An eBPF overview, part 2: Machine and bytecode

The eBPF program type supplied at load-time determines exactly what subset of kernel functions are available for calling, as well as what “context” argument gets supplied via r1 at program startup. In the example studied in part 1 of the series, we used some helpful kernel macros to create an eBPF bytecode instruction array using the following structure (all instructions are encoded this way):

Let’s look at the BPF_JMP_IMM instruction, which encodes a conditional jump against an immediate value.

In this part we took a closer look at the eBPF VM registers and instruction set, and we learned how eBPF-accessible kernel functions are called from bytecode and how they are defined by the core kernel via a syscall-like special-purpose API.
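The BPF_JMP_IMM encoding discussed above, as an added example that is not code from the original article or from the kernel tree: it builds the 8-byte instruction and then bounds-checks the jump target, which is one of the properties a loader has to establish before bytecode can be trusted. The field layout and opcode values follow the kernel's `struct bpf_insn` and UAPI headers; the names `insn`, `jmp_imm`, `jmp_target` and `sample_target` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Opcode field values as defined in the kernel UAPI BPF headers. */
#define BPF_JMP   0x05            /* instruction class: low 3 bits */
#define BPF_K     0x00            /* source bit clear: compare against imm */
#define BPF_JA    0x00            /* unconditional jump */
#define BPF_JEQ   0x10            /* jump if dst == imm */
#define BPF_CALL  0x80
#define BPF_EXIT  0x90
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_OP(c)    ((c) & 0xf0)
#define BPF_SRC(c)   ((c) & 0x08)

/* Same field layout as the kernel's struct bpf_insn: 8 bytes each. */
struct insn {
    uint8_t code;        /* class | source bit | operation */
    uint8_t dst_reg : 4; /* r0..r10 */
    uint8_t src_reg : 4;
    int16_t off;         /* jump offset, relative to the next instruction */
    int32_t imm;         /* immediate operand */
};

/* Function form of the kernel's BPF_JMP_IMM(OP, DST, IMM, OFF) macro. */
struct insn jmp_imm(uint8_t op, uint8_t dst, int32_t imm, int16_t off)
{
    struct insn i = { .code = BPF_JMP | BPF_OP(op) | BPF_K,
                      .dst_reg = dst, .src_reg = 0, .off = off, .imm = imm };
    return i;
}

/* Hypothetical check: index reached when the conditional jump at pc is
 * taken, or -1 if it is malformed or the target leaves the program. */
long jmp_target(const struct insn *prog, size_t len, size_t pc)
{
    if (pc >= len) return -1;
    uint8_t c = prog[pc].code, op = BPF_OP(c);
    if (BPF_CLASS(c) != BPF_JMP || BPF_SRC(c) != BPF_K) return -1;
    if (op == BPF_JA || op == BPF_CALL || op == BPF_EXIT || op > 0xd0) return -1;
    if (prog[pc].dst_reg > 10 || prog[pc].src_reg != 0) return -1;
    long t = (long)pc + 1 + prog[pc].off;
    return (t >= 0 && (size_t)t < len) ? t : -1;
}

/* Constructed 3-instruction program: the jump under test, then two exits. */
long sample_target(int16_t off)
{
    struct insn exit_insn = { .code = BPF_JMP | BPF_EXIT };
    struct insn prog[3] = { jmp_imm(BPF_JEQ, 1, 0, off), exit_insn, exit_insn };
    return jmp_target(prog, 3, 0);
}
```

The in-kernel verifier checks far more than this (register state, reachability, helper arguments); the helper here covers only the encoding and the target bounds.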

Source: www.collabora.com