eBPF for Windows
Loading...
Searching...
No Matches
ebpf_extension.h
Go to the documentation of this file.
1// Copyright (c) eBPF for Windows contributors
2// SPDX-License-Identifier: MIT
3#pragma once
4
5#include "ebpf_result.h"
6#include "ebpf_structs.h"
7#include "ebpf_windows.h"
8
9#define EBPF_MAP_OPERATION_HELPER 0x01 /* Called by a BPF program. When this flag is not set, the provider function is
10 * called in the context of the original user mode process, so the provider may
11 * implicitly use the current process's handle table (e.g., to resolve file
12 * descriptors passed as map values). */
13#define EBPF_MAP_OPERATION_UPDATE 0x02 /* Update operation. */
14#define EBPF_MAP_OPERATION_MAP_CLEANUP 0x04 /* Map cleanup operation. */
15
16typedef ebpf_result_t (*_ebpf_extension_dispatch_function)();
17
18typedef uint64_t epoch_state_t[4];
19
20typedef struct _ebpf_extension_dispatch_table
21{
22 uint16_t version;
23 uint16_t count;
24 _Field_size_(count) _ebpf_extension_dispatch_function function[1];
25} ebpf_extension_dispatch_table_t;
26
39typedef ebpf_result_t (*ebpf_program_invoke_function_t)(
40 _In_ const void* extension_client_binding_context, _Inout_ void* program_context, _Out_ uint32_t* result);
41
53typedef ebpf_result_t (*ebpf_program_batch_begin_invoke_function_t)(
54 size_t state_size, _Out_writes_(state_size) void* state);
55
67typedef ebpf_result_t (*ebpf_program_batch_invoke_function_t)(
68 _In_ const void* extension_client_binding_context,
69 _Inout_ void* program_context,
70 _Out_ uint32_t* result,
71 _In_ const void* state);
72
80typedef ebpf_result_t (*ebpf_program_batch_end_invoke_function_t)(_Inout_ void* state);
81
82typedef enum _ebpf_link_dispatch_table_version
83{
84 EBPF_LINK_DISPATCH_TABLE_VERSION_1 = 1,
85 EBPF_LINK_DISPATCH_TABLE_VERSION_CURRENT =
86 EBPF_LINK_DISPATCH_TABLE_VERSION_1,
87} ebpf_link_dispatch_table_version_t;
88
89#define EBPF_LINK_DISPATCH_TABLE_FUNCTION_COUNT_1 4
90#define EBPF_LINK_DISPATCH_TABLE_FUNCTION_COUNT_CURRENT \
91 EBPF_LINK_DISPATCH_TABLE_FUNCTION_COUNT_1
92
93typedef struct _ebpf_extension_program_dispatch_table
94{
95 uint16_t version;
96 uint16_t count;
97 ebpf_program_invoke_function_t ebpf_program_invoke_function;
98 ebpf_program_batch_begin_invoke_function_t ebpf_program_batch_begin_invoke_function;
99 ebpf_program_batch_invoke_function_t ebpf_program_batch_invoke_function;
107 size_t data_size;
115 bpf_attach_type_t bpf_attach_type;
116 enum bpf_link_type link_type;
117} ebpf_attach_provider_data_t;
118
119/***
120 * The state of the execution context when the eBPF program was invoked.
121 * This is used to cache state that won't change during the execution of
122 * the eBPF program and is expensive to query.
