eBPF for Windows
ebpf_windows.h
Go to the documentation of this file.
1 // Copyright (c) eBPF for Windows contributors
2 // SPDX-License-Identifier: MIT
3 #pragma once
4 
5 #define EBPF_OFFSET_OF(s, m) (((size_t) & ((s*)0)->m))
6 #define EBPF_FIELD_SIZE(s, m) (sizeof(((s*)0)->m))
7 #define EBPF_SIZE_INCLUDING_FIELD(s, m) (EBPF_OFFSET_OF(s, m) + EBPF_FIELD_SIZE(s, m))
8 
9 #ifdef _MSC_VER
10 #include <guiddef.h>
11 #else
12 typedef uint8_t GUID[16];
13 #endif
14 
15 #if !defined(NO_CRT) && !defined(_NO_CRT_STDIO_INLINE)
16 #include <stdbool.h>
17 #include <stddef.h>
18 #include <stdint.h>
19 #else
20 typedef unsigned char uint8_t;
21 typedef unsigned short uint16_t;
22 typedef unsigned short wchar_t;
23 typedef unsigned int uint32_t;
24 typedef unsigned long long uint64_t;
25 typedef unsigned long long size_t;
26 #define bool _Bool
27 #endif
28 
29 // This file contains eBPF definitions needed by eBPF programs as well as
30 // the verifier, execution context and extension drivers.
31 
32 #define EBPF_ROOT_REGISTRY_PATH L"\\Registry\\Machine\\Software\\eBPF"
33 #define EBPF_ROOT_RELATIVE_PATH L"Software\\eBPF"
34 #define EBPF_STORE_REGISTRY_PATH L"Software\\eBPF\\Providers"
35 
36 #define EBPF_PROVIDERS_REGISTRY_KEY L"Providers"
37 #define EBPF_SECTIONS_REGISTRY_KEY L"SectionData"
38 #define EBPF_PROGRAM_DATA_REGISTRY_KEY L"ProgramData"
39 #define EBPF_PROGRAM_TYPE_DESCRIPTOR_REGISTRY_KEY L"TypeDescriptor"
40 #define EBPF_PROGRAM_DATA_HELPERS_REGISTRY_KEY L"Helpers"
41 #define EBPF_GLOBAL_HELPERS_REGISTRY_KEY L"GlobalHelpers"
42 
43 #define EBPF_EXTENSION_HEADER_VERSION L"Version"
44 #define EBPF_EXTENSION_HEADER_SIZE L"Size"
45 
46 #define EBPF_SECTION_DATA_PROGRAM_TYPE L"ProgramType"
47 #define EBPF_SECTION_DATA_ATTACH_TYPE L"AttachType"
48 
49 #define EBPF_PROGRAM_DATA_NAME L"Name"
50 #define EBPF_PROGRAM_DATA_CONTEXT_DESCRIPTOR L"ContextDescriptor"
51 #define EBPF_PROGRAM_DATA_PLATFORM_SPECIFIC_DATA L"PlatformSpecificData"
52 #define EBPF_PROGRAM_DATA_PRIVILEGED L"IsPrivileged"
53 #define EBPF_PROGRAM_DATA_HELPER_COUNT L"HelperCount"
54 
55 #define EBPF_HELPER_DATA_PROTOTYPE L"Prototype"
56 #define EBPF_HELPER_DATA_REALLOCATE_PACKET L"ReallocatePacket"
57 
58 #define EBPF_DATA_BPF_PROG_TYPE L"BpfProgType"
59 #define EBPF_DATA_BPF_ATTACH_TYPE L"BpfAttachType"
60 
61 typedef GUID ebpf_program_type_t;
62 typedef GUID ebpf_attach_type_t;
63 
64 typedef enum _ebpf_helper_function
65 {
66  EBPF_LOOKUP_ELEMENT = 1,
67  EBPF_UPDATE_ELEMENT = 2,
68  EBPF_DELETE_ELEMENT = 3,
69 } ebpf_helper_function_t;
70 
71 #define EBPF_MAX_GENERAL_HELPER_FUNCTION 0xFFFF
72 
73 #define EBPF_ATTACH_CLIENT_DATA_CURRENT_VERSION 1
74 #define EBPF_PROGRAM_INFORMATION_CLIENT_DATA_CURRENT_VERSION 1
75 
76 // Version 1 of the eBPF extension data structures and their lengths.
