2022-03-14 21:21:44 +03:00
< img src = "docs/eBPF%20logo%20png%20800px.png" width = 75 height = 75 align = left / >
2021-02-13 03:16:49 +03:00
2022-03-28 19:28:32 +03:00
# eBPF for Windows
2023-04-10 20:53:50 +03:00
[](https://github.com/microsoft/ebpf-for-windows/actions/workflows/cicd.yml?query=event%3Aschedule++)
2022-03-28 19:28:32 +03:00
[](https://bestpractices.coreinfrastructure.org/projects/5742)
2022-04-02 22:17:36 +03:00
[](https://codecov.io/gh/microsoft/ebpf-for-windows)
2023-10-02 23:21:33 +03:00
[](https://bpfperformancegrafana.azurewebsites.net/public-dashboards/3826972d0ff245158b6df21d5e6868a9?orgId=1)
2022-03-28 19:28:32 +03:00
2021-04-15 21:41:16 +03:00
eBPF is a well-known technology for providing programmability and agility, especially for extending an
2021-04-26 01:25:25 +03:00
OS kernel, for use cases such as DoS protection and observability. This project is a work-in-progress that
2022-04-05 04:55:17 +03:00
allows existing eBPF
2021-04-15 21:41:16 +03:00
toolchains and APIs familiar in the Linux ecosystem to be used on top of Windows. That is, this project
2021-05-03 22:28:30 +03:00
takes existing eBPF projects as submodules and adds the layer in between to make them run on top of Windows.
2021-04-15 21:41:16 +03:00
2021-04-16 04:36:36 +03:00
## New to eBPF?
2021-12-06 19:54:47 +03:00
See our [basic eBPF tutorial ](docs/tutorial.md ) and our
[tutorial on debugging eBPF verification failures ](docs/debugging.md ).
2021-04-16 04:36:36 +03:00
2021-04-17 23:37:48 +03:00
## Architectural Overview
2022-04-20 02:59:31 +03:00
The following diagram shows the basic architecture of this project and related components:
2021-04-17 23:37:48 +03:00
As shown in the diagram, existing eBPF toolchains (clang, etc.) can be used to generate eBPF bytecode from
2021-11-20 04:10:49 +03:00
source code in various languages. Bytecode can be consumed by any application, or via bpftool or the Netsh command line tool, which use a shared library
2021-05-07 00:30:56 +03:00
that exposes [Libbpf APIs ](https://github.com/libbpf/libbpf ),
though this is still in progress.
2021-04-17 23:37:48 +03:00
The eBPF bytecode is sent to a static verifier (the [PREVAIL verifier ](https://github.com/vbpf/ebpf-verifier ))
2021-11-20 04:10:49 +03:00
that is hosted in a secure user-mode environment such as a system service (which is the case at present),
enclave, or trusted VM.
2022-04-20 02:59:31 +03:00
If the eBPF program passes all the verifier checks, it can be loaded into the kernel-mode execution context.
Typically this is done by being JIT compiled (via the [uBPF ](https://github.com/iovisor/ubpf ) JIT compiler) into native code that is passed to the execution context. In a debug build,
the byte code can instead be directly loaded into
an interpreter (from [uBPF ](https://github.com/iovisor/ubpf ) in the kernel-mode execution context) though
the interpreter is not present in a release build as it is considered less secure. See also the HVCI FAQ answer
below.
2021-04-17 23:37:48 +03:00
2022-04-12 05:51:02 +03:00
eBPF programs installed into the kernel-mode execution context can attach to various
[hooks ](https://microsoft.github.io/ebpf-for-windows/ebpf__structs_8h.html#a0f8242763b15ec665eaa47c6add861a0 )
and call various helper APIs exposed by the eBPF shim,
2021-04-17 23:37:48 +03:00
which internally wraps public Windows kernel APIs, allowing the use of eBPF on existing versions of Windows.
2022-04-12 05:51:02 +03:00
Many [helpers ](https://microsoft.github.io/ebpf-for-windows/bpf__helper__defs_8h.html )
already exist, and more hooks and helpers will be added over time.
2021-04-17 23:37:48 +03:00
## Getting Started
2022-01-24 19:51:23 +03:00
This project supports eBPF on Windows 10 or later, and on Windows Server 2019 or later.
2021-04-17 23:37:48 +03:00
To try out this project, see our [Getting Started Guide ](docs/GettingStarted.md ).
Want to help? We welcome contributions! See our [Contributing guidelines ](CONTRIBUTING.md ).
