eBPF
Started 2026-02-24
Marketed as JavaScript for the Kernel, eBPF is a technology that helps extend the Linux kernel without modifying and recompiling the kernel itself. Think of browser plugins.
eBPF is closely related to my research. I intend this section to be a directory of eBPF-related resources with personal notes and explanations.
Documentation
- eBPF documentation from: Linux 6.18 | Latest -- sections include Syscall API, BTF, kfuncs, FAQ, etc.
- eBPF instruction set
Tutorials
- Building BPF applications with libbpf-bootstrap by Andrii Nakryiko -- explains how one could write portable eBPF programs with the help of a scaffolding called libbpf-bootstrap.
eBPF Verifier
The Linux kernel has a component called the eBPF verifier which performs various safety and security checks on eBPF programs before letting them execute in the privileged context of the kernel.
- verifier.c, the main source file of the verifier
- Verifier documentation -- not very organized, but it contains some details on register value tracking, register liveness tracking, pruning, and more. It also contains some examples to help understand the cryptic error messages produced by the verifier, which are often a source of criticism.
- Complexity of the BPF Verifier -- discusses the growth in size and cyclomatic complexity of the verifier over time. Lists the top ten most complex functions (mainly checks) in the verifier.
- [VIDEO] Peeking into the eBPF verifier - Shung-Hsi Yu -- A five-minute presentation by a SuSE engineer with a couple of examples illustrating the type checking and bounds checking performed by the verifier.
Research
- A collection of eBPF-related research papers by an engineer at Cisco/Isovalent