
eBPF Is Coming for Windows

With the help of the IETF and Microsoft, eBPF will soon offer cross-platform compatibility for in-kernel programs, for both Linux and Windows.
Oct 11th, 2024 9:00am by

At the virtual eBPF Summit last month, Thomas Graf, who is CTO and cofounder of Isovalent, talked about the future of the open source filter-turned kernel engine. And that future includes Microsoft Windows, he noted.

Microsoft researchers have embarked on a project to make a version of eBPF for Windows, which is to say give the Windows kernel a similar programmable interface.

Since its inclusion in the kernel a decade ago, the Linux-based eBPF has found widespread adoption, particularly for observability, security and compliance tools that benefit from its programmable in-line speed to analyze and filter packets without the need for cumbersome modules or dangerous kernel modifications.

With the promised cross-platform compatibility between Windows and Linux, tool makers can write binaries that run on both platforms.

eBPF … For Windows

Like the Linux eBPF, Windows eBPF will offer a sandbox to execute small programs within the kernel itself, using an enclaved in-kernel interpreter to execute eBPF bytecode, once the code is verified.

The Microsoft project, hosted on GitHub, shows 43 contributors, with the code mostly written in C and a smattering of C++.

The package will bring bytecode compatibility with Linux eBPF, Graf said, and also feature a similar interpreter and just-in-time compiler for bytecode execution. But the hook points where eBPF connects to the kernel may differ, given the differences in Windows system calls.

[Figure: Microsoft eBPF architecture. Microsoft's architecture for its eBPF for Windows kernel (Windows)]

All the tooling that has been done for the Linux eBPF will also be ported over to Windows environs “in the coming years,” Graf said.

He warned that this will bring more challenges to the community. Going forward, tool makers will need to ensure that their wares work in both environments.

Hence the need for standardization.

eBPF Standardization

Originally, eBPF (which, the keepers now agree, no longer stands for anything) evolved as a set of code; it did not follow a pre-defined specification that it was implementing, Graf pointed out. As a result, the code itself “is the standard” that the tool makers must write to, he said.

The Internet Engineering Task Force (IETF) has embarked on a project to solidify things a bit more, so as to guarantee as much cross-platform compatibility between Windows and Linux as possible. That was explained by Dave Thaler, a technical advisor for the working group who is also one of the main contributors to the Microsoft eBPF project, in an earlier presentation this year for the Linux Foundation's Storage Summit.

The first task of the IETF eBPF Working Group is to solidify the Instruction Set Architecture (ISA) for the virtual machine that runs eBPF programs. The body has largely finished the document that describes the ISA, minus some last-call feedback.

After the ISA work is finished, the group plans to also develop a set of expectations for the verifier, which guarantees the safe execution of untrusted eBPF programs. What should a verifier do to ensure code is safe? What security properties does a verifier guarantee? For this work, the group can build from the Linux kernel's verifier.rst for eBPF.
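To make concrete what a shared ISA and a verifier contract mean in practice (the bytecode compatibility and in-kernel interpreter discussed above, and the verifier expectations the working group wants to write down), here is an added Python illustration. It is not code from the eBPF for Windows project, the Linux kernel or the IETF. The 64-bit instruction layout and the opcode values are the ISA's; the verifier rules are a deliberately reduced subset chosen for illustration, and the sample programs are constructed.

```python
import struct

# eBPF ISA encoding: one 64-bit word per instruction, little-endian fields.
#   byte 0    : opcode
#   byte 1    : destination register (low nibble) | source register (high nibble)
#   bytes 2-3 : signed 16-bit offset (jump displacement, in instructions)
#   bytes 4-7 : signed 32-bit immediate
INSN = struct.Struct("<BBhi")

# Opcode values from the ISA (class | source | operation); only a small subset is modelled.
MOV64_K, MOV64_X = 0xB7, 0xBF   # dst = imm / dst = src
ADD64_K, ADD64_X = 0x07, 0x0F   # dst += imm / dst += src
SUB64_K, MUL64_K = 0x17, 0x27   # dst -= imm / dst *= imm
JEQ_K, JGT_K = 0x15, 0x25       # if dst == imm / if dst > imm (unsigned): pc += off
JA, EXIT = 0x05, 0x95           # pc += off / return r0

ALU_K = {MOV64_K, ADD64_K, SUB64_K, MUL64_K}
ALU_X = {MOV64_X, ADD64_X}
JMP_K = {JEQ_K, JGT_K}
KNOWN = ALU_K | ALU_X | JMP_K | {JA, EXIT}
MASK64 = (1 << 64) - 1


def encode(op, dst=0, src=0, off=0, imm=0):
    """Pack one instruction into its 8-byte ISA form."""
    return INSN.pack(op, dst | (src << 4), off, imm)


def decode(blob):
    """Unpack a byte string into (op, dst, src, off, imm) tuples."""
    if len(blob) % INSN.size:
        raise ValueError("program is not a whole number of 64-bit instructions")
    return [(op, regs & 0xF, regs >> 4, off, imm)
            for op, regs, off, imm in INSN.iter_unpack(blob)]


def verify(insns):
    """Static check before anything executes (reduced model of what a verifier does).
    Explores every path, tracking which registers hold a value, and rejects:
    unknown opcodes, reads of uninitialised registers, writes to the frame pointer
    r10, control flow leaving the program, backward jumps (unbounded loops), and
    reaching EXIT without r0 set. Returns a list of problems; empty means accepted."""
    n = len(insns)
    if n == 0:
        return ["empty program"]
    problems, seen = [], set()
    worklist = [(0, frozenset({1, 10}))]   # r1 = context pointer, r10 = frame pointer
    while worklist:
        pc, init = worklist.pop()
        if (pc, init) in seen:
            continue
        seen.add((pc, init))
        op, dst, src, off, imm = insns[pc]
        if op not in KNOWN:
            problems.append(f"insn {pc}: unknown opcode {op:#04x}")
            continue
        if op == EXIT:
            if 0 not in init:
                problems.append(f"insn {pc}: EXIT with r0 uninitialised")
            continue
        reads, writes = set(), set()
        if op in ALU_K or op in ALU_X:
            writes = {dst}
            if op not in (MOV64_K, MOV64_X):
                reads.add(dst)          # MOV only reads its source
            if op in ALU_X:
                reads.add(src)
        elif op in JMP_K:
            reads = {dst}
        for r in reads | writes:
            if r > 10:
                problems.append(f"insn {pc}: invalid register r{r}")
        if 10 in writes:
            problems.append(f"insn {pc}: write to read-only r10")
        for r in reads - init:
            problems.append(f"insn {pc}: read of uninitialised r{r}")
        targets = [pc + 1 + off] if op == JA else [pc + 1]
        if op in JMP_K:
            targets.append(pc + 1 + off)   # both the fall-through and the taken branch
        for t in targets:
            if t >= n:
                problems.append(f"insn {pc}: control flow leaves the program")
            elif t <= pc:
                problems.append(f"insn {pc}: backward jump (loop) rejected")
            else:
                worklist.append((t, init | writes))
    return problems


def run(insns, r1=0):
    """Interpret a program and return r0 at EXIT; refuses anything verify() rejects."""
    problems = verify(insns)
    if problems:
        raise ValueError("; ".join(problems))
    regs = [0] * 11
    regs[1] = r1 & MASK64
    pc = 0
    while True:
        op, dst, src, off, imm = insns[pc]
        imm64 = imm & MASK64            # sign-extend the 32-bit immediate to 64 bits
        if op == EXIT:
            return regs[0]
        if op == MOV64_K:
            regs[dst] = imm64
        elif op == MOV64_X:
            regs[dst] = regs[src]
        elif op == ADD64_K:
            regs[dst] = (regs[dst] + imm64) & MASK64
        elif op == ADD64_X:
            regs[dst] = (regs[dst] + regs[src]) & MASK64
        elif op == SUB64_K:
            regs[dst] = (regs[dst] - imm64) & MASK64
        elif op == MUL64_K:
            regs[dst] = (regs[dst] * imm64) & MASK64
        elif op == JA or (op == JEQ_K and regs[dst] == imm64) \
                or (op == JGT_K and regs[dst] > imm64):
            pc += off
        pc += 1


# Constructed sample: r0 = 100 if r1 > 100 else r1 * 2 (a clamp of a context value).
CLAMP_PROGRAM = decode(b"".join([
    encode(MOV64_X, dst=0, src=1),         # 0: r0 = r1
    encode(JGT_K, dst=0, off=2, imm=100),  # 1: if r0 > 100 goto 4
    encode(MUL64_K, dst=0, imm=2),         # 2: r0 *= 2
    encode(JA, off=1),                     # 3: goto 5
    encode(MOV64_K, dst=0, imm=100),       # 4: r0 = 100
    encode(EXIT),                          # 5: return r0
]))
# Constructed rejects: a read of r2 before any write; a program that never reaches EXIT.
UNINIT_PROGRAM = decode(encode(ADD64_X, dst=0, src=2) + encode(EXIT))
NO_EXIT_PROGRAM = decode(encode(MOV64_K, dst=0, imm=1))

if __name__ == "__main__":
    for r1 in (7, 100, 250):
        print(f"r1={r1} -> r0={run(CLAMP_PROGRAM, r1)}")
    print(verify(UNINIT_PROGRAM))
    print(verify(NO_EXIT_PROGRAM))
```

The same byte string round-trips through `encode` and `decode` regardless of the platform that will eventually load it, which is the point of fixing the ISA; the verifier runs before the interpreter touches a single instruction, which is the contract the working group's second document is meant to spell out. A real verifier additionally tracks value ranges, pointer types, memory and helper-call safety, and bounded loops; this model only shows the path-exploration shape of that work.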

The group also plans to create a format for producing portable eBPF binaries via an ABI (application binary interface) specification, perhaps based on one of those already existing.
