The eBPF Runtime in the Linux Kernel

TL;DR

This paper provides a comprehensive overview of the design, implementation, and adoption of the eBPF runtime in the Linux kernel, highlighting its safety, flexibility, and growing use in kernel programming.

Contribution

It offers the first detailed description of eBPF's implementation in Linux, emphasizing its safety, versatility, and increasing role in kernel customization.

Findings

eBPF is a mature, safe, and flexible runtime for kernel programming.

Wide adoption of eBPF enables dynamic kernel modifications.

eBPF is used to program entire kernel components while maintaining safety.

Abstract

Extended Berkeley Packet Filter (eBPF) is a runtime that enables users to load programs into the operating system (OS) kernel, like Linux or Windows, and execute them safely and efficiently at designated kernel hooks. Each program passes through a verifier that reasons about the safety guarantees for execution. Hosting a safe virtual machine runtime within the kernel makes it dynamically programmable. Unlike the popular approach of bypassing or completely replacing the kernel, eBPF gives users the flexibility to modify the kernel on the fly, rapidly experiment and iterate, and deploy solutions to achieve their workload-specific needs, while working in concert with the kernel. In this paper, we present the first comprehensive description of the design and implementation of the eBPF runtime in the Linux kernel. We argue that eBPF today provides a mature and safe programming environment for the kernel. It has seen wide adoption since its inception and is increasingly being used not just to extend, but program entire components of the kernel, while preserving its runtime integrity. We outline the compelling advantages it offers for real-world production usage, and illustrate current use cases. Finally, we identify its key challenges, and discuss possible future directions.