eBPF Is Coming for Windows
At the virtual eBPF Summit last month, Thomas Graf, who is CTO and cofounder of Isovalent, talked about the future of the open source filter-turned kernel engine. And that future includes Microsoft Windows, he noted.
Since its inclusion in the kernel a decade ago, the Linux-based eBPF has found widespread adoption, particularly for observability, security and compliance tools that benefit from its programmable in-line speed to analyze and filter packets without the need for cumbersome modules or dangerous kernel modifications.
In 2021, Microsoft engineers embarked on a project to make a version of eBPF for Windows, which is to say give the Windows kernel a similar programmable interface.
With the promised cross-platform compatibility between Windows and Linux, tool makers can write binaries that run on both platforms.
eBPF … For Windows
Like the Linux eBPF, Windows eBPF will execute small eBPF bytecode programs within the kernel itself.
Unlike the Linux version, however, the Windows build only uses an interpreter for debugging non-production builds. For production use, it will rely on native code generation, which “involves loading Windows drivers that contain signed eBPF programs,” wrote Microsoft Principal Software Engineer Alan Jowett, in a 2022 blog post.
“Due to the risks associated with having an interpreter in the kernel address space, it was decided to only enable it for non-production signed builds.”
The Microsoft project, captured on GitHub, shows 43 contributors, with the code mostly written in C, with a smattering of C++.
The package will bring bytecode compatibility with Linux eBPF, Graf said. But the hook points where eBPF connects to the kernel may differ, given the differences with the Windows system calls.
Figure: Microsoft’s architecture for its eBPF for Windows kernel.
All the tooling that has been done for the Linux eBPF will also be ported over to Windows environs “in the coming years,” Graf said.
He warned that this will bring more challenges to the community. Going forward, tool makers will need to ensure that their wares work in both environments.
Hence the need for standardization.
eBPF Standardization
Originally, eBPF (which, the keepers now agree, no longer stands for anything) evolved as a set of code; it did not follow a pre-defined specification that it was implementing, Graf pointed out. As a result, the code itself “is the standard” that the tool makers must write to, he said.
The Internet Engineering Task Force (IETF) has embarked on a project to solidify things a bit more, so as to guarantee as much “cross-platform” compatibility between Windows and Linux as possible, explained Dave Thaler, a technical advisor for the working group who is also one of the main contributors to the Microsoft eBPF project, in an earlier presentation this year for the Linux Foundation’s Storage Summit.
The first task of the IETF eBPF Working Group is to solidify the Instruction Set Architecture (ISA) for the virtual machine that runs eBPF programs. The body has finished the document that describes the ISA, and it is currently in the last stages of publishing.
Next, the group plans to develop a set of expectations for the verifier, which guarantees the safe execution of untrusted eBPF programs. What should a verifier do to ensure code is safe? What security properties does a verifier guarantee? For this work, the group can build from the Linux kernel’s verifier.rst for eBPF.
The group also plans to create a format for producing portable eBPF binaries via an ABI (application binary interface) specification, perhaps based on one of those already existing.
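To make the ISA and verifier discussion above concrete, here is an added example that is not code from this article, the Microsoft project, the Linux kernel or the IETF working group. It is a toy Python checker that decodes the 64-bit eBPF instruction encoding (opcode byte, src:dst register nibbles, signed 16-bit offset, signed 32-bit immediate; the opcode constants are the ISA's) and then enforces a handful of the properties a verifier is expected to guarantee: every jump lands inside the program, control never falls off the end, every path reaches exit with the return register r0 defined, no register is read before it is written, and the frame pointer r10 is never overwritten. The rule set is a deliberate simplification (it rejects every backward jump, as older Linux kernels did before bounded loops were accepted, and treats a helper call as clobbering r1 to r5 and defining r0); the sample programs are constructed for the demonstration.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

# Opcode layout from the eBPF ISA: low 3 bits = class, bit 3 = source
# (register vs immediate), high 4 bits = operation code.
BPF_ALU, BPF_JMP, BPF_JMP32, BPF_ALU64 = 0x04, 0x05, 0x06, 0x07
BPF_X = 0x08                        # operand is a register, otherwise imm
BPF_JA, BPF_CALL, BPF_EXIT = 0x00, 0x80, 0x90
BPF_MOV, BPF_END = 0xb0, 0xd0
R0, R1, R10 = 0, 1, 10              # return value, context/first arg, frame pointer


@dataclass
class Insn:
    opcode: int
    dst: int
    src: int
    off: int
    imm: int

    @property
    def cls(self) -> int:
        return self.opcode & 0x07

    @property
    def code(self) -> int:
        return self.opcode & 0xf0

    @property
    def uses_reg(self) -> bool:
        return bool(self.opcode & BPF_X)


def insn(opcode: int, dst: int = 0, src: int = 0, off: int = 0, imm: int = 0) -> bytes:
    """Encode one instruction: little-endian op, (src<<4)|dst, s16 off, s32 imm."""
    return struct.pack("<BBhi", opcode, (src << 4) | dst, off, imm)


def decode(blob: bytes) -> list[Insn]:
    if not blob or len(blob) % 8:
        raise ValueError("program must be a non-empty multiple of 8 bytes")
    out = []
    for i in range(0, len(blob), 8):
        op, regs, off, imm = struct.unpack_from("<BBhi", blob, i)
        out.append(Insn(op, regs & 0x0f, regs >> 4, off, imm))
    return out


def verify(blob: bytes) -> list[str]:
    """Return the list of violations; an empty list means the program is accepted."""
    insns = decode(blob)
    n, errors = len(insns), []
    last = insns[-1]
    if not (last.cls == BPF_JMP and last.code == BPF_EXIT):
        errors.append("program does not end with exit")
    # init[pc] = registers definitely initialised on entry to pc (intersection
    # over all predecessors); None = never reached. Because only forward jumps
    # are allowed, one pass in pc order sees every predecessor before its target.
    init = [None] * n
    init[0] = {R1, R10}

    def flow(target: int, regs: set) -> None:
        if not 0 <= target < n:
            errors.append(f"control falls outside the program (target {target})")
            return
        init[target] = regs if init[target] is None else init[target] & regs

    for pc, ins in enumerate(insns):
        if init[pc] is None:
            errors.append(f"insn {pc}: unreachable")
            continue
        regs = set(init[pc])
        if ins.cls in (BPF_ALU, BPF_ALU64):
            reads = [] if ins.code == BPF_MOV else [ins.dst]   # mov only writes dst
            if ins.uses_reg and ins.code != BPF_END:           # END's bit 3 is not a register flag
                reads.append(ins.src)
            errors += [f"insn {pc}: reads uninitialised r{r}" for r in reads if r not in regs]
            if ins.dst == R10:
                errors.append(f"insn {pc}: writes read-only frame pointer r10")
            regs.add(ins.dst)
            flow(pc + 1, regs)
        elif ins.cls in (BPF_JMP, BPF_JMP32):
            if ins.code == BPF_EXIT:
                if R0 not in regs:
                    errors.append(f"insn {pc}: exit with return register r0 uninitialised")
                continue                                       # no successor
            if ins.code == BPF_CALL:                           # helper: clobbers r1-r5, defines r0
                regs -= {1, 2, 3, 4, 5}
                regs.add(R0)
                flow(pc + 1, regs)
                continue
            if ins.off < 0:
                errors.append(f"insn {pc}: backward jump (loop) rejected")
            if ins.code != BPF_JA:                             # conditional: reads operands, may fall through
                reads = [ins.dst] + ([ins.src] if ins.uses_reg else [])
                errors += [f"insn {pc}: reads uninitialised r{r}" for r in reads if r not in regs]
                flow(pc + 1, regs)
            flow(pc + 1 + ins.off, regs)
        else:
            errors.append(f"insn {pc}: opcode 0x{ins.opcode:02x} not handled by this toy checker")
            flow(pc + 1, regs)
    return errors


# Constructed sample programs (not taken from any real tool or test suite).
ACCEPTED = (insn(0xb7, dst=R0, imm=0)            # mov64 r0, 0
            + insn(0x15, dst=R1, off=1, imm=0)    # jeq r1, 0, +1
            + insn(0xb7, dst=R0, imm=1)           # mov64 r0, 1
            + insn(0x95))                         # exit
UNINIT_READ = insn(0x0f, dst=R0, src=2) + insn(0x95)              # add64 r0, r2 ; exit
LOOP = insn(0xb7, dst=R0) + insn(0x05, off=-2) + insn(0x95)       # mov64 r0, 0 ; ja -2 ; exit
NO_EXIT = insn(0xb7, dst=R0)                                      # mov64 r0, 0 (falls off the end)
CLOBBER_FP = insn(0xb7, dst=R10) + insn(0xb7, dst=R0) + insn(0x95)  # mov64 r10, 0 ; ...

if __name__ == "__main__":
    for name in ("ACCEPTED", "UNINIT_READ", "LOOP", "NO_EXIT", "CLOBBER_FP"):
        print(name, verify(globals()[name]) or "accepted")
```

The point of the single forward pass is that a verifier's safety argument is a static one: it never runs the untrusted bytecode, it reasons about every path the bytecode could take. A real verifier additionally tracks pointer types and bounds for memory accesses, helper argument types, stack layout and a bound on the number of explored states, which is exactly the kind of behaviour the working group would need to pin down so that a program accepted on Linux is accepted, and equally safe, on Windows.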
October 14: This post has been updated with additional information around the eBPF architecture and documentation release dates.