Fusing Linux’s eBPF with Windows

eBPF is now operable on other operating system other than Linux - Windows

May 22, 2021, 1:36 a.m.

TL;DR

History has it that on May 10, 2021, Microsoft announced the release of a new project that brings eBPF open source projects to Windows 10, Windows Server 2016, and eventual versions.

Key Facts

1
Microsoft Windows becomes the 2nd operating system to host eBPF, the first being Linux.
2
The ebpf-for-windows project's long-term blueprint is to bring IOVisor uBPF project and several existing eBPF projects to Windows.
3
At the moment, socket binding and eXpress data path (XDP) remain the only two hooks available on eBPF for Windows

Details

The acronym eBPF may come off as strange to some people, especially if they have been paying less attention to cloud native communities, Linux operating system-related posts. It has been the buzz on many conference schedules in recent years, and now it has its own conference.

Extended Berkeley Packet Filter (eBPF), also known as “God's Own Nectar,” is a popular, unique innovation that provides networking, application profiling, security, and performance troubleshooting.

eBPF debuted on December 19, 1992, developed by Steven McCanne and Van Jacobson. eBPF is an extension and a kernel-mode BPF; this started with Linux in its version 3.18. Since then, a significant amount of software and tools have taken their roots or essence around eBPF.

eBPF logo

The eBPF community recognizes the Linux Kernel as the first OS to implement its projects; many other operating systems have plans laid out to bring eBPF to their platforms.

Not only does eBPF nowadays stand out in network filtering, analysis, and management, it extends far beyond these utility reach. Process context tracing and system call filtering are some of the capabilities developers and operators enjoy with eBPF. It’s evolved into a versatile player that can be suitable for system profiling, collecting, programming tracing, and aggregating low-end personalized metrics. eBPF has made a name for itself; security programs like Tracee, Falco, and Cilium; Kubernetes-native programs like Hubble and Pixie, the Clang toolchain, and other toolchains.

In a blog post hosted by Dave Thaler, Partner Software Engineer, and Poorna Gaddehosur, colleague and Principal Software Engineer Lead at Microsoft, Microsoft stated that “The ebpf-for-windows project aims to allow developers to use familiar eBPF toolchains and application programming interfaces (APIs) on top of existing versions of Windows. Building on the work of others, this project takes several existing eBPF open source projects and adds the “glue” to make them run on Windows.”

The long-term blueprint starts with a new open source project that lines eBPF up for integration with Windows 10 and Windows Server 2016. Subsequently, the expansion will make other eBPF open source projects like the IOVisor uBPF project and the PREVAIL verifier compatible with Windows. eBPF programs go through refining in various languages before being compiled to eBPF bytecode.

The architecture of this project and related components. Image courtesy: https://github.com/Microsoft/ebpf-for-windows

On Windows, this bytecode gets consumed utilizing a library that implements the Libbpf APIs, which is fused into a command-line tool.

There are only two hooks available in the ebpf-for-windows-project - XDP and socket bind. But with further development, more hooks, not just network hooks, will be added.