123 */
124typedef struct _ebpf_execution_context_state
125{
126 epoch_state_t epoch_state;
127 union
128 {
129 uint64_t thread;
130 uint32_t cpu;
131 } id;
132 uint8_t current_irql;
133 struct
134 {
135 const void* next_program;
136 uint32_t count;
137 } tail_call_state;
138} ebpf_execution_context_state_t;
139
140#define EBPF_CONTEXT_HEADER uint64_t context_header[8]
141#define EBPF_CONTEXT_HEADER_SIZE (sizeof(uint64_t) * 8)
142
166typedef ebpf_result_t (*ebpf_process_map_create_t)(
167 _In_ void* binding_context,
168 uint32_t map_type,
169 uint32_t key_size,
170 uint32_t value_size,
171 uint32_t max_entries,
172 _Out_ uint32_t* actual_value_size,
173 _Outptr_ void** map_context);
174
181typedef void (*ebpf_process_map_delete_t)(_In_ void* binding_context, _In_ _Post_invalid_ void* map_context);
182
207typedef ebpf_result_t (*ebpf_process_map_find_element_t)(
208 _In_ void* binding_context,
209 _In_ void* map_context,
210 size_t key_size,
211 _In_reads_opt_(key_size) const uint8_t* key,
212 size_t in_value_size,
213 _In_reads_(in_value_size) const uint8_t* in_value,
214 size_t out_value_size,
215 _Out_writes_opt_(out_value_size) uint8_t* out_value,
216 uint32_t flags);
217
243typedef ebpf_result_t (*ebpf_process_map_add_element_t)(
244 _In_ void* binding_context,
245 _In_ void* map_context,
246 size_t key_size,
247 _In_reads_opt_(key_size) const uint8_t* key,
248 size_t in_value_size,
249 _In_reads_(in_value_size) const uint8_t* in_value,
250 size_t out_value_size,
251 _Out_writes_opt_(out_value_size) uint8_t* out_value,
252 uint32_t flags);
253
282typedef ebpf_result_t (*ebpf_process_map_delete_element_t)(
283 _In_ void* binding_context,
284 _In_ void* map_context,
285 size_t key_size,
286 _In_reads_opt_(key_size) const uint8_t* key,
287 size_t value_size,
288 _In_reads_(value_size) const uint8_t* value,
289 uint32_t flags);
290
301typedef ebpf_result_t (*ebpf_map_associate_program_type_t)(
302 _In_ void* binding_context, _In_ void* map_context, _In_ const ebpf_program_type_t* program_type);
303
304typedef struct _ebpf_base_map_provider_properties
305{
306 ebpf_extension_header_t header;
307 bool updates_original_value; // Whether the provider updates the original value during map operations, which
308 // controls whether BPF programs can perform map CRUD operations.
309} ebpf_base_map_provider_properties_t;
310
315typedef struct _ebpf_map_provider_dispatch_table
316{
317 ebpf_extension_header_t header;
318 _Notnull_ ebpf_process_map_create_t process_map_create;
319 _Notnull_ ebpf_process_map_delete_t process_map_delete;
320 _Notnull_ ebpf_map_associate_program_type_t associate_program_function;
321 ebpf_process_map_find_element_t process_map_find_element;
322 ebpf_process_map_add_element_t process_map_add_element;
323 ebpf_process_map_delete_element_t process_map_delete_element;
324} ebpf_base_map_provider_dispatch_table_t;
325
334typedef _Ret_writes_maybenull_(size) void* (*ebpf_epoch_allocate_with_tag_t)(size_t size, uint32_t tag);
335
344typedef _Ret_writes_maybenull_(size) void* (*ebpf_epoch_allocate_cache_aligned_with_tag_t)(size_t size, uint32_t tag);
345
350typedef void (*ebpf_epoch_free_t)(_In_opt_ _Post_invalid_ void* memory);
351
356typedef void (*ebpf_epoch_free_cache_aligned_t)(_In_opt_ _Post_invalid_ void* pointer);
357
362typedef void (*ebpf_epoch_enter_t)(_Out_ void* epoch_state);
363
368typedef void (*ebpf_epoch_exit_t)(_In_ void* epoch_state);
369
381typedef ebpf_result_t (*ebpf_map_find_element_t)(
382 _In_ const void* map, _In_ const uint8_t* key, _Outptr_ uint8_t** value);
383
409typedef struct _ebpf_map_client_dispatch_table
410{
411 ebpf_extension_header_t header;