2021-08-24 03:51:01 +03:00
Feel free to take a look at our [Good First Issues ](https://github.com/microsoft/ebpf-for-windows/labels/good%20first%20issue )
list if you're looking for somewhere to start.
2021-04-17 03:23:21 +03:00
2021-05-21 21:32:50 +03:00
Want to chat with us? We have a:
2021-11-30 18:59:36 +03:00
* [Slack channel ](https://cilium.slack.com/messages/ebpf-for-windows ) (If you are new, sign up at http://slack.cilium.io/)
2021-08-24 03:51:01 +03:00
* Zoom meeting for github issue triage: see [meeting info ](https://github.com/microsoft/ebpf-for-windows/discussions/427 )
For tracking Q& A and general discussion, we use [Discussions ](https://github.com/microsoft/ebpf-for-windows/discussions )
in github. This can also function similar to a mailing list if you subscribe to discussion notifications by
clicking "Watch" (or "Unwatch") and selecting "Custom" -> "Discussions" (or by selecting "All Activity" if
you want to receive notifications about everything else too).
2021-05-21 21:32:50 +03:00
2023-06-19 23:15:44 +03:00
If you have issues with an eBPF program, start with the [Troubleshooting Guide ](docs/TroubleshootingGuide.md ).
2021-04-17 03:23:21 +03:00
## Frequently Asked Questions
### 1. Is this a fork of eBPF?
2021-05-03 22:28:30 +03:00
No.
2021-05-06 21:51:06 +03:00
The eBPF for Windows project leverages existing projects, including
2021-05-10 20:03:14 +03:00
the [IOVisor uBPF project ](https://github.com/iovisor/ubpf ) and
2021-05-06 21:51:06 +03:00
the [PREVAIL verifier ](https://github.com/vbpf/ebpf-verifier ),
running them on top of Windows by adding the Windows-specific hosting environment for that code.
2021-04-17 03:23:21 +03:00
### 2. Does this provide app compatibility with eBPF programs written for Linux?
2021-05-06 21:51:06 +03:00
The intent is to provide source code compatibility for code that uses common
hooks and helpers that apply across OS ecosystems.
2021-05-03 22:28:30 +03:00
2021-05-06 21:51:06 +03:00
Linux provides many hooks and helpers, some of which are very Linux specific (e.g., using
Linux internal data structs) that would not be applicable to other platforms.
Other hooks and helpers are generically applicable and the intent is to support them for eBPF
programs.
2021-04-17 03:23:21 +03:00
2021-05-07 00:30:56 +03:00
Similarly, the eBPF for Windows project exposes [Libbpf APIs ](https://github.com/libbpf/libbpf )
2021-04-17 23:37:48 +03:00
to provide source code compatibility for applications that interact with eBPF programs.
2021-04-17 03:23:21 +03:00
### 3. Will eBPF work with HyperVisor-enforced Code Integrity (HVCI)?
2022-04-20 02:59:31 +03:00
Yes. With HVCI enabled, eBPF programs cannot be JIT compiled, but can be run either natively or in interpreted mode
(but the interpreter is disabled in release builds and is only supported in debug builds). To understand
why JIT compiled mode does not work, we must first understand what HVCI does.
2021-04-17 03:23:21 +03:00
[HyperVisor-enforced Code Integrity (HVCI) ](https://techcommunity.microsoft.com/t5/windows-insider-program/virtualization-based-security-vbs-and-hypervisor-enforced-code/m-p/240571 )
2021-04-17 23:37:48 +03:00
is a mechanism
2021-04-30 01:22:29 +03:00
whereby a hypervisor, such as Hyper-V, uses hardware virtualization to protect kernel-mode processes against
2021-04-17 03:23:21 +03:00
the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure
environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and
maintained by the hypervisor.
Since a hypervisor doing such code integrity checks will refuse to accept code pages that aren't signed by
2021-04-17 23:37:48 +03:00
a key that the hypervisor trusts, this does impact eBPF programs running natively. As such, when HVCI
2022-04-20 02:59:31 +03:00
is enabled, eBPF programs work fine in interpreted mode, but not when using JIT compilation because the JIT
compiler does not have a key that the hypervisor trusts. And since interpreted
mode is absent in release builds, neither mode will work on an HVCI-enabled production system.
Instead, a third mode is also supported by eBPF for Windows, in addition to JIT compiled and interpreted modes.
This third mode entails compiling eBPF programs into regular Windows drivers that can be accepted by HVCI.
For more discussion, see the [Native Code Generation documentation ](docs/NativeCodeGeneration.md ).
