Implementing eBPF for Windows

The primary benefit from subscribing to LWN is helping to keep us publishing, but, beyond that, subscribers get immediate access to all site content and access to a number of extra site features. Please sign up today!

Extended BPF (eBPF), the general-purpose execution engine inside of the Linux kernel, has proved helpful for tracing and monitoring the system, for processing network packets, or generally for extending the behavior of the kernel. So helpful, in fact, that developers working on other operating systems have been watching it. Dave Thaler and Poorna Gaddehosur, on behalf of Microsoft, recently published an implementation of eBPF for Windows. A Linux feature making its way to Windows, in itself, deserves attention. Even more so when that feature has brought new degrees of programmability to the Linux kernel over the last few years. This makes it especially interesting to look at what the new project can do, and to ponder how the current ecosystem might evolve as eBPF begins its journey toward Windows.

Simply named "eBPF for Windows", the project targets Windows 10 and Windows Server 2016 (and later). It is not a fork of the Linux code, presumably to avoid any GPL-related issues. Instead, Windows gets a different implementation, but not from scratch. Microsoft's project relies on pre-existing open-source components; it adds the missing pieces along with the necessary shims to interconnect them and to integrate them with Windows internals. It is available from GitHub as ebpf-for-windows, under the MIT license.

Leave a Comment