Linux kernel's eBPF feature put to unexpected new uses

The internal traffic-filtering tool can be used for much more than firewalls

Linux Plumbers Conference The Linux Plumbers Conference in Dublin ends today and some of the talks have revealed interesting new uses for the eBPF functionality.

Several different teams presented tools that all use a part of the kernel originally intended to control packet filtering for new and totally different purposes. Google's ghOSt allows for adjusting process scheduling, while Red Hat's HID-BPF will make it easier to accommodate new input devices.

Both of these use the eBPF facility introduced in kernel 3.18. The Register talked about eBPF when Microsoft introduced its own version for Windows. eBPF gives the kernel an intentionally limited register-based virtual machine, which allows tiny, strictly limited programs to execute inside the kernel itself.

It derives from the 30-year-old Berkeley Packet Filter tool, intended to provide flexible tools for filtering data flowing in and out of the Unix kernel. The Linux extended implementation is more general, and what's interesting about these projects is that they're not directly related to networking, firewalls or packet filtering at all.

Google coder Barret Rhoden's talk introduced the company's ghOSt project, which allows adjustment and control of the kernel's Completely Fair Scheduler (CFS) from programs running in user space – outside the kernel itself.

The tool is divided into two parts: ghOSt kernel and ghOSt userspace. The second link has an overview of what it does. The talk is online, as are the slides [PDF].

Red Hat's Bernard Tissoires introduced HID-BPF, which will allow on-the-fly adjustments to Human Interface Devices (HIDs) without modifying the kernel.

Almost anything that lets you control a computer using a USB device is an HID: pointing devices, keyboards, webcams, styluses, and so on. USB-HID is a very old standard, dating back to Windows 95, and most devices use generic drivers which are very stable and rarely change.

The problem is when a device needs a tweak to one of the generic drivers. Mostly, the changes are very small adjustments, but that still means a custom driver – and that means a kernel rebuild. HID-BPF will allow minor tweaks, such as inverting the X axis, or adjusting a scaling factor, to be done on the fly. The talk is on YouTube and Tissoires' presentation [PDF] explains how it works.

HID-BPF is still a work in progress, and the developers are currently targeting kernel 6.2; the kernel patch was first submitted earlier this year.

The ghOSt facility strikes us as rather niche, although it will probably prove useful to teams building specific Linux-based products. HID-BPF is much more general. It's not a new kind of device driver, so it won't require kernel rebuilds or even a reboot. Once it is included, end users will be able to just copy a tiny file onto their machine, which can customize how an input device works. One example given in the talk allows Microsoft's Surface Dial device to be redefined, on the fly, as a scroll wheel. No software installation or rebooting required.

So far, the WebAssembly tool for cross-platform binaries has received much more coverage. eBPF is superficially comparable, inasmuch as it's a new CPU-independent runtime, but it's a lot smaller, simpler, and more limited… though it has great potential too, and it's good to see some of it being realized. ®

Similar topics


Other stories you might like

Biting the hand that feeds IT © 1998–2022