[RFC,00/12] Introduce QEMU userspace ebpf support

Message ID 20220617073630.535914-1-chen.zhang@intel.com (mailing list archive)

Message

Zhang, Chen June 17, 2022, 7:36 a.m. UTC
Hi All,

    The goal of this series is to bring the power of eBPF to QEMU.
It gives QEMU the ability to extend its capabilities without
requiring changes to the source code: one just needs to load the eBPF
binary file, even at VM runtime. There are already some userspace eBPF
implementations, such as Intel DPDK eBPF, Windows eBPF, etc.
The original idea was suggested by Jason Wang.

    eBPF is a revolutionary technology with origins in the Linux kernel
that can run sandboxed programs in an operating system kernel. It is
used to safely and efficiently extend the capabilities of the kernel
without requiring to change kernel source code or load kernel
modules. (from https://ebpf.io/)

    KVM has already benefited from it, but QEMU has not. Hence we want
to bring the power of eBPF to QEMU. It can load a binary eBPF program
even while the VM is running. At the same time, we add some hooks in
QEMU as the userspace eBPF load points, doing things on different layers.

    These are the advantages of kernel eBPF. Most of these functions can be
implemented in QEMU. This series is just a start of the Power of Programmability.

    1). Safety:

    Building on the foundation of seeing and understanding all system
    calls and combining that with a packet and socket-level view of all
    networking operations allows for revolutionary new approaches to
    securing systems.

    2). Tracing & Profiling:

    The ability to attach eBPF programs to trace points as well as kernel
    and user application probe points allows unprecedented visibility into
    the runtime behavior of applications and the system itself.

    3). Networking:

    The combination of programmability and efficiency makes eBPF a natural
    fit for all packet processing requirements of networking solutions.

    4). Observability & Monitoring:

    Instead of relying on static counters and gauges exposed by the
    operating system, eBPF enables the collection & in-kernel aggregation
    of custom metrics and generation of visibility events based on a wide
    range of possible sources.

    The QEMU userspace eBPF design is based on the uBPF project
(https://github.com/iovisor/ubpf), the most mature userspace eBPF
implementation. This project is officially supported by iovisor (like
BCC and bpftrace). It includes an eBPF assembler, disassembler,
interpreter (for all platforms), and JIT compiler (for x86-64 and Arm64
targets). QEMU userspace eBPF includes the uBPF project as a git submodule.

    The current implementation supports loading an eBPF program and
running it in the net/filter-ubpf module; this filter can support any
user-defined rules to handle network packets. At the same time, it's easy
for other developers to use the uBPF infrastructure in QEMU's other
modules through the functions in /ebpf/ubpf.c, and it supports JIT.

    The uBPF license is Apache License 2.0; it is compatible with
QEMU's GPLv2 license, the same as meson.

    TODO: Need to add more comments and test cases for uBPF; the current
implementation does not include an eBPF verifier. But I think maybe it's
not a big problem: the current eBPF load/unload API is exposed by QMP
command. QEMU is a userspace program; if someone wants to hack QEMU, there
is no need to load a malicious uBPF program, they can hack the QEMU code
or crash QEMU on the host directly (different from kernel eBPF, which needs
strict inspection, but yes, it still needs basic checks).

Any comments are welcome.

Thanks
Chen


Zhang Chen (12):
  configure: Add iovisor/ubpf project as a submodule for QEMU
  meson: Add ubpf build config and misc
  ebpf/uBPF: Introduce userspace ebpf data structure
  ebpf/uBPF: Introduce ubpf initialize functions
  ebpf/uBPF: Add qemu_prepare_ubpf to load ebpf binary
  ebpf/uBPF: Add qemu_ubpf_run_once excute real ebpf program
  net/filter: Introduce filter-ubpf module
  qapi: Add FilterUbpfProperties and qemu-options
  softmmu/vl.c: Add filter-ubpf for netdev as other netfilters
  net/filter-ubpf.c: run the ubpf program to handle network packet
  docs/devel: Add userspace-ebpf.rst
  test/qtest: Add ubpf basic test case

 .gitmodules                         |   3 +
 configure                           |  20 +++
 docs/devel/userspace-ebpf.rst       | 106 ++++++++++++++
 ebpf/meson.build                    |   1 +
 ebpf/ubpf-stub.c                    |  35 +++++
 ebpf/ubpf.c                         | 217 ++++++++++++++++++++++++++++
 ebpf/ubpf.h                         |  44 ++++++
 meson.build                         |  47 ++++++
 meson_options.txt                   |   3 +
 net/filter-ubpf.c                   | 185 ++++++++++++++++++++++++
 net/meson.build                     |   1 +
 qapi/qom.json                       |  18 +++
 qemu-options.hx                     |   6 +
 scripts/coverity-scan/COMPONENTS.md |   3 +
 scripts/meson-buildoptions.sh       |   5 +
 softmmu/vl.c                        |   3 +-
 tests/qtest/demo_ubpf.o             | Bin 0 -> 544 bytes
 tests/qtest/integer_5.mem           | Bin 0 -> 4 bytes
 tests/qtest/meson.build             |   3 +-
 tests/qtest/ubpf-test.c             |  64 ++++++++
 ubpf                                |   1 +
 21 files changed, 763 insertions(+), 2 deletions(-)
 create mode 100644 docs/devel/userspace-ebpf.rst
 create mode 100644 ebpf/ubpf-stub.c
 create mode 100644 ebpf/ubpf.c
 create mode 100644 ebpf/ubpf.h
 create mode 100644 net/filter-ubpf.c
 create mode 100644 tests/qtest/demo_ubpf.o
 create mode 100644 tests/qtest/integer_5.mem
 create mode 100644 tests/qtest/ubpf-test.c
 create mode 160000 ubpf
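
The TODO in the cover letter says the series has no eBPF verifier but still needs a basic check. As an added example (not code from this series, QEMU or uBPF), here is a minimal load-time structural check over raw eBPF instructions; `basic_check`, the error names and the sample programs are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One 8-byte eBPF instruction. */
struct insn {
    uint8_t opcode;
    uint8_t regs;  /* low nibble: dst register, high nibble: src register */
    int16_t off;   /* jump offset, relative to the next instruction */
    int32_t imm;
};

enum { OP_JA = 0x05, OP_LDDW = 0x18, OP_CALL = 0x85, OP_EXIT = 0x95,
       MAX_INSNS = 65536 };
enum check { CHECK_OK, ERR_SIZE, ERR_REG, ERR_LDDW, ERR_JUMP, ERR_DIV0,
             ERR_NO_EXIT };

/* Hypothetical helper (not a QEMU or uBPF function): structural checks only.
 * It does not track memory accesses, helper-call arguments or loops, so it
 * is a pre-filter before execution, not a replacement for a verifier. */
enum check basic_check(const struct insn *p, size_t n)
{
    if (p == NULL || n == 0 || n > MAX_INSNS)
        return ERR_SIZE;
    for (size_t i = 0; i < n; i++) {
        uint8_t op = p[i].opcode, cls = op & 0x07;
        if ((p[i].regs & 0x0f) > 10 || (p[i].regs >> 4) > 10)
            return ERR_REG;              /* only r0..r10 exist */
        if (op == OP_LDDW) {             /* 64-bit immediate uses two slots */
            if (i + 1 >= n || p[i + 1].opcode != 0)
                return ERR_LDDW;
            i++;
            continue;
        }
        /* Classes 0x05 (JMP) and 0x06 (JMP32) carry a branch offset. */
        if ((cls == 0x05 || cls == 0x06) && op != OP_CALL && op != OP_EXIT) {
            int64_t target = (int64_t)i + 1 + p[i].off;
            if (target < 0 || target >= (int64_t)n)
                return ERR_JUMP;         /* branch leaves the program */
        }
        if ((op == 0x34 || op == 0x37 || op == 0x94 || op == 0x97) &&
            p[i].imm == 0)
            return ERR_DIV0;             /* div/mod by constant zero */
    }
    return p[n - 1].opcode == OP_EXIT ? CHECK_OK : ERR_NO_EXIT;
}

/* Constructed sample programs. */
static const struct insn prog_ok[]   = { {0xb7, 0x00, 0, 0}, {OP_EXIT, 0, 0, 0} };
static const struct insn prog_jump[] = { {OP_JA, 0x00, 5, 0}, {OP_EXIT, 0, 0, 0} };
static const struct insn prog_reg[]  = { {0xb7, 0x0b, 0, 0}, {OP_EXIT, 0, 0, 0} };
static const struct insn prog_div0[] = { {0x37, 0x00, 0, 0}, {OP_EXIT, 0, 0, 0} };
static const struct insn prog_open[] = { {0xb7, 0x00, 0, 1} };

int main(void)
{
    printf("ok=%d jump=%d reg=%d div0=%d open=%d\n",
           basic_check(prog_ok, 2), basic_check(prog_jump, 2),
           basic_check(prog_reg, 2), basic_check(prog_div0, 2),
           basic_check(prog_open, 1));
    return 0;
}
```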

Comments

Andrew Melnichenko June 29, 2022, 10:43 a.m. UTC | #1
Hi all,
Nice idea.
It would be great if future patches would add the BPF map support (if
uBPF allows it).

Zhang, Chen July 1, 2022, 6:14 a.m. UTC | #2
> -----Original Message-----
> From: Andrew Melnichenko <andrew@daynix.com>
> Sent: Wednesday, June 29, 2022 6:43 PM
> To: Zhang, Chen <chen.zhang@intel.com>
> Cc: Jason Wang <jasowang@redhat.com>; qemu-dev <qemu-
> devel@nongnu.org>; Paolo Bonzini <pbonzini@redhat.com>; Daniel P.
> Berrangé <berrange@redhat.com>; Eduardo Habkost
> <eduardo@habkost.net>; Eric Blake <eblake@redhat.com>; Markus
> Armbruster <armbru@redhat.com>; Peter Maydell
> <peter.maydell@linaro.org>; Thomas Huth <thuth@redhat.com>; Laurent
> Vivier <lvivier@redhat.com>; Yuri Benditovich
> <yuri.benditovich@daynix.com>
> Subject: Re: [RFC PATCH 00/12] Introduce QEMU userspace ebpf support
> 
> Hi all,
> Nice idea.
> It would be great if future patches would add the BPF map support(if uBPF
> allows it).

The BPF map support is very useful, but the current uBPF project doesn't support it yet.
According to the previous discussion with Thomas and Daniel, we should avoid
introducing a new git submodule for QEMU. Related general discussion,
"Why we should avoid new submodules if possible":
https://www.mail-archive.com/qemu-devel@nongnu.org/msg897339.html

I think for future development, we have to submit patches to the uBPF project.

Thanks
Chen
