The Trojan Horse Inside Linux
In many ways, the extended Berkeley Packet Filter (eBPF) could be a Trojan Horse to the Linux kernel, suggested Daniel Borkmann, Linux kernel engineer at Cilium, in a technical session during the recent KubeCon + CloudNativeCon EU virtual conference. Initially, BPF was accepted into the Linux kernel as a simple tool for packet filtering. Now, though, eBPF looks set to provide an entirely new model, alongside syscalls, for programming the kernel.
When the upgrade was first offered up to the kernel maintainers in 2013, it was rejected for being a big patch bomb, Borkmann recalled. Linus Torvalds himself said that he doesn’t mind “crazy” ideas as long as the contributor has a logical rationale for them. With this in mind, the eBPF designers stepped back and started incrementally, yet significantly, upgrading the kernel’s existing BPF. They heavily extended the instruction set, swapped out the interpreter for a new one altogether, and added a verifier that checks each program is safe for the kernel to run before it is loaded. As a result, eBPF is now a full virtual machine within the kernel itself.
The potential use cases are many. Netflix is using it to run secure programs in the kernel. Cilium itself uses eBPF to offer what it claims is a faster replacement for Kubernetes’ kube-proxy. Borkmann speculates that one day the majority of the functionality now in the kernel will be offloaded to eBPF functions, leaving only a very small, fast microkernel.
If this radical shift does come to pass, it would be a very effective Trojan Horse indeed. When Linus Torvalds first created Linux, Andrew S. Tanenbaum criticized it for its monolithic design. Torvalds stuck by his decision. “I agree that microkernels are nicer,” he admitted, though for practical reasons, namely that the GNU kernel wasn’t ready, he created Linux as a monolith. “Linux wins heavily on points of being available now,” he wrote at the time.
So if eBPF is a Trojan Horse, it may well be a much-needed one.