3 min read

Progress on making eBPF work on Windows

eBPF is a well-known, but revolutionary, technology for providing programmability, extensibility, and agility. eBPF has been applied to use cases such as denial-of-service protection and observability. In May 2021, we announced the effort to make eBPF work on Windows, and were encouraged by the huge amount of interest. Six months have passed since then, and we have achieved some significant milestones worthy of mention.

Announcements and talks

In June, we did an eCHO live stream episode on eBPF for Windows. Less than two months later, we were part of another huge announcement for the whole eBPF ecosystem: the creation of the eBPF Foundation with Microsoft as one of the founding members!   We expect this foundation will encourage collaboration across the industry and help many projects, including eBPF for Windows.

A week later, we gave a keynote talk on eBPF for Windows at the eBPF Summit, and then an invited talk on the cross-platform future of eBPF at Cloud Native eBPF Day, co-located with KubeCon. We’ve been excited by the energy we’ve seen from others around these discussions and look forward to continued collaboration as we continue the journey on eBPF for Windows.

eBPF for Windows

Let’s talk about the great progress we’ve made over the past six months on the eBPF for Windows project. When we first announced the project, there were relatively few APIs available to eBPF programs, and no support yet for the de facto standard libbpf APIs. The table below shows the progress on several dimensions:

Dimension May 2021 November 2021
Standard libbpf APIs 0 68
Standard helper functions for eBPF programs 3 11
Standard map types 2 12
XDP hook actions 2 3

 

In particular, we have tried to focus on some of the most used APIs and map types, to unblock key application scenarios. For example, eBPF for Windows now includes the following eBPF features, among others:

  • Support for loops.
  • Support for tail calls, where an eBPF program can call another eBPF program.
  • Support for pinned programs and maps.
  • Support for many of the top commands in the bpftool utility used for managing eBPF programs on the local machine.
  • Support for the XDP_TX action to allow retransmitting a packet.
  • Improved readability and understandability of verifier failure messages.
  • Ability to verify a wider set of eBPF programs, including every eBPF program we’ve found so far that uses supported hooks and helper functions. The PREVAIL verifier itself has test cases verifying eBPF programs from Cilium, Falco, and various other projects, and we have been improving this, so more can be successfully verified, such as additional Cilium programs that were not previously part of the verifier test runs.
  • Various performance benchmarking and improvements.

In order to increase usability, we spent efforts making sure that all eBPF for Windows hooks, helper functions, and libbpf APIs are fully documented. The eBPF for Windows project also provides a framework where extensions can be added at any time, even during runtime, and so we created a sample extension and documentation on how to create a new extension with hooks and helpers.

Finally, we improved our test infrastructure so that every pull request is validated with the eBPF for Windows runtime running in kernel mode, using a constantly increasing set of hundreds of test cases.

Looking ahead

We’ve come a long way over the past six months, but let’s mention a few areas of focus for the path ahead. First, we’d like to enable other existing eBPF applications and projects to work on top of eBPF for Windows by continuing to collect requirements from customers and ensure that they can be met on top of Windows.

Second, and in support of the first goal, although we’ve made huge strides in terms of application APIs and eBPF program helper functions, we’d like to expand the set of eBPF program types and hook points to which they can be attached, to enable new scenarios for observability for example.  In fact, observability hooks are probably our most requested future feature, and we invite collaborators to contribute to this effort, whether through pull requests or extensions as discussed earlier.

And finally, we want to continue the security hardening work needed for eBPF for Windows to be ready for use in production.

How to collaborate

We welcome all contributions and suggestions and look forward to continued collaboration with the rest of the eBPF community on this exciting journey. You can reach us on our Slack channel, through our GitHub discussions, or join us at our weekly public Zoom meetings at 8:30 AM Pacific Time.