How about a slightly different modification of the Anton's idea.
Suppose that, as before, there is a special map type:
struct {
__uint(type, BPF_MAP_TYPE_ARRAY);
__type(key, __u32);
__type(value, __u32);
__uint(map_flags, BPF_F_STATIC_KEY);
__uint(max_entries, 1);
} skey1 SEC(".maps")
Which is used as below:
__attribute__((naked))
int foo(void) {
asm volatile (
"r0 = %[skey1] ll;"
"if r0 != r0 goto 1f;"
"r1 = r10;"
"r1 += -8;"
"r2 = 1;"
"call %[bpf_trace_printk];"
"1:"
"exit;"
:: __imm_addr(skey1),
__imm(bpf_trace_printk)
: __clobber_all
);
}
Disassembly of section .text:
0000000000000000 <foo>:
0: r0 = 0x0 ll
0000000000000000: R_BPF_64_64 skey1 ;; <---- Map relocation as usual
2: if r0 == r0 goto +0x4 <foo+0x38> ;; <---- Note condition
3: r1 = r10
4: r1 += -0x8
5: r2 = 0x1
6: call 0x6
7: exit
And suppose that verifier is modified in the following ways:
- treat instructions "if rX == rX" / "if rX != rX" (when rX points to
static key map) in a special way:
- when program is verified, the jump is considered non deterministic;
- when program is jitted, the jump is compiled as nop for "!=" and as
unconditional jump for "==";
- build a table of static keys based on a specific map referenced in
condition, e.g. for the example above it can be inferred that insn 2
associates with map skey1 because "r0" points to "skey1";
- jit "rX = <static key> ll;" as nop;
On the plus side:
- any kinds of jump tables are omitted from system call;
- no new instruction is needed;
- almost no modifications to libbpf are necessary (only a helper macro
to convince clang to keep "if rX == rX");
What do you think?
Thanks,
Eduard
