To guarantee safety, each eBPF bytecode program has to be statically verified before execution. We use the Prevail eBPF verifier for this purpose because it is an extensible verifier that can be used in other domains beyond the Linux kernel.
However, we need to extend the verifier to support specific jbpf features. For example, a context is passed every time a hook is called, and this context points to a fixed-size memory buffer. The verifier needs to know about this in order to verify memory access to that buffer from within the codelet. Also, the verifier needs to verify calls to helper functions provided by jbpf, to make sure that the way the parameters are passed matches the function signature.
For this reason, we provide `libjbpf_verifier`, which acts as an extensible wrapper library on top of the Prevail verifier.
This library provides an API call, `jbpf_verify()`, for verification (see here for an example).
We also provide a simple command-line (CLI) tool based on this library.
To see how it works, build the first example, and in the same directory run:
```
$ ../../out/bin/jbpf_verifier_cli example_codelet.o
1,0.153241
Program terminates within 158 instructions
$ echo $?
0
```
The number `1` printed on the screen and the shell exit code `0` signify that the codelet is successfully verified.
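To use this result as a gate in a build or deployment step, the wrapper below (an added example, not part of jbpf) accepts a codelet only when both success indicators described above are present and fails closed on anything else. The `JBPF_VERIFIER_CLI` variable and the function names `verify_codelet` and `verify_all` are assumptions of this example; the default path is the relative one used above.

```shell
#!/bin/sh
# Added example, not part of jbpf. JBPF_VERIFIER_CLI is an assumed override
# variable; its default is the relative path used on this page.
JBPF_VERIFIER_CLI="${JBPF_VERIFIER_CLI:-../../out/bin/jbpf_verifier_cli}"

# verify_codelet FILE
# Returns 0 only if the CLI exits 0 AND the first comma-separated field of
# its first output line is exactly "1". Every other outcome is a rejection,
# so a crash, a changed output format or a missing binary never passes.
verify_codelet() {
    obj="$1"
    [ -f "$obj" ] || { echo "REJECT $obj: no such file" >&2; return 2; }
    # Capture the exit code without tripping "set -e" in a calling script.
    out=$("$JBPF_VERIFIER_CLI" "$obj" 2>&1) && rc=0 || rc=$?
    verdict=$(printf '%s\n' "$out" | head -n 1 | cut -d, -f1)
    if [ "$rc" -eq 0 ] && [ "$verdict" = "1" ]; then
        echo "OK     $obj"
        return 0
    fi
    echo "REJECT $obj: exit=$rc verdict='$verdict'" >&2
    return 1
}

# verify_all FILE...
# Checks every codelet so all failures are reported in one run, then
# returns non-zero if any one of them did not verify.
verify_all() {
    failed=0
    for f in "$@"; do
        verify_codelet "$f" || failed=$((failed + 1))
    done
    [ "$failed" -eq 0 ]
}

# When run as a script with arguments, verify each named codelet.
[ "$#" -eq 0 ] || verify_all "$@"
```

Requiring both the printed `1` and the exit code `0` means that a wrapper or pipeline that swallows the exit status cannot turn a failed verification into an accepted codelet.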
Application developers can introduce new elements that require verifier extensions. This is done through the verifier API, which allows extending the verifier's set of objects: