Bouncing on trampolines to run eBPF programs
17 days ago
- #performance
- #kernel
- #eBPF
- eBPF trampoline is an internal mechanism that reduces the overhead of executing eBPF programs.
- eBPF tracing programs include kprobe, tracepoint, raw tracepoint, perf event, and pure tracing programs.
- Pure tracing programs can be attached as fentry, fexit, modify return, or iterator programs.
- Example provided: monitoring file open attempts using an eBPF program attached to the openat2 system call.
- The original kprobe mechanism patches instructions to generate exceptions, which adds overhead.
- eBPF trampoline avoids exceptions by directly calling eBPF programs, acting as an ABI bridge.
- Trampoline dynamically generates code to handle function arguments and calling conventions.
- Advanced use case: trampoline can handle both fentry and fexit programs for entry and exit instrumentation.
- ARM64 support for eBPF trampoline has been enhanced, including multi-kprobe attach and handling more than 8 arguments.
- Contributions funded by the eBPF Foundation have been integrated into kernel version 6.16.0.
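
The bridging described in the bullets on the ABI bridge and on combined fentry/fexit handling, modeled in user-space C as an added example (not code from the article or the kernel). `traced_open`, `trampoline_open`, the event struct and the four-slot context layout are constructed for illustration; a real trampoline is machine code generated per traced function.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the traced kernel function (hypothetical name). */
static long traced_open(int dfd, const char *path, uint64_t flags)
{
    (void)dfd; (void)flags;
    return (path && path[0]) ? 3 : -2;   /* fake fd, or -ENOENT */
}

struct open_event { int dfd; char path[32]; uint64_t flags; long ret; };
static struct open_event last;           /* what the two programs recorded */

static int fentry_prog(uint64_t *ctx)    /* sees the arguments only */
{
    last.dfd = (int)(int64_t)ctx[0];
    strncpy(last.path, (const char *)(uintptr_t)ctx[1], sizeof(last.path) - 1);
    last.flags = ctx[2];
    return 0;
}

static int fexit_prog(uint64_t *ctx)     /* sees arguments plus return value */
{
    last.ret = (long)(int64_t)ctx[3];    /* slot after the last argument */
    return 0;
}

/* Hand-written equivalent of what a trampoline generates for a
 * three-argument function with one fentry and one fexit program attached. */
static long trampoline_open(int dfd, const char *path, uint64_t flags)
{
    uint64_t ctx[4];
    ctx[0] = (uint64_t)(int64_t)dfd;     /* spill native args into slots */
    ctx[1] = (uint64_t)(uintptr_t)path;
    ctx[2] = flags;
    fentry_prog(ctx);                    /* plain call, no exception taken */
    long ret = traced_open(dfd, path, flags);
    ctx[3] = (uint64_t)(int64_t)ret;     /* expose the result to fexit */
    fexit_prog(ctx);
    return ret;                          /* caller still gets the real result */
}

int main(void)
{
    long fd = trampoline_open(-100, "/etc/hostname", 0);
    printf("open(%s) dfd=%d -> %ld\n", last.path, last.dfd, last.ret);
    return fd == last.ret ? 0 : 1;
}
```

Because the entry and exit programs share one context array, a file-open monitor can pair the requested path with the outcome of the call, including failed attempts.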