ebpf-assembler

ebpf-assembler copied to clipboard

An eBPF bytecode assembler and compiler that

• Assembles the bytecode to object code.
• Compiles the bytecode to C macro preprocessors.

A disassembler is provided and can be used with: ./disas-ebpf

Symbolic names are resolved during parsing and the bytecode is statically type checked during compile time.

Instructions that have 32-bit equivalents are suffixed with 32. For example: mov32 r0 8 or jne32 r1 r2 label. Some instructions cannot perform operations on certain bit-sizes and will in such cases default to a lower bit-size.

Emitting function calls is not possible, as the implementation of the called function must be present during compile-time of the assembler. Emitting calls BPF_EMIT_CALL(FUNC) can instead be invoked after compiling the bytecode to C preprocessing macros instead of object code. Relevant BPF functions may be implemented in the future.

The test folder contains useful utility tools to load eBPF object code into the kernel (load_ebpf) and to load bytecode defined in C preprocessing macros into the kernel (load_ebpf_macros).

Refer to the GCC backend, LLVM backend or netsniff-ng toolkit for other assemblers/compilers.

Building:

make

Usage: ./ebpf-as [options] options: {-O --opt}: Employ various compiler optimization strategies to the bytecode. {-c --cstruct} : Compile to preprocessing macros located in a C struct named . {-m --macros}: Compile to preprocessing macros. {-o --output} : Output to the succeeding argument. {-h --help}: Print this usage message.

Example:

; comment
mov r1 64
mov32 r2 32
jlt r2 r1 end
jge r1 r2 end
loop:
sub r1 1
add32 r2 1
jle r1 r2 loop
end:
mov r0 0
exit

The specification of the instruction set architecture (ISA) is outlined from the kernel source tree [1][2], the official specification [3][4] and its summary [5]:

Instruction encoding:

eBPF programs are a sequence of 64-bit instructions and are encoded in the following byte order by the host:

MSB LSB +------------------------+----------------+----+----+--------+ |immediate |offset |src |dst |opcode | +------------------------+----------------+----+----+--------+

where MSB denotes the most significant bit and LSB denotes the least significant bit. Each field has the following amount of bits encoded:

• 8 bit opcode (op)
• 4 bit destination register (dst)
• 4 bit source register (src)
• 16 bit offset (off)
• 32 bit immediate (imm)

The 3 LSBs of the opcode field are considered the instruction class:

LD/LDX/ST/STX opcode structure:

MSB LSB +----+---+----+ |mde |sz |cls | +----+---+----+

where the sz field specifies the size of the memory location and the mde field is the memory access mode.

ALU/ALU64/JMP opcode structure:

msb lsb +----+--+----+ |op |s |cls | +----+--+----+

where op specifies the ALU/branching instruction and s specifies the source operand. The source operand is an immediate if s is 0 or a register if s is 1.

ALU instructions:

64-bit:

32-bit:

Endianess conversion (Byteswap) instructions:

Atomic operations:

Memory instructions:

Branch instructions:

64-bit:

32-bit:

Special instructions:

Author:

Emil Masoumi

References: [1]: https://github.com/torvalds/linux/blob/master/include/linux/filter.h [2]: https://github.com/torvalds/linux/blob/master/include/uapi/linux/bpf.h [3]: https://docs.kernel.org/bpf/index.html [4]: https://www.kernel.org/doc/Documentation/networking/filter.txt [5]: https://github.com/iovisor/bpf-docs/blob/master/eBPF.md