eBPF for Windows
All Data Structures Files Functions Variables Typedefs Enumerations Enumerator Macros Pages
ebpf_windows.h
Go to the documentation of this file.
1// Copyright (c) eBPF for Windows contributors
2// SPDX-License-Identifier: MIT
3#pragma once
4
5#define EBPF_OFFSET_OF(s, m) (((size_t) & ((s*)0)->m))
6#define EBPF_FIELD_SIZE(s, m) (sizeof(((s*)0)->m))
7#define EBPF_SIZE_INCLUDING_FIELD(s, m) (EBPF_OFFSET_OF(s, m) + EBPF_FIELD_SIZE(s, m))
8
9#ifdef _MSC_VER
10#include <guiddef.h>
11#else
12typedef uint8_t GUID[16];
13#endif
14
15#if !defined(NO_CRT) && !defined(_NO_CRT_STDIO_INLINE)
16#include <stdbool.h>
17#include <stddef.h>
18#include <stdint.h>
19#else
20typedef unsigned char uint8_t;
21typedef unsigned short uint16_t;
22typedef unsigned short wchar_t;
23typedef unsigned int uint32_t;
24typedef unsigned long long uint64_t;
25typedef unsigned long long size_t;
26#define bool _Bool
27#endif
28
29// This file contains eBPF definitions needed by eBPF programs as well as
30// the verifier, execution context and extension drivers.
31
32#define EBPF_ROOT_REGISTRY_PATH L"\\Registry\\Machine\\Software\\eBPF"
33#define EBPF_ROOT_RELATIVE_PATH L"Software\\eBPF"
34#define EBPF_STORE_REGISTRY_PATH L"Software\\eBPF\\Providers"
35
36#define EBPF_PROVIDERS_REGISTRY_KEY L"Providers"
37#define EBPF_SECTIONS_REGISTRY_KEY L"SectionData"
38#define EBPF_PROGRAM_DATA_REGISTRY_KEY L"ProgramData"
39#define EBPF_PROGRAM_TYPE_DESCRIPTOR_REGISTRY_KEY L"TypeDescriptor"
40#define EBPF_PROGRAM_DATA_HELPERS_REGISTRY_KEY L"Helpers"
41#define EBPF_GLOBAL_HELPERS_REGISTRY_KEY L"GlobalHelpers"
42
43#define EBPF_EXTENSION_HEADER_VERSION L"Version"
44#define EBPF_EXTENSION_HEADER_SIZE L"Size"
45
46#define EBPF_SECTION_DATA_PROGRAM_TYPE L"ProgramType"
47#define EBPF_SECTION_DATA_ATTACH_TYPE L"AttachType"
48
49#define EBPF_PROGRAM_DATA_NAME L"Name"
50#define EBPF_PROGRAM_DATA_CONTEXT_DESCRIPTOR L"ContextDescriptor"
51#define EBPF_PROGRAM_DATA_PLATFORM_SPECIFIC_DATA L"PlatformSpecificData"
52#define EBPF_PROGRAM_DATA_PRIVILEGED L"IsPrivileged"
53#define EBPF_PROGRAM_DATA_HELPER_COUNT L"HelperCount"
54
55#define EBPF_HELPER_DATA_PROTOTYPE L"Prototype"
56#define EBPF_HELPER_DATA_REALLOCATE_PACKET L"ReallocatePacket"
57
58#define EBPF_DATA_BPF_PROG_TYPE L"BpfProgType"
59#define EBPF_DATA_BPF_ATTACH_TYPE L"BpfAttachType"
60
61typedef GUID ebpf_program_type_t;
62typedef GUID ebpf_attach_type_t;
63
70
71#define EBPF_MAX_GENERAL_HELPER_FUNCTION 0xFFFF
72
73#define EBPF_ATTACH_CLIENT_DATA_CURRENT_VERSION 1
74
75#define EBPF_ATTACH_CLIENT_DATA_VERSION_SIZE EBPF_SIZE_INCLUDING_FIELD(ebpf_extension_data_t, prog_attach_flags)
76#define EBPF_ATTACH_CLIENT_DATA_VERSION_TOTAL_SIZE sizeof(ebpf_extension_data_t)
77#define EBPF_ATTACH_CLIENT_DATA_HEADER_VERSION \
78 { \
79 EBPF_ATTACH_CLIENT_DATA_CURRENT_VERSION, EBPF_ATTACH_CLIENT_DATA_VERSION_SIZE, \
80 EBPF_ATTACH_CLIENT_DATA_VERSION_TOTAL_SIZE \
81 }
82
83// Version 1 of the eBPF extension data structures and their lengths.
