1 .. contents::
2 .. sectnum::
3
4 ======================================
5 BPF Instruction Set Architecture (ISA)
6 ======================================
7
8 eBPF, also commonly
9 referred to as BPF, is a technology with origins in the Linux kernel
10 that can run untrusted programs in a privileged context such as an
11 operating system kernel. This document specifies the BPF instruction
12 set architecture (ISA).
13
14 As a historical note, BPF originally stood for Berkeley Packet Filter,
15 but now that it can do so much more than packet filtering, the acronym
16 no longer makes sense. BPF is now considered a standalone term that
17 does not stand for anything. The original BPF is sometimes referred to
18 as cBPF (classic BPF) to distinguish it from the now widely deployed
19 eBPF (extended BPF).
20
21 Documentation conventions
22 =========================
23
24 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
25 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
26 "OPTIONAL" in this document are to be interpreted as described in
27 BCP 14 `<https://www.rfc-editor.org/info/rfc2119>`_
28 `<https://www.rfc-editor.org/info/rfc8174>`_
29 when, and only when, they appear in all capitals, as shown here.
30
31 For brevity and consistency, this document refers to families
32 of types using a shorthand syntax and refers to several expository,
33 mnemonic functions when describing the semantics of instructions.
34 The range of valid values for those types and the semantics of those
35 functions are defined in the following subsections.
36
37 Types
38 -----
39 This document refers to integer types with the notation `SN` to specify
40 a type's signedness (`S`) and bit width (`N`), respectively.
41
42 .. table:: Meaning of signedness notation
43
44 ==== =========
45 S Meaning
46 ==== =========
47 u unsigned
48 s signed
49 ==== =========
50
51 .. table:: Meaning of bit-width notation
52
53 ===== =========
54 N Bit width
55 ===== =========
56 8 8 bits
57 16 16 bits
58 32 32 bits
59 64 64 bits
60 128 128 bits
61 ===== =========
62
63 For example, `u32` is a type whose valid values are all the 32-bit unsigned
64 numbers and `s16` is a type whose valid values are all the 16-bit signed
65 numbers.
66
67 Functions
68 ---------
69
70 The following byteswap functions are direction-agnostic. That is,
71 the same function is used for conversion in either direction discussed
72 below.
73
74 * be16: Takes an unsigned 16-bit number and converts it between
75 host byte order and big-endian
76 (`IEN137 <https://www.rfc-editor.org/ien/ien137.txt>`_) byte order.
77 * be32: Takes an unsigned 32-bit number and converts it between
78 host byte order and big-endian byte order.
79 * be64: Takes an unsigned 64-bit number and converts it between
80 host byte order and big-endian byte order.
81 * bswap16: Takes an unsigned 16-bit number in either big- or little-endian
82 format and returns the equivalent number with the same bit width but
83 opposite endianness.
84 * bswap32: Takes an unsigned 32-bit number in either big- or little-endian
85 format and returns the equivalent number with the same bit width but
86 opposite endianness.
87 * bswap64: Takes an unsigned 64-bit number in either big- or little-endian
88 format and returns the equivalent number with the same bit width but
89 opposite endianness.
90 * le16: Takes an unsigned 16-bit number and converts it between
91 host byte order and little-endian byte order.
92 * le32: Takes an unsigned 32-bit number and converts it between
93 host byte order and little-endian byte order.
94 * le64: Takes an unsigned 64-bit number and converts it between
95 host byte order and little-endian byte order.
96
97 Definitions
98 -----------
99
100 .. glossary::
101
102 Sign Extend
103 To `sign extend an` ``X`` `-bit number, A, to a` ``Y`` `-bit number, B ,` means to
104
105 #. Copy all ``X`` bits from `A` to the lower ``X`` bits of `B`.
106 #. Set the value of the remaining ``Y`` - ``X`` bits of `B` to the value of
107 the most-significant bit of `A`.
108
109 .. admonition:: Example
110
111 Sign extend an 8-bit number ``A`` to a 16-bit number ``B`` on a big-endian platform:
112 ::
113
114 A: 10000110
115 B: 11111111 10000110
116
117 Conformance groups
118 ------------------
119
120 An implementation does not need to support all instructions specified in this
121 document (e.g., deprecated instructions). Instead, a number of conformance
122 groups are specified. An implementation MUST support the base32 conformance
123 group and MAY support additional conformance groups, where supporting a
124 conformance group means it MUST support all instructions in that conformance
125 group.
