---
title: "eBPF’s Abilities and Limitations: The Truth"
weight: 2
tags:
  - ebpf
---

A talk by Isovalent with a full room (one of the large ones).

## Baseline

* eBPF lets you run custom code in the kernel -> close to the hardware
* Typical use cases: networking, observability, tracing/profiling, security
* Question: Is eBPF Turing complete, and can it be used for more complex scenarios (TLS, L7)?

## eBPF verifier

* The verifier analyzes the program to verify safety
* Principles
  * Read memory only with correct permissions
  * All writes go to valid and safe memory
  * Valid, in-bounds and well-formed control flow
  * On-CPU execution time is bounded: sleeps, scheduled callbacks, iterations, and the program actually completes
  * Acquire/release and reference count semantics

## Demo: Game of Life

* A random Game of Life map
* Implemented as a Tetragon plugin
* Layout: a main control loop that loads the map, generates the next generation, and returns a next-run function
* The timer callback pattern is used for an infinite run

## eBPF limits & workarounds

* Instruction limit, so the verifier can actually verify the program in reasonable time
  * The limit is based on two things: the instruction limit and the verifier step limit
  * Nowadays the limit is 4096 unprivileged calls and 1 million privileged instructions
* Only jump forward -> no loops
  * A basic limitation to ensure no infinite loop can ruin the day
  * Limitation: only a finite number of iterations can be performed
  * Loops: newer versions support loops with an upper bound (`for (x = 0; x < 100; x++)`)
* Is the instruction limit hard?
  * Solution: subprograms (aka functions); the limit applies per function -> `x subprograms = x * limit`
  * Limit: needs real skill
* Programs have to terminate
  * Well, eBPF really only wants the CPU released; the program doesn't have to end per se
  * Iterators: walk arbitrary lists of objects
  * Sleep on page fault or other memory operations
  * Timer callbacks (including a timer of 0 for "run me asap")
* Memory allocation
  * Maps are used as the memory management system

## Result

* You can execute arbitrary tasks via eBPF
* It can be used for HTTP or TLS - it's just not implemented yet™
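To make the control-flow rules from the "limits & workarounds" notes concrete (forward-only jumps, a per-subprogram instruction limit, and splitting work across subprograms to stay under it), here is a toy verifier written for these notes. It is not the kernel's verifier and not the talk's code: the instruction set, the verdict codes, the `INSN_LIMIT` of 6 and the `MAX_CALL_DEPTH` of 4 are all constructed for illustration (the real limits are the ones quoted in the notes above). It shows why a backward jump is rejected, why one oversized subprogram fails while the same work split into two subprograms passes, and how a call-depth bound stops recursion.

```c
#include <stddef.h>

/* Toy instruction set, constructed for this example to model the control-flow
 * rules the talk describes; it is not the real eBPF encoding. */
enum op { OP_ALU, OP_JMP, OP_CALL, OP_EXIT };

struct insn {
    enum op op;
    int arg;  /* OP_JMP: offset from the next instruction; OP_CALL: callee index */
};

struct subprog {
    const struct insn *code;
    size_t len;
};

/* Assumed toy limits; the real kernel limits are far larger. */
#define INSN_LIMIT 6
#define MAX_CALL_DEPTH 4

enum verdict {
    VERDICT_OK = 0,
    VERDICT_TOO_MANY_INSNS = 1,
    VERDICT_BACKWARD_JUMP = 2,
    VERDICT_JUMP_OUT_OF_BOUNDS = 3,
    VERDICT_NO_EXIT = 4,
    VERDICT_BAD_CALLEE = 5,
    VERDICT_CALL_TOO_DEEP = 6,
};

static enum verdict verify_subprog(const struct subprog *progs, size_t nprogs,
                                   size_t idx, int depth)
{
    const struct subprog *p = &progs[idx];

    if (depth > MAX_CALL_DEPTH)
        return VERDICT_CALL_TOO_DEEP;        /* recursion or over-deep nesting */
    if (p->len > INSN_LIMIT)
        return VERDICT_TOO_MANY_INSNS;       /* the limit applies to this subprogram only */
    if (p->len == 0 || p->code[p->len - 1].op != OP_EXIT)
        return VERDICT_NO_EXIT;              /* control must end in an exit */

    for (size_t pc = 0; pc < p->len; pc++) {
        const struct insn *i = &p->code[pc];
        if (i->op == OP_JMP) {
            if (i->arg < 0)
                return VERDICT_BACKWARD_JUMP;        /* a backward jump would form a loop */
            if (pc + 1 + (size_t)i->arg >= p->len)
                return VERDICT_JUMP_OUT_OF_BOUNDS;   /* target must stay inside the subprogram */
        } else if (i->op == OP_CALL) {
            if (i->arg < 0 || (size_t)i->arg >= nprogs)
                return VERDICT_BAD_CALLEE;
            enum verdict v = verify_subprog(progs, nprogs, (size_t)i->arg, depth + 1);
            if (v != VERDICT_OK)
                return v;
        }
    }
    return VERDICT_OK;
}

/* Entry point: subprogram 0 is the main program. */
enum verdict verify_program(const struct subprog *progs, size_t nprogs)
{
    return verify_subprog(progs, nprogs, 0, 0);
}

/* --- constructed sample programs --- */

/* Straight-line code with one forward jump: accepted. */
static const struct insn straight[] = {
    {OP_ALU, 0}, {OP_JMP, 1}, {OP_ALU, 0}, {OP_ALU, 0}, {OP_EXIT, 0},
};
enum verdict check_straight(void)
{
    const struct subprog progs[] = {{straight, 5}};
    return verify_program(progs, 1);
}

/* A backward jump, i.e. a classic loop: rejected. */
static const struct insn loop[] = { {OP_ALU, 0}, {OP_JMP, -2}, {OP_EXIT, 0} };
enum verdict check_loop(void)
{
    const struct subprog progs[] = {{loop, 3}};
    return verify_program(progs, 1);
}

/* Eight instructions in a single subprogram: over the toy limit, rejected. */
static const struct insn big[] = {
    {OP_ALU, 0}, {OP_ALU, 0}, {OP_ALU, 0}, {OP_ALU, 0},
    {OP_ALU, 0}, {OP_ALU, 0}, {OP_ALU, 0}, {OP_EXIT, 0},
};
enum verdict check_big(void)
{
    const struct subprog progs[] = {{big, 8}};
    return verify_program(progs, 1);
}

/* The same work split into main + helper, each under the limit: accepted. */
static const struct insn main_part[] = {
    {OP_ALU, 0}, {OP_ALU, 0}, {OP_ALU, 0}, {OP_CALL, 1}, {OP_EXIT, 0},
};
static const struct insn helper_part[] = {
    {OP_ALU, 0}, {OP_ALU, 0}, {OP_ALU, 0}, {OP_ALU, 0}, {OP_EXIT, 0},
};
enum verdict check_split(void)
{
    const struct subprog progs[] = {{main_part, 5}, {helper_part, 5}};
    return verify_program(progs, 2);
}

/* A subprogram calling itself: rejected through the call-depth bound. */
static const struct insn recursive[] = { {OP_CALL, 0}, {OP_EXIT, 0} };
enum verdict check_recursion(void)
{
    const struct subprog progs[] = {{recursive, 2}};
    return verify_program(progs, 1);
}
```

The `check_big` versus `check_split` pair is the point of the "subprograms" workaround: the helper carries the extra instructions, and each function is checked against its own budget, so the total grows with the number of subprograms. The depth check is the toy counterpart of the guarantee that execution stays bounded even when calls are allowed.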
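The Game of Life demo and the "programs have to terminate" notes describe the same pattern: do one bounded unit of work per invocation, then hand the CPU back and let a timer callback re-arm the program. The following user-space C model, written for these notes and not taken from the Tetragon plugin shown in the talk, expresses that shape: `next_generation` is the bounded work (every loop has a compile-time upper bound, as the verifier requires), `life_timer_cb` is the timer callback whose return value says whether to re-arm, and `run_until_done` stands in for the kernel timer. The 5x5 wrap-around grid, the blinker pattern and `MAX_GENERATIONS` are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define W 5
#define H 5
#define MAX_GENERATIONS 4   /* constructed: number of timer callbacks before we stop re-arming */

struct life {
    unsigned char cells[H][W];
    unsigned generation;
};

/* Count live neighbours on a toroidal grid; both loops have fixed bounds. */
static int count_neighbours(const struct life *l, int y, int x)
{
    int n = 0;
    for (int dy = -1; dy <= 1; dy++)
        for (int dx = -1; dx <= 1; dx++) {
            if (dy == 0 && dx == 0)
                continue;
            int ny = (y + dy + H) % H, nx = (x + dx + W) % W;
            n += l->cells[ny][nx];
        }
    return n;
}

/* One generation: the bounded unit of work done per callback. */
static void next_generation(struct life *l)
{
    unsigned char out[H][W];
    for (int y = 0; y < H; y++)
        for (int x = 0; x < W; x++) {
            int n = count_neighbours(l, y, x);
            out[y][x] = (n == 3 || (n == 2 && l->cells[y][x])) ? 1 : 0;
        }
    memcpy(l->cells, out, sizeof out);
    l->generation++;
}

/* Timer callback: does its bounded work, then returns 1 to re-arm or 0 to stop.
 * Returning is how the program releases the CPU; the run continues on the next timer. */
static int life_timer_cb(struct life *l)
{
    next_generation(l);
    return l->generation < MAX_GENERATIONS;
}

/* Stand-in for the kernel timer: keeps firing while the callback asks to be re-armed. */
static unsigned run_until_done(struct life *l)
{
    while (life_timer_cb(l))
        ;
    return l->generation;
}

/* Constructed start map: a horizontal blinker in the middle row. */
static void load_blinker(struct life *l)
{
    memset(l, 0, sizeof *l);
    l->cells[2][1] = l->cells[2][2] = l->cells[2][3] = 1;
}

static void print_map(const struct life *l)
{
    for (int y = 0; y < H; y++) {
        for (int x = 0; x < W; x++)
            putchar(l->cells[y][x] ? '#' : '.');
        putchar('\n');
    }
}

int main(void)
{
    struct life l;
    load_blinker(&l);
    printf("generation %u\n", l.generation);
    print_map(&l);
    run_until_done(&l);
    printf("generation %u\n", l.generation);
    print_map(&l);
    return 0;
}
```

The blinker flips between horizontal and vertical every generation, so after an even number of callbacks the map is back where it started; that makes the "bounded work, then re-arm" structure easy to check without an unbounded loop anywhere in the program.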