412 ebpf_map_find_element_t find_element_function;
413 ebpf_epoch_enter_t epoch_enter;
414 ebpf_epoch_exit_t epoch_exit;
415 ebpf_epoch_allocate_with_tag_t epoch_allocate_with_tag;
416 ebpf_epoch_allocate_cache_aligned_with_tag_t epoch_allocate_cache_aligned_with_tag;
417 ebpf_epoch_free_t epoch_free;
418 ebpf_epoch_free_cache_aligned_t epoch_free_cache_aligned;
419} ebpf_base_map_client_dispatch_table_t;
420
424typedef struct _ebpf_map_provider_data
425{
426 ebpf_extension_header_t header;
427 uint32_t map_type;
428 uint32_t base_map_type;
429 ebpf_base_map_provider_properties_t* base_properties;
430 ebpf_base_map_provider_dispatch_table_t* base_provider_table;
431} ebpf_map_provider_data_t;
432
436typedef struct _ebpf_map_client_data
437{
438 ebpf_extension_header_t header;
439 uint64_t map_context_offset;
440 ebpf_base_map_client_dispatch_table_t* base_client_table;
441} ebpf_map_client_data_t;
442
443#define MAP_CONTEXT(map_pointer, offset) ((void**)(((uint8_t*)(map_pointer)) + (offset)))
ebpf_base_map_provider_properties_t
struct _ebpf_base_map_provider_properties ebpf_base_map_provider_properties_t
ebpf_program_batch_begin_invoke_function_t
ebpf_result_t(* ebpf_program_batch_begin_invoke_function_t)(size_t state_size, _Out_writes_(state_size) void *state)
Prepare the eBPF program for batch invocation.
Definition ebpf_extension.h:50
ebpf_attach_provider_data_t
struct _ebpf_attach_provider_data ebpf_attach_provider_data_t
ebpf_process_map_create_t
ebpf_result_t(* ebpf_process_map_create_t)(void *binding_context, uint32_t map_type, uint32_t key_size, uint32_t value_size, uint32_t max_entries, uint32_t *actual_value_size, void **map_context)
Process map creation notification.
Definition ebpf_extension.h:163
ebpf_process_map_delete_element_t
ebpf_result_t(* ebpf_process_map_delete_element_t)(void *binding_context, void *map_context, size_t key_size, _In_reads_opt_(key_size) const uint8_t *key, size_t value_size, _In_reads_(value_size) const uint8_t *value, uint32_t flags)
Delete an element from a provider-backed map.
Definition ebpf_extension.h:279
ebpf_map_find_element_t
ebpf_result_t(* ebpf_map_find_element_t)(const void *map, const uint8_t *key, uint8_t **value)
Find an element in an eBPF map (client/runtime helper version).
Definition ebpf_extension.h:378
ebpf_process_map_find_element_t
ebpf_result_t(* ebpf_process_map_find_element_t)(void *binding_context, void *map_context, size_t key_size, _In_reads_opt_(key_size) const uint8_t *key, size_t in_value_size, _In_reads_(in_value_size) const uint8_t *in_value, size_t out_value_size, _Out_writes_opt_(out_value_size) uint8_t *out_value, uint32_t flags)
Find (lookup) an element in a provider-backed map.
Definition ebpf_extension.h:204
ebpf_base_map_provider_dispatch_table_t
struct _ebpf_map_provider_dispatch_table ebpf_base_map_provider_dispatch_table_t
ebpf_extension_dispatch_table_t
struct _ebpf_extension_dispatch_table ebpf_extension_dispatch_table_t
ebpf_process_map_add_element_t
ebpf_result_t(* ebpf_process_map_add_element_t)(void *binding_context, void *map_context, size_t key_size, _In_reads_opt_(key_size) const uint8_t *key, size_t in_value_size, _In_reads_(in_value_size) const uint8_t *in_value, size_t out_value_size, _Out_writes_opt_(out_value_size) uint8_t *out_value, uint32_t flags)
Add or update (insert/replace) an element in a provider-backed map.
Definition ebpf_extension.h:240
ebpf_epoch_exit_t
void(* ebpf_epoch_exit_t)(void *epoch_state)
Exit an epoch-protected region.
Definition ebpf_extension.h:365
ebpf_epoch_free_t
void(* ebpf_epoch_free_t)(void *memory)
Free memory under epoch control.
