Microsoft has released a new open source project, eBPF for Windows, to make eBPF work on Windows 10 and Windows Server 2016 and later. eBPF is a technology introduced in Linux kernel 3.15 that allows sandboxed programs to run inside the kernel without changing the kernel source code or loading kernel modules.

The following is from Microsoft's official announcement:

eBPF is known as a revolutionary technology, offering programmability, extensibility, and agility. eBPF has been applied to use cases such as denial-of-service protection and observability. Over time, an ecosystem of important tools, products, and experiences has been built around eBPF. Although eBPF support was first implemented in the Linux kernel, there is growing interest in allowing eBPF to be used on other operating systems and to extend user-mode services and daemons in addition to the kernel.

Today, we are pleased to announce a new Microsoft open source project to make eBPF work on Windows 10 and Windows Server 2016 and later. The eBPF for Windows project aims to enable developers to use the familiar eBPF toolchain and application programming interfaces (APIs) on top of existing versions of Windows. Building on the work of others, the project takes several existing eBPF open source projects and adds "glue" to make them run on Windows.

We are announcing this project now because our goal is to work with the strong eBPF community to ensure that eBPF works on Windows as well as elsewhere.

Architecture overview

The following figure illustrates the architecture and related components of the project.

As shown, existing eBPF toolchains, such as Clang, can be used to generate eBPF bytecode from source code written in a variety of languages. The resulting bytecode can then be consumed by any application, or manually through the Windows netsh command-line tool, both of which use a shared library that exposes the Libbpf API (this is still a work in progress).

The library sends the eBPF bytecode to a static verifier (the PREVAIL verifier) hosted in a user-mode protected process, a Windows security environment that allows kernel components to trust a user-mode daemon signed by a key they trust. If the bytecode passes all of the verifier's safety checks, it can be loaded into the uBPF interpreter running in the Windows kernel-mode execution context, or compiled by the uBPF just-in-time (JIT) compiler, with the resulting native code loaded into the kernel-mode execution context.

eBPF programs installed into the kernel-mode execution context can be attached to various hooks to handle events and can call various helper APIs exposed by the eBPF shim, which internally wraps public Windows kernel APIs, allowing eBPF to be used on existing versions of Windows. So far, two hooks have been added (XDP and socket bind); while these are network-specific hooks, we expect to add more hooks and helpers over time, and not only network-related ones.

Is this a branch of eBPF?

In short, no.

The eBPF for Windows project takes advantage of existing open source projects, including IOVisor's uBPF project and the PREVAIL verifier, to run them on top of Windows by adding a Windows-specific hosting environment to the code.

Does this provide application compatibility with eBPF programs written for Linux?

The goal is to provide source code compatibility for code that uses generic hooks and helpers that are applicable to the entire operating system ecosystem.

Linux provides many hooks and helpers, some of which are very specific to Linux (using Linux-internal data structures, for example) and will not work on other platforms. Other hooks and helpers are generally applicable and can be supported by eBPF programs on other platforms.

Similarly, the eBPF for Windows project exposes the Libbpf APIs to provide source code compatibility for applications that interact with eBPF programs.
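As an added illustration of the two technical points above, the verifier's safety checks in the architecture overview and the "generic hooks and helpers" source-compatibility goal, here is a small XDP-style packet filter. It is written for this page and is not code from Microsoft's announcement or the eBPF for Windows repository. It touches only the generic XDP contract, the packet's `data`/`data_end` bounds, which is what makes such a program portable once it is wrapped in a platform's entry point and hook header. It is modelled as host-side C with a test harness so it runs anywhere; the `XDP_*` verdict values, the packed header structs, the `pkt_ctx` shape, and the `build_frame`/`verdict_for_frame` helpers are assumptions made for the example. The security-relevant part is the bounds check before every header read: a static verifier such as PREVAIL refuses to load a program whose packet accesses are not provably inside the buffer, so the checks are not optional hygiene but the price of admission.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed local stand-ins for the generic XDP verdicts (same values as the
 * Linux uapi: XDP_DROP = 1, XDP_PASS = 2) so the file needs no platform header. */
#define XDP_DROP 1
#define XDP_PASS 2

#define ETH_P_IP    0x0800
#define IPPROTO_TCP 6
#define IPPROTO_UDP 17

/* Minimal wire-format headers, packed, fields in network byte order. */
struct ethhdr { uint8_t dst[6]; uint8_t src[6]; uint16_t proto; } __attribute__((packed));
struct iphdr  { uint8_t ver_ihl; uint8_t tos; uint16_t tot_len; uint16_t id;
                uint16_t frag_off; uint8_t ttl; uint8_t protocol; uint16_t check;
                uint32_t saddr; uint32_t daddr; } __attribute__((packed));
struct udphdr { uint16_t source; uint16_t dest; uint16_t len; uint16_t check; } __attribute__((packed));

static inline uint16_t bswap16(uint16_t v) { return (uint16_t)((v >> 8) | (v << 8)); }

/* The only part of an XDP context a portable program touches: the packet
 * bounds. (Assumed shape; real hook headers name these fields per platform.) */
struct pkt_ctx { void *data; void *data_end; };

/* Drop IPv4/UDP datagrams addressed to blocked_port, pass everything else.
 * Every header is compared against data_end before it is read; a static
 * verifier rejects the program if any packet dereference is not provably
 * inside [data, data_end). Truncated frames fall through to XDP_PASS because
 * the filter cannot prove they match. */
static int drop_udp_to_port(const struct pkt_ctx *ctx, uint16_t blocked_port)
{
    const uint8_t *data = ctx->data;
    const uint8_t *data_end = ctx->data_end;

    const struct ethhdr *eth = (const struct ethhdr *)data;
    if ((const uint8_t *)(eth + 1) > data_end)
        return XDP_PASS;
    if (bswap16(eth->proto) != ETH_P_IP)
        return XDP_PASS;

    const struct iphdr *ip = (const struct iphdr *)(eth + 1);
    if ((const uint8_t *)(ip + 1) > data_end)
        return XDP_PASS;
    if ((ip->ver_ihl >> 4) != 4)
        return XDP_PASS;
    size_t ihl = (size_t)(ip->ver_ihl & 0x0f) * 4;
    if (ihl < sizeof *ip || ihl > 60)       /* keep the variable offset bounded */
        return XDP_PASS;
    if (ip->protocol != IPPROTO_UDP)
        return XDP_PASS;

    const struct udphdr *udp = (const struct udphdr *)((const uint8_t *)ip + ihl);
    if ((const uint8_t *)(udp + 1) > data_end)
        return XDP_PASS;

    return bswap16(udp->dest) == blocked_port ? XDP_DROP : XDP_PASS;
}

/* Build a constructed Ethernet/IPv4 frame carrying an 8-byte transport header
 * (UDP layout) with the given protocol number and destination port. Only the
 * fields the filter inspects are filled in; returns the frame length (42). */
static size_t build_frame(uint8_t *buf, uint8_t proto, uint16_t dport)
{
    struct ethhdr eth; struct iphdr ip; struct udphdr udp;
    memset(&eth, 0, sizeof eth); memset(&ip, 0, sizeof ip); memset(&udp, 0, sizeof udp);
    eth.proto = bswap16(ETH_P_IP);
    ip.ver_ihl = 0x45;                      /* IPv4, 20-byte header */
    ip.tot_len = bswap16((uint16_t)(sizeof ip + sizeof udp));
    ip.protocol = proto;
    udp.dest = bswap16(dport);
    udp.len = bswap16((uint16_t)sizeof udp);
    memcpy(buf, &eth, sizeof eth);
    memcpy(buf + sizeof eth, &ip, sizeof ip);
    memcpy(buf + sizeof eth + sizeof ip, &udp, sizeof udp);
    return sizeof eth + sizeof ip + sizeof udp;
}

/* Run the filter over a constructed frame, optionally with truncate_by bytes
 * cut off the tail to simulate a short packet. */
static int verdict_for_frame(uint8_t proto, uint16_t dport, size_t truncate_by, uint16_t blocked_port)
{
    uint8_t frame[64];
    size_t n = build_frame(frame, proto, dport);
    if (truncate_by > n)
        truncate_by = n;
    struct pkt_ctx ctx = { frame, frame + (n - truncate_by) };
    return drop_udp_to_port(&ctx, blocked_port);
}

int main(void)
{
    const char *names[] = { "?", "DROP", "PASS" };
    printf("UDP to 53, blocking 53:        %s\n", names[verdict_for_frame(IPPROTO_UDP, 53, 0, 53)]);
    printf("UDP to 53, blocking 123:       %s\n", names[verdict_for_frame(IPPROTO_UDP, 53, 0, 123)]);
    printf("TCP to 53, blocking 53:        %s\n", names[verdict_for_frame(IPPROTO_TCP, 53, 0, 53)]);
    printf("UDP to 53, 1 byte truncated:   %s\n", names[verdict_for_frame(IPPROTO_UDP, 53, 1, 53)]);
    return 0;
}
```

To turn this into a real eBPF program you would keep `drop_udp_to_port` as is, replace `pkt_ctx` with the platform's XDP context type, add the hook section attribute the platform expects, and compile with `clang -target bpf`; the filter body itself contains no platform-specific call, which is the source-compatibility property the announcement describes.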

Learn more and contribute

The eBPF for Windows project brings the power of eBPF to Windows users and intends to eventually reside in a community-managed foundation within the eBPF ecosystem. With your input and help, we can achieve this goal.

Please contact us or open an issue on GitHub. We are excited to continue to refine and extend eBPF for Windows so that everyone can benefit from this project. We are eager to see what you discover about this project and how it develops.