126
127 The use of named conformance groups enables interoperability between a runtime
128 that executes instructions, and tools such as compilers that generate
129 instructions for the runtime. Thus, capability discovery in terms of
130 conformance groups might be done manually by users or automatically by tools.
131
132 Each conformance group has a short ASCII label (e.g., "base32") that
133 corresponds to a set of instructions that are mandatory. That is, each
134 instruction has one or more conformance groups of which it is a member.
135
136 This document defines the following conformance groups:
137
138 * base32: includes all instructions defined in this
139 specification unless otherwise noted.
140 * base64: includes base32, plus instructions explicitly noted
141 as being in the base64 conformance group.
142 * atomic32: includes 32-bit atomic operation instructions (see `Atomic operations`_).
143 * atomic64: includes atomic32, plus 64-bit atomic operation instructions.
144 * divmul32: includes 32-bit division, multiplication, and modulo instructions.
145 * divmul64: includes divmul32, plus 64-bit division, multiplication,
146 and modulo instructions.
147 * packet: deprecated packet access instructions.
148
149 Instruction encoding
150 ====================
151
152 BPF has two instruction encodings:
153
154 * the basic instruction encoding, which uses 64 bits to encode an instruction
155 * the wide instruction encoding, which appends a second 64 bits
156 after the basic instruction for a total of 128 bits.
157
158 Basic instruction encoding
159 --------------------------
160
161 A basic instruction is encoded as follows::
162
163 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
164 | opcode | regs | offset |
165 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
166 | imm |
167 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
168
169 **opcode**
170 operation to perform, encoded as follows::
171
172 +-+-+-+-+-+-+-+-+
173 |specific |class|
174 +-+-+-+-+-+-+-+-+
175
176 **specific**
177 The format of these bits varies by instruction class
178
179 **class**
180 The instruction class (see `Instruction classes`_)
181
182 **regs**
183 The source and destination register numbers, encoded as follows
184 on a little-endian host::
185
186 +-+-+-+-+-+-+-+-+
187 |src_reg|dst_reg|
188 +-+-+-+-+-+-+-+-+
189
190 and as follows on a big-endian host::
191
192 +-+-+-+-+-+-+-+-+
193 |dst_reg|src_reg|
194 +-+-+-+-+-+-+-+-+
195
196 **src_reg**
197 the source register number (0-10), except where otherwise specified
198 (`64-bit immediate instructions`_ reuse this field for other purposes)
199
200 **dst_reg**
201 destination register number (0-10), unless otherwise specified
202 (future instructions might reuse this field for other purposes)
203
204 **offset**
205 signed integer offset used with pointer arithmetic, except where
206 otherwise specified (some arithmetic instructions reuse this field
207 for other purposes)
208
209 **imm**
210 signed integer immediate value
211
212 Note that the contents of multi-byte fields ('offset' and 'imm') are
213 stored using big-endian byte ordering on big-endian hosts and
214 little-endian byte ordering on little-endian hosts.
215
216 For example::
217
218 opcode offset imm assembly
219 src_reg dst_reg
220 07 0 1 00 00 44 33 22 11 r1 += 0x11223344 // little
221 dst_reg src_reg
222 07 1 0 00 00 11 22 33 44 r1 += 0x11223344 // big
223
224 Note that most instructions do not use all of the fields.
225 Unused fields SHALL be cleared to zero.
226
227 Wide instruction encoding
228 --------------------------
229
230 Some instructions are defined to use the wide instruction encoding,
231 which uses two 32-bit immediate values. The 64 bits following
232 the basic instruction format contain a pseudo instruction
233 with 'opcode', 'dst_reg', 'src_reg', and 'offset' all set to zero.
