| 1 |
On Sunday, 11 July 2021 14:41:08 BST caveman رَجُلُ الْكَهْفِ 穴居人 wrote: |
| 2 |
> On Sunday, July 11th, 2021 at 13:11, Nils Freydank <nils.freydank@××××××.de> |
| 3 |
wrote: |
| 4 |
> > Hi caveman, |
| 5 |
> > |
| 6 |
> > you should really train your search skills :-P |
| 7 |
> |
| 8 |
> lel. more like train my cognition. |
| 9 |
|
| 10 |
I could do with a bit of the same! ;-) |
| 11 |
|
| 12 |
|
| 13 |
> > (1) Just searching for "libbpf" and then for "bpf BTF" gives plenty |
| 14 |
> > webpages and |
| 15 |
> > |
| 16 |
> > links. In short: |
| 17 |
> > |
| 18 |
> > BPF: Berkeley packet filter, e.g.: |
| 19 |
> > https://en.wikipedia.org/wiki/Berkeley_Packet_Filter |
| 20 |
> > |
| 21 |
> > libbpf: a library to use it, e.g.: https://github.com/libbpf/libbpf |
| 22 |
> > |
| 23 |
> > BPF Type Format (BTF) https://www.kernel.org/doc/html/v5.9/bpf/btf.html |
| 24 |
> |
| 25 |
> i did this before asking here, but didn't fully |
| 26 |
> get it. |
| 27 |
> |
| 28 |
> wiki seems to say that it's for speeding up packer |
| 29 |
> filtering by having apps supply a filtering |
| 30 |
> program into the kernel, so that the whole thing |
| 31 |
> is done inside the kernel for speed. |
| 32 |
|
| 33 |
Right, the old Berkeley Packet Filter (BPF) was meant to filter packets and |
| 34 |
used in networking and security functions. However, from what I have |
| 35 |
understood so far, the BPF instruction set and architecture was deemed |
| 36 |
flexible enough to be extended for other functions, acting as if it were a |
| 37 |
virtual-machine within the Linux kernel to allow bytecode to run at various |
| 38 |
hook points in a safe manner. So think of BPF as a framework to leverage |
| 39 |
kernel functionality by various programs, safely and fast. BPF is used e.g. |
| 40 |
to implement networking policies early, hooking deep into the NIC driver, |
| 41 |
without moving packets in-out of kernel-user space. |
| 42 |
|
| 43 |
|
| 44 |
> but i also read elsewhere that it's being used to |
| 45 |
> generally run any apps inside the kernel, |
| 46 |
> ultimately making linux to slowly become into some |
| 47 |
> kind of a micro-kernel design. didn't fully get |
| 48 |
> it. |
| 49 |
|
| 50 |
Hmm ... not sure about this. I don't think BPF allows you to run apps inside |
| 51 |
the kernel as such. It allows apps to utilise *programmable* functionality |
| 52 |
like XDP (eXpress Data Path) to access kernel data at an earlier state than |
| 53 |
would otherwise be accessible; e.g. close to bare metal packet processing, |
| 54 |
before such data reaches the network stack for conventional processing. This |
| 55 |
is convenient for applying network policies for containers at an earlier stage |
| 56 |
than would be the case without BPF infrastructure and constraining kernel data |
| 57 |
and memory access in a secure way. |
| 58 |
|
| 59 |
BPF may have expanded into micro-kernel design, I can see how the BPF |
| 60 |
functionality would be desirable for this purpose, but I'm not sure BPF would |
| 61 |
reduce the kernel size as such. TBH, this is not a field I have looked into |
| 62 |
to be able to add anything useful. |
| 63 |
|
| 64 |
|
| 65 |
> but either way, this feature sort of freaks me. |
| 66 |
> is it harming my security? how can i know which |
| 67 |
> app is running its code inside my kernel? |
| 68 |
> |
| 69 |
> also, which apps would benefit from this? and why |
| 70 |
> did i end up having it? e.g. any idea which app |
| 71 |
> brought this feature? |
| 72 |
> |
| 73 |
> or did gentoo generally go to ship BTF by default? |
| 74 |
> without any app needing it? |
| 75 |
|
| 76 |
You can enable/disable BPF in your kernel. BTF is used to manage types of ELF |
| 77 |
executable binaries, so as to utilise the BPF ABI. LLVM, Clang and others |
| 78 |
utilise BPF to generate object files which can be loaded and run in the |
| 79 |
kernel. This is meant to happen securely following verification of |
| 80 |
instructions to establish they are legitimate, so that kernel and hardware is |
| 81 |
not compromised by loose coding. Apps like iproute2, suricata, network |
| 82 |
accounting/monitoring apps, etc. make use of BPF. However, I'm no dev so I |
| 83 |
have no idea what the potential for BPF harming Linux security might be. |
| 84 |
Other more knowledgeable M/L contributors may chime in to explain better. |
Archives