
[FEATURE] Enable userspace verifier by default

Open yunwei37 opened this issue 1 year ago • 6 comments

Is your feature request related to a problem? Please describe.

PREVAIL should be enabled by default, and:

  • Add a runtime option to bypass the userspace verifier
  • Add a prompt to let the user use the kernel verifier when the userspace verifier does not pass

Describe the solution you'd like

yunwei37 avatar Aug 14 '24 07:08 yunwei37

Note that ebpf-verifier lacks a lot of features; enabling it may cause a lot of confusion

Officeyutong avatar Aug 14 '24 08:08 Officeyutong

Yes. So when an error occurs in the userspace verifier, we should treat it as a warning.

If the error is due to unsupported features, there should be a warning and the default operation is to just continue, and tell the user how to use the kernel verifier if they want. If the error sounds like a real bug, it should block it but also tell the user how to bypass it or use the kernel verifier.

We maybe can have 3 modes:

  • BPFTIME_VERIFY_STRICT: all verifier warnings are errors, you should pass either kernel or userspace verifier.
  • BPFTIME_VERIFY_WARNING: userspace verifier is a warning, kernel verifier is an error.
  • BPFTIME_NO_VERIFY: no verification.

yunwei37 avatar Aug 14 '24 11:08 yunwei37

Yes. So when an error occurs in the userspace verifier, we should treat it as a warning.

If the error is due to unsupported features, there should be a warning and the default operation is to just continue, and tell the user how to use the kernel verifier if they want. If the error sounds like a real bug, it should block it but also tell the user how to bypass it or use the kernel verifier.

We maybe can have 3 modes:

  • BPFTIME_VERIFY_STRICT: all verifier warnings are errors, you should pass either kernel or userspace verifier.
  • BPFTIME_VERIFY_WARNING: userspace verifier is a warning, kernel verifier is an error.
  • BPFTIME_NO_VERIFY: no verification.

But we don't even know which features are supported by ebpf-verifier, making it hard to distinguish whether it's a missing feature or a bug

Officeyutong avatar Aug 14 '24 11:08 Officeyutong

Ok, so maybe just 3 levels? The default level is verify warning

yunwei37 avatar Aug 14 '24 11:08 yunwei37

Ok, so maybe just 3 levels? The default level is verify warning

Agree

Officeyutong avatar Aug 14 '24 22:08 Officeyutong

Hi all, as the chief maintainer of Prevail, I'm happy to help with feature requests (within the reach of abstract interpretation frameworks). Additions to the ebpf-samples repository are also greatly appreciated.

elazarg avatar Sep 26 '25 11:09 elazarg