Definition ebpf_extension.h:347
ebpf_map_client_data_t
struct _ebpf_map_client_data ebpf_map_client_data_t
Custom map client data.
ebpf_extension_data_t
struct _ebpf_extension_data ebpf_extension_data_t
ebpf_extension_program_dispatch_table_t
struct _ebpf_extension_program_dispatch_table ebpf_extension_program_dispatch_table_t
ebpf_link_dispatch_table_version_t
enum _ebpf_link_dispatch_table_version ebpf_link_dispatch_table_version_t
_ebpf_extension_dispatch_function
ebpf_result_t(* _ebpf_extension_dispatch_function)()
Definition ebpf_extension.h:13
_Ret_writes_maybenull_
typedef _Ret_writes_maybenull_(size) void *(*ebpf_epoch_allocate_with_tag_t)(size_t size
Allocate memory under epoch control.
ebpf_base_map_client_dispatch_table_t
struct _ebpf_map_client_dispatch_table ebpf_base_map_client_dispatch_table_t
ebpf_program_batch_invoke_function_t
ebpf_result_t(* ebpf_program_batch_invoke_function_t)(const void *extension_client_binding_context, _Inout_ void *program_context, uint32_t *result, const void *state)
Invoke the eBPF program in batch mode.
Definition ebpf_extension.h:64
tag
uint32_t tag
Definition ebpf_extension.h:331
ebpf_map_provider_data_t
struct _ebpf_map_provider_data ebpf_map_provider_data_t
Custom map provider data.
ebpf_process_map_delete_t
void(* ebpf_process_map_delete_t)(void *binding_context, void *map_context)
Process a map delete notification.
Definition ebpf_extension.h:178
ebpf_execution_context_state_t
struct _ebpf_execution_context_state ebpf_execution_context_state_t
ebpf_epoch_enter_t
void(* ebpf_epoch_enter_t)(void *epoch_state)
Enter an epoch-protected region.
Definition ebpf_extension.h:359
ebpf_program_batch_end_invoke_function_t
ebpf_result_t(* ebpf_program_batch_end_invoke_function_t)(_Inout_ void *state)
Clean up the eBPF program after batch invocation.
Definition ebpf_extension.h:77
epoch_state_t
uint64_t epoch_state_t[4]
Definition ebpf_extension.h:15
ebpf_map_associate_program_type_t
ebpf_result_t(* ebpf_map_associate_program_type_t)(void *binding_context, void *map_context, const ebpf_program_type_t *program_type)
Associate a program type with the map, which allows the map to be used by programs of that type.
Definition ebpf_extension.h:298
ebpf_program_invoke_function_t
ebpf_result_t(* ebpf_program_invoke_function_t)(const void *extension_client_binding_context, _Inout_ void *program_context, uint32_t *result)
Invoke the eBPF program.
Definition ebpf_extension.h:36
_ebpf_link_dispatch_table_version
_ebpf_link_dispatch_table_version
Definition ebpf_extension.h:80
EBPF_LINK_DISPATCH_TABLE_VERSION_1
@ EBPF_LINK_DISPATCH_TABLE_VERSION_1
Initial version of the dispatch table.
Definition ebpf_extension.h:81
EBPF_LINK_DISPATCH_TABLE_VERSION_CURRENT
@ EBPF_LINK_DISPATCH_TABLE_VERSION_CURRENT
Current version of the dispatch table.
Definition ebpf_extension.h:82
ebpf_epoch_free_cache_aligned_t
void(* ebpf_epoch_free_cache_aligned_t)(void *pointer)
Free memory under epoch control.
