ePass is an in-kernel LLVM-like compiler framework that introduces an SSA-based intermediate representation (IR) for eBPF programs. It provides a lifter that lifts eBPF bytecode to ePass IR, a pass runner that runs user-defined passes, and a code generator that compiles IR to eBPF bytecode. Users could write flexible passes using our LLVM-like APIs to analyze and manipulate the IR. ePass also provides an in-kernel supervisor that cooperates ePass core with the verifier to improve its flexibility (i.e. reduce false rejections) and safety (i.e. reduce false acceptance at runtime). It could also be used in userspace for testing.
- IR-based compilation: Converts BPF programs to an SSA-based intermediate representation for code rewriting
- Flexible passes: ePass core provides various APIs to analyze and manipulate the IR, allowing users to write flexible passes including static analyzing, runtime checks, and optimization.
- Verifier aware: ePass works with the existing verifier. The verifier is better for static verification while ePass focuses more on code rewriting and runtime verification.
- User-friendly debugging: ePass supports compiling to both kernel and userspace for easier debugging.
⚠️ Warning: ePass is under active development and we are improving its usability and safety for production use. We welcome any suggestions and feedback. Feel free to open issues or contact us.
- Flexible passes for diverse use cases
- Working with existing verifier instead of replacing its
- Keeping kernel safety
- Support both userspace and kernel
- clang >= 17
- Ninja (optional, for faster compilation)
- libbpf
ePass core: the core compiler framework, including a userspace CLIePass kernel: Linux kernel 6.5 with ePass core built-in, along with the kernel component and kernel passesePass libbpf: libbpf with ePass support for userspace ePass testing
There are some testing projects including bpftool, xdp-tools, falcolib in third-party. They depend on ePass libbpf.
There are two ways to use ePass. The first way is to build a linux kernel with ePass builtin, which is used for production. Users could specify ePass options when calling the BPF system call. See Kernel Testing.
The second way is to build ePass in userspace and testing programs without changing the kernel, which is used mainly for testing. Users could specify ePass options via environment variable and use ePass libbpf. Programs will be modified in userspace before sending to the kernel. See Userspace Testing.
We recommend users trying ePass in userspace before switching to the ePass kernel version!
See Testing.
See Development.
Feel free to open an issue for question, bug report or feature request! You could also email xiangyiming2002@gmail.com.
ePass is sponsored by OrderLab from University of Michigan.