For USENIX LISA2021 I gave a 40 minute deep dive talk on BPF internals for Linux, focusing on observability tracing tools. Since there are already BPF internals references online (listed in this post) I used the opportunity to create some new content, showing how bpftrace instrumentation works from user space down to machine code. I break it down into all the small components involved, where you'll find it's actually quite easy.
The video is on YouTube:
Thanks to USENIX LISA for not only hosting this talk, but also for suggesting it. Internals talks can feel like they don't have strong takeaways, so I usually share that content in websites and books instead, where people can browse as needed. But other USENIX events have had success with these "Core Principles" topics, so I gave it a try this time. How do you like it? As this is content that otherwise wouldn't exist without USENIX's help, my thanks to everyone who supports USENIX.
Links from my references slide:
- Linux include/uapi/linux/bpf_common.h
- Linux include/uapi/linux/bpf.h
- Linux include/uapi/linux/filter.h
- BPF Performance Tools, Addison-Wesley 2020
Capabilities continue to be added to BPF, so to stay current you will need to keep an eye on updates to the Linux header files listed above. For high-frequency updates you can also subscribe to the bpf-next mailing list, or for low-frequency summaries search for "BPF" in the KernelNewbies summaries.
There is also a substantially different implementation of BPF internals that I didn't cover at all in this talk: eBPF on Windows by Microsoft, only recently made public.