1Architecture of the library
2===
3
4 ELF -> Specifications -> Objects -> Links
5
6ELF
7---
8
9BPF is usually produced by using Clang to compile a subset of C. Clang outputs
10an ELF file which contains program byte code (aka BPF), but also metadata for
11maps used by the program. The metadata follows the conventions set by libbpf
12shipped with the kernel. Certain ELF sections have special meaning
13and contain structures defined by libbpf. Newer versions of clang emit
14additional metadata in BPF Type Format (aka BTF).
15
16The library aims to be compatible with libbpf so that moving from a C toolchain
17to a Go one creates little friction. To that end, the [ELF reader](elf_reader.go)
18is tested against the Linux selftests and avoids introducing custom behaviour
19if possible.
20
21The output of the ELF reader is a `CollectionSpec` which encodes
22all of the information contained in the ELF in a form that is easy to work with
23in Go.
24
25### BTF
26
27The BPF Type Format describes more than just the types used by a BPF program. It
28includes debug aids like which source line corresponds to which instructions and
29what global variables are used.
30
31[BTF parsing](internal/btf/) lives in a separate internal package since exposing
32it would mean an additional maintenance burden, and because the API still
33has sharp corners. The most important concept is the `btf.Type` interface, which
34also describes things that aren't really types like `.rodata` or `.bss` sections.
35`btf.Type`s can form cyclical graphs, which can easily lead to infinite loops if
36one is not careful. Hopefully a safe pattern to work with `btf.Type` emerges as
37we write more code that deals with it.
38
39Specifications
40---
41
42`CollectionSpec`, `ProgramSpec` and `MapSpec` are blueprints for in-kernel
43objects and contain everything necessary to execute the relevant `bpf(2)`
44syscalls. Since the ELF reader outputs a `CollectionSpec` it's possible to
45modify clang-compiled BPF code, for example to rewrite constants. At the same
46time the [asm](asm/) package provides an assembler that can be used to generate
47`ProgramSpec` on the fly.
48
49Creating a spec should never require any privileges or be restricted in any way,
50for example by only allowing programs in native endianness. This ensures that
51the library stays flexible.
52
53Objects
54---
55
56`Program` and `Map` are the result of loading specs into the kernel. Sometimes
57loading a spec will fail because the kernel is too old, or a feature is not
58enabled. There are multiple ways the library deals with that:
59
60* Fallback: older kernels don't allow naming programs and maps. The library
61 automatically detects support for names, and omits them during load if
62 necessary. This works since name is primarily a debug aid.
63
64* Sentinel error: sometimes it's possible to detect that a feature isn't available.
65 In that case the library will return an error wrapping `ErrNotSupported`.
66 This is also useful to skip tests that can't run on the current kernel.
67
68Once program and map objects are loaded they expose the kernel's low-level API,
69e.g. `NextKey`. Often this API is awkward to use in Go, so there are safer
70wrappers on top of the low-level API, like `MapIterator`. The low-level API is
71useful when our higher-level API doesn't support a particular use case.
72
73Links
74---
75
76BPF can be attached to many different points in the kernel and newer BPF hooks
77tend to use bpf_link to do so. Older hooks unfortunately use a combination of
78syscalls, netlink messages, etc. Adding support for a new link type should not
79pull in large dependencies like netlink, so XDP programs or tracepoints are
80out of scope.
81
82Each bpf_link_type has one corresponding Go type, e.g. `link.tracing` corresponds
83to BPF_LINK_TRACING. In general, these types should be unexported as long as they
84don't export methods outside of the Link interface. Each Go type may have multiple
85exported constructors. For example `AttachTracing` and `AttachLSM` create a
86tracing link, but are distinct functions since they may require different arguments.
View as plain text