Resources
Source code
eBPF is always evolving, and the kernel documentation is not keeping up. To get a better understanding of eBPF, you should always check out the kernel source code.
Don't panic. Linux source code is neat.
The kernel interpreter:
The kernel verifier:
- The header at linux/bpf_verifier.h
- Most of the code is at kernel/bpf/verifier.c: you might want to start reading at the end of the file where bpf_check lies.
The kernel JIT compilers:
The eBPF VM is actually designed to be RISC, so JIT compilers for RISC architectures can be more understandable (provided that you are willing to learn about them).
The syscall interface:
TIP
When reading lengthy code, an IDE really makes your life better. (I mainly use one to collapse the code I have comprehended.)
Personally I find github.dev satisfactory. For any GitHub URL, replacing github.com with github.dev does the job.
Kernel documentation
TIP
Ongoing efforts to update relevant documentation:
Despite being a little bit outdated, the kernel documentation documents the gist of some decisions and can give you a vague impression of how things work.
- The instruction set "specification" is too incomplete to be a spec but can be a good starting point.
- The verifier documentation provides an overview of the verifier implementation.
- The verifier supports some bounded loops now. Check out the LWN article Bounded loops in BPF for the 5.3 kernel for more details.
- An introduction to BTF introduces you to a format for storing symbol names, function signatures and other debug info.
- man 2 bpf documents some important syscall cmd.
- bpf() subcommand reference seems more complete than the previous one.
Third-party documentation
Third-party documents and blogs are good. Things may change, but the code structure as well as the ABI usually stays the same.
Here is a non-exhaustive list, and you can always search for ones that suit your needs.
- BPF and XDP Reference Guide - Cilium documentation
- A series of blog posts about BPF - Oracle Linux Blog
- Libbpf: A Beginners Guide - ContainIQ
- Understanding struct __sk_buff: Talks about context access conversion
eBPF programming
XDP Programming Hands-On Tutorial: While it focuses on XDP, it covers libbpf usage and some eBPF caveats. If you want to take a glimpse into user space eBPF programming (with libbpf), this is absolutely a good starting point.
The art of writing eBPF programs: a primer: An introduction to writing eBPF programs attaching to trace points.