On Sunday, 11 July 2021 14:41:08 BST caveman رَجُلُ الْكَهْفِ 穴居人 wrote:
> On Sunday, July 11th, 2021 at 13:11, Nils Freydank <nils.freydank@××××××.de>
> wrote:
> > Hi caveman,
> >
> > you should really train your search skills :-P
>
> lel. more like train my cognition.

I could do with a bit of the same! ;-)


> > (1) Just searching for "libbpf" and then for "bpf BTF" gives plenty of
> > webpages and links. In short:
> >
> > BPF: Berkeley packet filter, e.g.:
> > https://en.wikipedia.org/wiki/Berkeley_Packet_Filter
> >
> > libbpf: a library to use it, e.g.: https://github.com/libbpf/libbpf
> >
> > BPF Type Format (BTF) https://www.kernel.org/doc/html/v5.9/bpf/btf.html
>
> i did this before asking here, but didn't fully
> get it.
>
> wiki seems to say that it's for speeding up packet
> filtering by having apps supply a filtering
> program into the kernel, so that the whole thing
> is done inside the kernel for speed.

Right, the old Berkeley Packet Filter (BPF) was meant to filter packets and
was used in networking and security functions. However, from what I have
understood so far, the BPF instruction set and architecture was deemed
flexible enough to be extended for other functions, acting as if it were a
virtual machine within the Linux kernel to allow bytecode to run at various
hook points in a safe manner. So think of BPF as a framework to leverage
kernel functionality by various programs, safely and fast. BPF is used e.g.
to implement networking policies early, hooking deep into the NIC driver,
without moving packets in and out of kernel/user space.


> but i also read elsewhere that it's being used to
> generally run any apps inside the kernel,
> ultimately making linux slowly become some
> kind of a micro-kernel design. didn't fully get
> it.

Hmm ... not sure about this. I don't think BPF allows you to run apps inside
the kernel as such. It allows apps to utilise *programmable* functionality
like XDP (eXpress Data Path) to access kernel data at an earlier state than
would otherwise be accessible; e.g. close to bare-metal packet processing,
before such data reaches the network stack for conventional processing. This
is convenient for applying network policies for containers at an earlier stage
than would be the case without BPF infrastructure, and for constraining kernel
data and memory access in a secure way.

BPF may have expanded into micro-kernel design; I can see how the BPF
functionality would be desirable for this purpose, but I'm not sure BPF would
reduce the kernel size as such. TBH, this is not a field I have looked into
enough to be able to add anything useful.


> but either way, this feature sort of freaks me.
> is it harming my security? how can i know which
> app is running its code inside my kernel?
>
> also, which apps would benefit from this? and why
> did i end up having it? e.g. any idea which app
> brought this feature?
>
> or did gentoo generally go to ship BTF by default?
> without any app needing it?

You can enable/disable BPF in your kernel. BTF is used to manage types of ELF
executable binaries, so as to utilise the BPF ABI. LLVM, Clang and others
utilise BPF to generate object files which can be loaded and run in the
kernel. This is meant to happen securely following verification of
instructions to establish they are legitimate, so that kernel and hardware are
not compromised by loose coding. Apps like iproute2, suricata, network
accounting/monitoring apps, etc. make use of BPF. However, I'm no dev so I
have no idea what the potential for BPF harming Linux security might be.
Other more knowledgeable M/L contributors may chime in to explain better.
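The question "which app is running its code inside my kernel?" has a practical defender's answer that the thread does not spell out: the kernel exposes every loaded BPF program through the bpf() syscall, and `bpftool prog show -j` prints that inventory as JSON. The script below is an added example, not code from this thread or from the bpftool project. It parses that JSON into a per-program summary (type, loading uid, whether BTF is attached, and which processes still hold a file descriptor to the program), flags programs that no process holds (pinned or directly attached ones outlive their loader, so the pid list alone cannot name the app), and reads the kernel's BPF build options from /proc/config.gz so you can see whether BPF, the JIT and BTF are compiled in at all. The JSON field names (id, type, name, uid, btf_id, pids) are assumed from bpftool's output format; both the program sample and the config excerpt embedded here are constructed, and the live paths are only tried when bpftool and /proc/config.gz are actually available (the inventory needs root or CAP_BPF).

```python
# Added example (not from the thread): inventory loaded BPF programs and the
# kernel's BPF build options. Field names assumed from `bpftool prog show -j`.
import gzip
import json
import shutil
import subprocess
from collections import Counter

# Constructed sample shaped like `bpftool prog show -j` output (not real data).
SAMPLE_PROGS = json.dumps([
    {"id": 3, "type": "cgroup_skb", "tag": "0000000000000003",
     "gpl_compatible": True, "loaded_at": 1625999000, "uid": 0,
     "bytes_xlated": 64, "jited": True, "bytes_jited": 54, "pids": []},
    {"id": 27, "type": "xdp", "name": "xdp_filter", "tag": "0000000000000027",
     "gpl_compatible": True, "loaded_at": 1626000100, "uid": 0,
     "bytes_xlated": 1024, "jited": True, "bytes_jited": 700,
     "map_ids": [5, 6], "btf_id": 12,
     "pids": [{"pid": 4242, "comm": "suricata"}]},
    {"id": 31, "type": "kprobe", "name": "trace_open", "tag": "0000000000000031",
     "gpl_compatible": True, "loaded_at": 1626001000, "uid": 1000,
     "bytes_xlated": 256, "jited": True, "bytes_jited": 200, "btf_id": 14,
     "pids": [{"pid": 9001, "comm": "bpftrace"}]},
])

# Constructed excerpt in the /proc/config.gz format (not a real config).
SAMPLE_CONFIG = """\
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
CONFIG_DEBUG_INFO_BTF=y
"""

BPF_OPTIONS = ("CONFIG_BPF", "CONFIG_BPF_SYSCALL", "CONFIG_BPF_JIT",
               "CONFIG_BPF_UNPRIV_DEFAULT_OFF", "CONFIG_DEBUG_INFO_BTF")


def parse_programs(text):
    """One summary dict per loaded program: who loaded it (uid), which
    processes still hold an fd to it, and whether BTF type info is attached."""
    summary = []
    for prog in json.loads(text):
        # "pids" is only present when bpftool was built with pid-iterator
        # support, so treat a missing key as "no known holder".
        holders = sorted("%s(%d)" % (h["comm"], h["pid"])
                         for h in prog.get("pids", []))
        summary.append({
            "id": prog["id"],
            "type": prog["type"],
            "name": prog.get("name", "<anon>"),
            "uid": prog.get("uid"),
            "has_btf": "btf_id" in prog,
            "holders": holders,
        })
    return summary


def orphaned_programs(summary):
    """Programs no process references via an fd: pinned in bpffs or attached
    straight to a hook (cgroup, XDP, ...), so they outlive their loader."""
    return [s["id"] for s in summary if not s["holders"]]


def count_by_type(summary):
    return dict(Counter(s["type"] for s in summary))


def bpf_kernel_options(config_text):
    """Map each BPF-related option to 'y'/'m', 'n' (explicitly unset) or
    None (absent), from text in the /proc/config.gz format."""
    found = {opt: None for opt in BPF_OPTIONS}
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("# ") and line.endswith(" is not set"):
            opt = line[2:-len(" is not set")]
            if opt in found:
                found[opt] = "n"
        elif "=" in line and not line.startswith("#"):
            opt, _, val = line.partition("=")
            if opt in found:
                found[opt] = val
    return found


def live_programs():
    """Real inventory when bpftool is installed and we hold CAP_BPF/root."""
    if shutil.which("bpftool") is None:
        return None
    try:
        return subprocess.run(["bpftool", "prog", "show", "-j"],
                              capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None


def live_config():
    try:
        with gzip.open("/proc/config.gz", "rt") as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    summary = parse_programs(live_programs() or SAMPLE_PROGS)
    for s in summary:
        print("prog %3d %-11s %-12s uid=%-5s btf=%-5s holders=%s" % (
            s["id"], s["type"], s["name"], s["uid"], s["has_btf"],
            ", ".join(s["holders"]) or "-"))
    print("by type:", count_by_type(summary))
    print("no holder process:", orphaned_programs(summary))
    print("kernel options:", bpf_kernel_options(live_config() or SAMPLE_CONFIG))
```

Run as root on a live box it reports the real inventory; without bpftool it falls back to the constructed sample, where the cgroup_skb program (id 3) shows up as having no holder process, which is exactly the case where you have to look at the cgroup or interface attachment rather than a pid to find who installed it. The config check is the counterpart of "you can enable/disable BPF in your kernel": CONFIG_BPF_SYSCALL is what lets user space load programs at all, and CONFIG_BPF_UNPRIV_DEFAULT_OFF (or the kernel.unprivileged_bpf_disabled sysctl) decides whether non-root processes may do so.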