has been adopted by major cloud providers' Kubernetes offerings and is one of the most widely used CNIs.[27][21][28]
November 2016 | Netronome added offload of eBPF programs for the XDP and tc BPF layers to their NIC.[29]
May 2017 | Meta's layer 4 load balancer, Katran, went live. Every packet towards facebook.com since then has been processed by eBPF and XDP.[30]
November 2017 | eBPF became its own kernel subsystem to ease the continuously growing kernel patch management. The first pull request by eBPF maintainers was submitted.[31]
September 2017 | Bpftool was added to the Linux kernel as a user space utility to introspect the eBPF subsystem.[32]
January 2018 | A new socket family called AF_XDP was published, allowing high-performance packet processing with zero-copy semantics at the XDP layer.[33] Today, DPDK has official AF_XDP poll-mode driver support.[34]
February 2018 | The bpfilter prototype was published, allowing translation of a subset of iptables rulesets into eBPF via a newly developed user mode driver. The work caused controversy due to the ongoing nftables development effort and has not been merged into mainline.[35][36]
The name eBPF is often used interchangeably with BPF,[2][43] for example by the Linux kernel community. eBPF and BPF are referred to as a technology name, like LLVM.[2] eBPF evolved from the Berkeley Packet Filter as an extended version, but its use cases outgrew networking, and today eBPF as a pseudo-acronym is preferred.[2]
The bee is the official logo for eBPF. At the first eBPF Summit a vote was taken and the bee mascot was named "eBee".[44][45] The logo was originally created by Vadim Shchekoldin.[45] Earlier unofficial eBPF mascots existed,[46] but did not see widespread adoption.
Governance
The eBPF Foundation was created in August 2021 with the goal of expanding the contributions being made to extend the powerful capabilities of eBPF and grow beyond Linux.[1] Founding members include Meta, Google, Isovalent, Microsoft and Netflix. Its purpose is to raise, budget and spend funds in support of various open source, open data and/or open standards projects relating to eBPF technologies[47] to further drive the growth and adoption of the eBPF ecosystem. Since inception, Red Hat, Huawei, Crowdstrike, Tigera, DaoCloud, Datoms and FutureWei have also joined.[48]
Adoption
eBPF has been adopted by a number of large-scale production users, for example:
Meta uses eBPF through its Katran layer 4 load balancer for all traffic going to facebook.com.[49][50][51][30]
Google uses eBPF in GKE, developed and uses the BPF LSM to replace audit, and uses eBPF for networking.[28][52][53][54]
Due to its ease of programmability, eBPF has been used as a tool for implementing microarchitectural timing side-channel attacks such as Spectre against vulnerable microprocessors.[93] While unprivileged eBPF received mitigations against transient execution attacks,[94] unprivileged use has ultimately been disabled by default by the kernel community to protect against use of eBPF against future hardware vulnerabilities.[95]
Rice, Liz (April 2023). Learning eBPF: Programming the Linux Kernel for Enhanced Observability, Networking, and Security. O'Reilly Media. ISBN 978-1098135126.