Definition ebpf_extension.h:353
ebpf_result.h
ebpf_result_t
enum ebpf_result ebpf_result_t
ebpf_structs.h
This file contains eBPF definitions common to eBPF programs, core execution engine as well as eBPF AP...
bpf_link_type
bpf_link_type
Definition ebpf_structs.h:272
bpf_attach_type_t
enum bpf_attach_type bpf_attach_type_t
Definition ebpf_structs.h:353
ebpf_windows.h
ebpf_program_type_t
GUID ebpf_program_type_t
Definition ebpf_windows.h:61
_ebpf_attach_provider_data
Definition ebpf_extension.h:109
_ebpf_attach_provider_data::header
ebpf_extension_header_t header
Definition ebpf_extension.h:110
_ebpf_attach_provider_data::supported_program_type
ebpf_program_type_t supported_program_type
Definition ebpf_extension.h:111
_ebpf_attach_provider_data::bpf_attach_type
bpf_attach_type_t bpf_attach_type
Definition ebpf_extension.h:112
_ebpf_attach_provider_data::link_type
enum bpf_link_type link_type
Definition ebpf_extension.h:113
_ebpf_base_map_provider_properties
Definition ebpf_extension.h:302
_ebpf_base_map_provider_properties::updates_original_value
bool updates_original_value
Definition ebpf_extension.h:304
_ebpf_base_map_provider_properties::header
ebpf_extension_header_t header
Definition ebpf_extension.h:303
_ebpf_execution_context_state
Definition ebpf_extension.h:122
_ebpf_execution_context_state::id
union _ebpf_execution_context_state::@6 id
_ebpf_execution_context_state::tail_call_state
struct _ebpf_execution_context_state::@7 tail_call_state
_ebpf_execution_context_state::current_irql
uint8_t current_irql
Definition ebpf_extension.h:129
_ebpf_execution_context_state::count
uint32_t count
Definition ebpf_extension.h:133
_ebpf_execution_context_state::epoch_state
epoch_state_t epoch_state
Definition ebpf_extension.h:123
_ebpf_execution_context_state::thread
uint64_t thread
Definition ebpf_extension.h:126
_ebpf_execution_context_state::next_program
const void * next_program
Definition ebpf_extension.h:132
_ebpf_execution_context_state::cpu
uint32_t cpu
Definition ebpf_extension.h:127
_ebpf_extension_data
Definition ebpf_extension.h:101
_ebpf_extension_data::prog_attach_flags
uint64_t prog_attach_flags
Definition ebpf_extension.h:105
_ebpf_extension_data::header
ebpf_extension_header_t header
Definition ebpf_extension.h:102
_ebpf_extension_data::data
const void * data
Definition ebpf_extension.h:103
_ebpf_extension_data::data_size
size_t data_size
Definition ebpf_extension.h:104
_ebpf_extension_dispatch_table
Definition ebpf_extension.h:18
_ebpf_extension_dispatch_table::version
uint16_t version
Version of the dispatch table.
Definition ebpf_extension.h:19
_ebpf_extension_dispatch_table::count
uint16_t count
Number of entries in the dispatch table.
Definition ebpf_extension.h:20
_ebpf_extension_dispatch_table::_Field_size_
_Field_size_(count) _ebpf_extension_dispatch_function function[1]
_ebpf_extension_header
Header of an eBPF extension data structure. Every eBPF extension data structure must start with this ...
Definition ebpf_windows.h:196
_ebpf_extension_program_dispatch_table
Definition ebpf_extension.h:91
_ebpf_extension_program_dispatch_table::ebpf_program_invoke_function
ebpf_program_invoke_function_t ebpf_program_invoke_function
Definition ebpf_extension.h:94
_ebpf_extension_program_dispatch_table::ebpf_program_batch_begin_invoke_function
ebpf_program_batch_begin_invoke_function_t ebpf_program_batch_begin_invoke_function
Definition ebpf_extension.h:95
_ebpf_extension_program_dispatch_table::ebpf_program_batch_end_invoke_function
ebpf_program_batch_end_invoke_function_t ebpf_program_batch_end_invoke_function
Definition ebpf_extension.h:97
_ebpf_extension_program_dispatch_table::version
uint16_t version
Version of the dispatch table.
Definition ebpf_extension.h:92
_ebpf_extension_program_dispatch_table::ebpf_program_batch_invoke_function
ebpf_program_batch_invoke_function_t ebpf_program_batch_invoke_function
Definition ebpf_extension.h:96
_ebpf_extension_program_dispatch_table::count
uint16_t count
Number of entries in the dispatch table.