77 #define EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION 1
78 #define EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION_SIZE EBPF_SIZE_INCLUDING_FIELD(ebpf_attach_provider_data_t, link_type)
79 #define EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION_TOTAL_SIZE sizeof(ebpf_attach_provider_data_t)
80 #define EBPF_ATTACH_PROVIDER_DATA_HEADER \
81  { \
82  EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION, EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION_SIZE, \
83  EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION_TOTAL_SIZE \
84  }
85 
86 #define EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION 1
87 #define EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION_SIZE \
88  EBPF_SIZE_INCLUDING_FIELD(ebpf_program_type_descriptor_t, is_privileged)
89 #define EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION_TOTAL_SIZE sizeof(ebpf_program_type_descriptor_t)
90 #define EBPF_PROGRAM_TYPE_DESCRIPTOR_HEADER \
91  { \
92  EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION, EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION_SIZE, \
93  EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION_TOTAL_SIZE \
94  }
95 
96 #define EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION 1
97 #define EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION_SIZE \
98  EBPF_SIZE_INCLUDING_FIELD(ebpf_helper_function_prototype_t, implicit_context)
99 #define EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION_TOTAL_SIZE sizeof(ebpf_helper_function_prototype_t)
100 #define EBPF_HELPER_FUNCTION_PROTOTYPE_HEADER \
101  { \
102  EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION, EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION_SIZE, \
103  EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION_TOTAL_SIZE \
104  }
105 
106 #define EBPF_PROGRAM_INFORMATION_CURRENT_VERSION 1
107 #define EBPF_PROGRAM_INFORMATION_CURRENT_VERSION_SIZE \
108  EBPF_SIZE_INCLUDING_FIELD(ebpf_program_info_t, global_helper_prototype)
109 #define EBPF_PROGRAM_INFORMATION_CURRENT_VERSION_TOTAL_SIZE sizeof(ebpf_program_info_t)
110 #define EBPF_PROGRAM_INFORMATION_HEADER \
111  { \
112  EBPF_PROGRAM_INFORMATION_CURRENT_VERSION, EBPF_PROGRAM_INFORMATION_CURRENT_VERSION_SIZE, \
113  EBPF_PROGRAM_INFORMATION_CURRENT_VERSION_TOTAL_SIZE \
114  }
115 
116 #define EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION 1
117 #define EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION_SIZE \
118  EBPF_SIZE_INCLUDING_FIELD(ebpf_helper_function_addresses_t, helper_function_address)
119 #define EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION_TOTAL_SIZE sizeof(ebpf_helper_function_addresses_t)
120 #define EBPF_HELPER_FUNCTION_ADDRESSES_HEADER \
121  { \
122  EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION, EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION_SIZE, \
123  EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION_TOTAL_SIZE \
124  }
125 
126 #define EBPF_PROGRAM_DATA_CURRENT_VERSION 1
127 #define EBPF_PROGRAM_DATA_CURRENT_VERSION_SIZE EBPF_SIZE_INCLUDING_FIELD(ebpf_program_data_t, capabilities)
128 #define EBPF_PROGRAM_DATA_CURRENT_VERSION_TOTAL_SIZE sizeof(ebpf_program_data_t)
129 #define EBPF_PROGRAM_DATA_HEADER \
130  { \
131  EBPF_PROGRAM_DATA_CURRENT_VERSION, EBPF_PROGRAM_DATA_CURRENT_VERSION_SIZE, \
132  EBPF_PROGRAM_DATA_CURRENT_VERSION_TOTAL_SIZE \
133  }
134 
135 #define EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION 1
136 #define EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION_SIZE \
137  EBPF_SIZE_INCLUDING_FIELD(ebpf_program_section_info_t, bpf_attach_type)
138 #define EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION_TOTAL_SIZE sizeof(ebpf_program_section_info_t)
139 #define EBPF_PROGRAM_SECTION_INFORMATION_HEADER \
140  { \
141  EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION, EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION_SIZE, \
142  EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION_TOTAL_SIZE \
143  }
144 
152 typedef struct _ebpf_extension_header
153 {
154  uint16_t version;
155  size_t size;
156  size_t total_size;
157 } ebpf_extension_header_t;
ebpf_attach_type_t
GUID ebpf_attach_type_t
Definition: ebpf_windows.h:62
_ebpf_helper_function
_ebpf_helper_function
Definition: ebpf_windows.h:65
EBPF_LOOKUP_ELEMENT
@ EBPF_LOOKUP_ELEMENT
Look up a map element.
Definition: ebpf_windows.h:66
EBPF_DELETE_ELEMENT
@ EBPF_DELETE_ELEMENT
Delete a map element.
Definition: ebpf_windows.h:68
EBPF_UPDATE_ELEMENT
@ EBPF_UPDATE_ELEMENT
Update map element.
Definition: ebpf_windows.h:67
ebpf_extension_header_t
struct _ebpf_extension_header ebpf_extension_header_t
Header of an eBPF extension data structure. Every eBPF extension data structure must start with this ...
ebpf_program_type_t
GUID ebpf_program_type_t
Definition: ebpf_windows.h:61
GUID
uint8_t GUID[16]
Definition: ebpf_windows.h:12
ebpf_helper_function_t
enum _ebpf_helper_function ebpf_helper_function_t
_ebpf_extension_header
Header of an eBPF extension data structure. Every eBPF extension data structure must start with this ...
Definition: ebpf_windows.h:153
_ebpf_extension_header::size
size_t size
Size of the extension data structure not including any padding.
Definition: ebpf_windows.h:155
_ebpf_extension_header::total_size
size_t total_size
Total size of the extension data structure including any padding.
Definition: ebpf_windows.h:156
_ebpf_extension_header::version
uint16_t version
Version of the extension data structure.
Definition: ebpf_windows.h:154
Generated by doxygen 1.9.1