From: Zhang Chen <chen.zhang@intel.com>
To: "Jason Wang" <jasowang@redhat.com>,
qemu-dev <qemu-devel@nongnu.org>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Daniel P. Berrangé" <berrange@redhat.com>,
"Eduardo Habkost" <eduardo@habkost.net>,
"Eric Blake" <eblake@redhat.com>,
"Markus Armbruster" <armbru@redhat.com>
Cc: Zhang Chen <chen.zhang@intel.com>,
Peter Maydell <peter.maydell@linaro.org>,
Thomas Huth <thuth@redhat.com>,
Laurent Vivier <lvivier@redhat.com>,
Yuri Benditovich <yuri.benditovich@daynix.com>,
Andrew Melnychenko <andrew@daynix.com>
Subject: [RFC PATCH 00/12] Introduce QEMU userspace ebpf support
Date: Fri, 17 Jun 2022 15:36:18 +0800
Message-ID: <20220617073630.535914-1-chen.zhang@intel.com>

Hi All,

The goal of this series is to bring the power of eBPF to QEMU.
It gives QEMU the ability to extend its capabilities without
requiring changes to the source code: one just needs to load the eBPF
binary file, even at VM runtime. There are already some userspace eBPF
implementations, like Intel DPDK eBPF, Windows eBPF, etc.
The original idea was suggested by Jason Wang.

eBPF is a revolutionary technology with origins in the Linux kernel
that can run sandboxed programs in an operating system kernel. It is
used to safely and efficiently extend the capabilities of the kernel
without requiring to change kernel source code or load kernel
modules. (from https://ebpf.io/)

KVM already got benefits from it, but QEMU did not. Hence we want
to bring the power of eBPF to QEMU. It can load a binary eBPF program
even when the VM is running. At the same time, we add some hooks in QEMU as
the userspace eBPF load point. Do the things on different layers.
These are the advantages of kernel eBPF. Most of the functions can be
implemented in QEMU. This series is just a start of the Power of Programmability.

1). Safety:
Building on the foundation of seeing and understanding all system
calls and combining that with a packet and socket-level view of all
networking operations allows for revolutionary new approaches to
securing systems.

2). Tracing & Profiling:
The ability to attach eBPF programs to trace points as well as kernel
and user application probe points allows unprecedented visibility into
the runtime behavior of applications and the system itself.

3). Networking:
The combination of programmability and efficiency makes eBPF a natural
fit for all packet processing requirements of networking solutions.

4). Observability & Monitoring:
Instead of relying on static counters and gauges exposed by the
operating system, eBPF enables the collection & in-kernel aggregation
of custom metrics and generation of visibility events based on a wide
range of possible sources.

The QEMU userspace eBPF design is based on the uBPF project
(https://github.com/iovisor/ubpf), the most mature userspace eBPF
implementation. This project is officially supported by iovisor (like BCC
and bpftrace). This project includes an eBPF assembler, disassembler,
interpreter (for all platforms), and JIT compiler (for x86-64 and Arm64
targets). QEMU userspace eBPF uses the uBPF project as a git submodule.

The current implementation supports loading an eBPF program and running it
in the net/filter-ubpf module; this filter can support any user-defined rules
to handle network packets. At the same time, it's easy for other developers
to use the uBPF infrastructure in QEMU's other modules from the function
in /ebpf/ubpf.c, and it supports JIT.

The uBPF license is Apache License 2.0; it's OK, as it is compatible
with QEMU’s GPLv2 license, same as meson.

TODO: Need to add more comments and test cases for uBPF; the current
implementation does not include an eBPF verifier. But I think maybe it's not
a big problem: the current eBPF load/unload API is exposed by QMP command.
QEMU is a userspace program; if someone wants to hack QEMU, there is no need to
load a malicious uBPF program, they can hack the QEMU code or crash QEMU on the
host directly (different from kernel eBPF, which needs strict inspection, but
yes, it still needs a basic check).

Any comments are welcome.

Thanks
Chen

Zhang Chen (12):
configure: Add iovisor/ubpf project as a submodule for QEMU
meson: Add ubpf build config and misc
ebpf/uBPF: Introduce userspace ebpf data structure
ebpf/uBPF: Introduce ubpf initialize functions
ebpf/uBPF: Add qemu_prepare_ubpf to load ebpf binary
ebpf/uBPF: Add qemu_ubpf_run_once excute real ebpf program
net/filter: Introduce filter-ubpf module
qapi: Add FilterUbpfProperties and qemu-options
softmmu/vl.c: Add filter-ubpf for netdev as other netfilters
net/filter-ubpf.c: run the ubpf program to handle network packet
docs/devel: Add userspace-ebpf.rst
test/qtest: Add ubpf basic test case
.gitmodules | 3 +
configure | 20 +++
docs/devel/userspace-ebpf.rst | 106 ++++++++++++++
ebpf/meson.build | 1 +
ebpf/ubpf-stub.c | 35 +++++
ebpf/ubpf.c | 217 ++++++++++++++++++++++++++++
ebpf/ubpf.h | 44 ++++++
meson.build | 47 ++++++
meson_options.txt | 3 +
net/filter-ubpf.c | 185 ++++++++++++++++++++++++
net/meson.build | 1 +
qapi/qom.json | 18 +++
qemu-options.hx | 6 +
scripts/coverity-scan/COMPONENTS.md | 3 +
scripts/meson-buildoptions.sh | 5 +
softmmu/vl.c | 3 +-
tests/qtest/demo_ubpf.o | Bin 0 -> 544 bytes
tests/qtest/integer_5.mem | Bin 0 -> 4 bytes
tests/qtest/meson.build | 3 +-
tests/qtest/ubpf-test.c | 64 ++++++++
ubpf | 1 +
21 files changed, 763 insertions(+), 2 deletions(-)
create mode 100644 docs/devel/userspace-ebpf.rst
create mode 100644 ebpf/ubpf-stub.c
create mode 100644 ebpf/ubpf.c
create mode 100644 ebpf/ubpf.h
create mode 100644 net/filter-ubpf.c
create mode 100644 tests/qtest/demo_ubpf.o
create mode 100644 tests/qtest/integer_5.mem
create mode 100644 tests/qtest/ubpf-test.c
create mode 160000 ubpf
--
2.25.1
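
The cover letter says the series has no eBPF verifier but that loaded programs still need a basic check. As an added illustration (not code from this series or from uBPF), the sketch below shows one shape such a structural check could take before a program image reaches the VM; the name `bpf_basic_check`, its return codes and the `MAX_INSNS` limit are assumptions of this example. It covers only image size, register numbers, LDDW pairing, branch targets and termination, not opcode validity or memory safety.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One 8-byte eBPF instruction slot, as laid out in the program image. */
struct bpf_insn {
    uint8_t opcode;
    uint8_t regs;   /* low nibble: dst register, high nibble: src register */
    int16_t off;    /* branch or memory offset */
    int32_t imm;    /* immediate operand */
};
enum { OP_JA = 0x05, OP_JA32 = 0x06, OP_LDDW = 0x18, OP_CALL = 0x85, OP_EXIT = 0x95,
       MAX_INSNS = 65536, MAX_REG = 10 };   /* limits are this sketch's choice */

/* Returns 0 when the image is structurally sound, a negative code otherwise. */
int bpf_basic_check(const struct bpf_insn *p, size_t len_bytes)
{
    size_t n = len_bytes / sizeof(*p);
    if (!p || n == 0 || len_bytes % sizeof(*p) != 0 || n > MAX_INSNS)
        return -1;                          /* empty, truncated or oversized */
    if (p[n - 1].opcode != OP_EXIT && p[n - 1].opcode != OP_JA)
        return -2;                          /* execution could run off the end */
    for (size_t i = 0; i < n; i++) {
        uint8_t op = p[i].opcode, cls = op & 0x07;
        if ((p[i].regs & 0x0f) > MAX_REG || (p[i].regs >> 4) > MAX_REG)
            return -3;                      /* only r0..r10 exist */
        if (op == OP_LDDW) {                /* 64-bit immediate takes two slots */
            if (i + 1 >= n || p[i + 1].opcode != 0)
                return -4;
            i++;                            /* skip the continuation slot */
        } else if ((cls == 0x05 || cls == 0x06) && op != OP_CALL && op != OP_EXIT) {
            int64_t rel = (op == OP_JA32) ? p[i].imm : p[i].off;
            int64_t target = (int64_t)i + 1 + rel;
            if (target < 0 || target >= (int64_t)n)
                return -5;                  /* branch leaves the program */
            if (target > 0 && p[target - 1].opcode == OP_LDDW)
                return -6;                  /* branch lands inside an LDDW pair */
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: mov r0, 5; exit */
    struct bpf_insn ok[] = { { 0xb7, 0x00, 0, 5 }, { OP_EXIT, 0, 0, 0 } };
    printf("check = %d\n", bpf_basic_check(ok, sizeof(ok)));
    return 0;
}
```
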