Definition ebpf_extension.h:93
_ebpf_map_client_data
Custom map client data.
Definition ebpf_extension.h:434
_ebpf_map_client_data::base_client_table
ebpf_base_map_client_dispatch_table_t * base_client_table
Pointer to base map client dispatch table.
Definition ebpf_extension.h:437
_ebpf_map_client_data::map_context_offset
uint64_t map_context_offset
Offset within the map structure where the provider context data is stored.
Definition ebpf_extension.h:436
_ebpf_map_client_data::header
ebpf_extension_header_t header
Standard extension header containing version and size information.
Definition ebpf_extension.h:435
_ebpf_map_client_dispatch_table
Definition ebpf_extension.h:407
_ebpf_map_client_dispatch_table::epoch_free_cache_aligned
ebpf_epoch_free_cache_aligned_t epoch_free_cache_aligned
Definition ebpf_extension.h:415
_ebpf_map_client_dispatch_table::epoch_allocate_cache_aligned_with_tag
ebpf_epoch_allocate_cache_aligned_with_tag_t epoch_allocate_cache_aligned_with_tag
Definition ebpf_extension.h:413
_ebpf_map_client_dispatch_table::epoch_exit
ebpf_epoch_exit_t epoch_exit
Definition ebpf_extension.h:411
_ebpf_map_client_dispatch_table::epoch_enter
ebpf_epoch_enter_t epoch_enter
Definition ebpf_extension.h:410
_ebpf_map_client_dispatch_table::epoch_allocate_with_tag
ebpf_epoch_allocate_with_tag_t epoch_allocate_with_tag
Definition ebpf_extension.h:412
_ebpf_map_client_dispatch_table::epoch_free
ebpf_epoch_free_t epoch_free
Definition ebpf_extension.h:414
_ebpf_map_client_dispatch_table::header
ebpf_extension_header_t header
Definition ebpf_extension.h:408
_ebpf_map_client_dispatch_table::find_element_function
ebpf_map_find_element_t find_element_function
Definition ebpf_extension.h:409
_ebpf_map_provider_data
Custom map provider data.
Definition ebpf_extension.h:422
_ebpf_map_provider_data::header
ebpf_extension_header_t header
Definition ebpf_extension.h:423
_ebpf_map_provider_data::base_provider_table
ebpf_base_map_provider_dispatch_table_t * base_provider_table
Pointer to base map provider dispatch table.
Definition ebpf_extension.h:427
_ebpf_map_provider_data::map_type
uint32_t map_type
Custom map type implemented by the provider.
Definition ebpf_extension.h:424
_ebpf_map_provider_data::base_map_type
uint32_t base_map_type
Base map type used to implement the custom map.
Definition ebpf_extension.h:425
_ebpf_map_provider_data::base_properties
ebpf_base_map_provider_properties_t * base_properties
Base map provider properties.
Definition ebpf_extension.h:426
_ebpf_map_provider_dispatch_table
Definition ebpf_extension.h:313
_ebpf_map_provider_dispatch_table::associate_program_function
_Notnull_ ebpf_map_associate_program_type_t associate_program_function
Definition ebpf_extension.h:317
_ebpf_map_provider_dispatch_table::process_map_delete
_Notnull_ ebpf_process_map_delete_t process_map_delete
Definition ebpf_extension.h:316
_ebpf_map_provider_dispatch_table::process_map_add_element
ebpf_process_map_add_element_t process_map_add_element
Definition ebpf_extension.h:319
_ebpf_map_provider_dispatch_table::process_map_create
_Notnull_ ebpf_process_map_create_t process_map_create
Definition ebpf_extension.h:315
_ebpf_map_provider_dispatch_table::process_map_delete_element
ebpf_process_map_delete_element_t process_map_delete_element
Definition ebpf_extension.h:320
_ebpf_map_provider_dispatch_table::header
ebpf_extension_header_t header
Definition ebpf_extension.h:314
_ebpf_map_provider_dispatch_table::process_map_find_element
ebpf_process_map_find_element_t process_map_find_element
Definition ebpf_extension.h:318
Generated by doxygen 1.9.8