84#define EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION 1
85#define EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION_SIZE EBPF_SIZE_INCLUDING_FIELD(ebpf_attach_provider_data_t, link_type)
86#define EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION_TOTAL_SIZE sizeof(ebpf_attach_provider_data_t)
87#define EBPF_ATTACH_PROVIDER_DATA_HEADER \
88 {EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION, \
89 EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION_SIZE, \
90 EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION_TOTAL_SIZE}
91
92#define EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION 1
93#define EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION_SIZE \
94 EBPF_SIZE_INCLUDING_FIELD(ebpf_program_type_descriptor_t, is_privileged)
95#define EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION_TOTAL_SIZE sizeof(ebpf_program_type_descriptor_t)
96#define EBPF_PROGRAM_TYPE_DESCRIPTOR_HEADER \
97 {EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION, \
98 EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION_SIZE, \
99 EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION_TOTAL_SIZE}
100
101#define EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION 1
102#define EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION_SIZE \
103 EBPF_SIZE_INCLUDING_FIELD(ebpf_helper_function_prototype_t, implicit_context)
104#define EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION_TOTAL_SIZE sizeof(ebpf_helper_function_prototype_t)
105#define EBPF_HELPER_FUNCTION_PROTOTYPE_HEADER \
106 {EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION, \
107 EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION_SIZE, \
108 EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION_TOTAL_SIZE}
109
110#define EBPF_PROGRAM_INFORMATION_CURRENT_VERSION 1
111#define EBPF_PROGRAM_INFORMATION_CURRENT_VERSION_SIZE \
112 EBPF_SIZE_INCLUDING_FIELD(ebpf_program_info_t, global_helper_prototype)
113#define EBPF_PROGRAM_INFORMATION_CURRENT_VERSION_TOTAL_SIZE sizeof(ebpf_program_info_t)
114#define EBPF_PROGRAM_INFORMATION_HEADER \
115 {EBPF_PROGRAM_INFORMATION_CURRENT_VERSION, \
116 EBPF_PROGRAM_INFORMATION_CURRENT_VERSION_SIZE, \
117 EBPF_PROGRAM_INFORMATION_CURRENT_VERSION_TOTAL_SIZE}
118
119#define EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION 1
120#define EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION_SIZE \
121 EBPF_SIZE_INCLUDING_FIELD(ebpf_helper_function_addresses_t, helper_function_address)
122#define EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION_TOTAL_SIZE sizeof(ebpf_helper_function_addresses_t)
123#define EBPF_HELPER_FUNCTION_ADDRESSES_HEADER \
124 {EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION, \
125 EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION_SIZE, \
126 EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION_TOTAL_SIZE}
127
128#define EBPF_PROGRAM_DATA_CURRENT_VERSION 1
129#define EBPF_PROGRAM_DATA_CURRENT_VERSION_SIZE EBPF_SIZE_INCLUDING_FIELD(ebpf_program_data_t, capabilities)
130#define EBPF_PROGRAM_DATA_CURRENT_VERSION_TOTAL_SIZE sizeof(ebpf_program_data_t)
131#define EBPF_PROGRAM_DATA_HEADER \
132 {EBPF_PROGRAM_DATA_CURRENT_VERSION, \
133 EBPF_PROGRAM_DATA_CURRENT_VERSION_SIZE, \
134 EBPF_PROGRAM_DATA_CURRENT_VERSION_TOTAL_SIZE}
135
136#define EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION 1
137#define EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION_SIZE \
138 EBPF_SIZE_INCLUDING_FIELD(ebpf_program_section_info_t, bpf_attach_type)
139#define EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION_TOTAL_SIZE sizeof(ebpf_program_section_info_t)
140#define EBPF_PROGRAM_SECTION_INFORMATION_HEADER \
141 {EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION, \
142 EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION_SIZE, \
143 EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION_TOTAL_SIZE}
144
ebpf_attach_type_t
GUID ebpf_attach_type_t
Definition ebpf_windows.h:62
_ebpf_helper_function
_ebpf_helper_function
Definition ebpf_windows.h:65
EBPF_LOOKUP_ELEMENT
@ EBPF_LOOKUP_ELEMENT
Look up a map element.
Definition ebpf_windows.h:66
EBPF_DELETE_ELEMENT
@ EBPF_DELETE_ELEMENT
Delete a map element.
Definition ebpf_windows.h:68
EBPF_UPDATE_ELEMENT
@ EBPF_UPDATE_ELEMENT
Update map element.
Definition ebpf_windows.h:67
ebpf_extension_header_t
struct _ebpf_extension_header ebpf_extension_header_t
Header of an eBPF extension data structure. Every eBPF extension data structure must start with this ...
ebpf_program_type_t
GUID ebpf_program_type_t
Definition ebpf_windows.h:61
GUID
uint8_t GUID[16]
Definition ebpf_windows.h:12
ebpf_helper_function_t
enum _ebpf_helper_function ebpf_helper_function_t
_ebpf_extension_header
Header of an eBPF extension data structure. Every eBPF extension data structure must start with this ...
Definition ebpf_windows.h:153
_ebpf_extension_header::size
size_t size
Size of the extension data structure not including any padding.
Definition ebpf_windows.h:155
_ebpf_extension_header::total_size
size_t total_size
Total size of the extension data structure including any padding.
Definition ebpf_windows.h:156
_ebpf_extension_header::version
uint16_t version
Version of the extension data structure.
Definition ebpf_windows.h:154
Generated by doxygen 1.9.8