234
235 This is depicted in the following figure::
236
237 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
238 | opcode | regs | offset |
239 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
240 | imm |
241 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
242 | reserved |
243 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
244 | next_imm |
245 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
246
247 **opcode**
248 operation to perform, encoded as explained above
249
250 **regs**
251 The source and destination register numbers (unless otherwise
252 specified), encoded as explained above
253
254 **offset**
255 signed integer offset used with pointer arithmetic, unless
256 otherwise specified
257
258 **imm**
259 signed integer immediate value
260
261 **reserved**
262 unused, set to zero
263
264 **next_imm**
265 second signed integer immediate value
266
267 Instruction classes
268 -------------------
269
270 The three least significant bits of the 'opcode' field store the instruction class:
271
272 .. table:: Instruction class
273
274 ===== ===== =============================== ===================================
275 class value description reference
276 ===== ===== =============================== ===================================
277 LD 0x0 non-standard load operations `Load and store instructions`_
278 LDX 0x1 load into register operations `Load and store instructions`_
279 ST 0x2 store from immediate operations `Load and store instructions`_
280 STX 0x3 store from register operations `Load and store instructions`_
281 ALU 0x4 32-bit arithmetic operations `Arithmetic and jump instructions`_
282 JMP 0x5 64-bit jump operations `Arithmetic and jump instructions`_
283 JMP32 0x6 32-bit jump operations `Arithmetic and jump instructions`_
284 ALU64 0x7 64-bit arithmetic operations `Arithmetic and jump instructions`_
285 ===== ===== =============================== ===================================
286
287 Arithmetic and jump instructions
288 ================================
289
290 For arithmetic and jump instructions (``ALU``, ``ALU64``, ``JMP`` and
291 ``JMP32``), the 8-bit 'opcode' field is divided into three parts::
292
293 +-+-+-+-+-+-+-+-+
294 | code |s|class|
295 +-+-+-+-+-+-+-+-+
296
297 **code**
298 the operation code, whose meaning varies by instruction class
299
300 **s (source)**
301 the source operand location, which unless otherwise specified is one of:
302
303 .. table:: Source operand location
304
305 ====== ===== ==============================================
306 source value description
307 ====== ===== ==============================================
308 K 0 use 32-bit 'imm' value as source operand
309 X 1 use 'src_reg' register value as source operand
310 ====== ===== ==============================================
311
312 **instruction class**
313 the instruction class (see `Instruction classes`_)
314
315 Arithmetic instructions
316 -----------------------
317
318 ``ALU`` uses 32-bit wide operands while ``ALU64`` uses 64-bit wide operands for
319 otherwise identical operations. ``ALU64`` instructions belong to the
320 base64 conformance group unless noted otherwise.
321 The 'code' field encodes the operation as below, where 'src' refers to the
322 the source operand and 'dst' refers to the value of the destination
323 register.
324
325 .. table:: Arithmetic instructions
326
327 ===== ===== ======= ==========================================================
328 name code offset description
329 ===== ===== ======= ==========================================================
330 ADD 0x0 0 dst += src
331 SUB 0x1 0 dst -= src
332 MUL 0x2 0 dst \*= src
333 DIV 0x3 0 dst = (src != 0) ? (dst / src) : 0
334 SDIV 0x3 1 dst = (src != 0) ? (dst s/ src) : 0
335 OR 0x4 0 dst \|= src
336 AND 0x5 0 dst &= src
337 LSH 0x6 0 dst <<= (src & mask)
338 RSH 0x7 0 dst >>= (src & mask)
339 NEG 0x8 0 dst = -dst
340 MOD 0x9 0 dst = (src != 0) ? (dst % src) : dst
341 SMOD 0x9 1 dst = (src != 0) ? (dst s% src) : dst
342 XOR 0xa 0 dst ^= src
343 MOV 0xb 0 dst = src
344 MOVSX 0xb 8/16/32 dst = (s8,s16,s32)src
345 ARSH 0xc 0 :term:`sign extending<Sign Extend>` dst >>= (src & mask)
346 END 0xd 0 byte swap operations (see `Byte swap instructions`_ below)
347 ===== ===== ======= ==========================================================
348
349 Underflow and overflow are allowed during arithmetic operations, meaning
350 the 64-bit or 32-bit value will wrap. If BPF program execution would
351 result in division by zero, the destination register is instead set to zero.
352 If execution would result in modulo by zero, for ``ALU64`` the value of
353 the destination register is unchanged whereas for ``ALU`` the upper
354 32 bits of the destination register are zeroed.
355
356 ``{ADD, X, ALU}``, where 'code' = ``ADD``, 'source' = ``X``, and 'class' = ``ALU``, means::
357
358 dst = (u32) ((u32) dst + (u32) src)
359
360 where '(u32)' indicates that the upper 32 bits are zeroed.
361
362 ``{ADD, X, ALU64}`` means::
363
364 dst = dst + src
365
366 ``{XOR, K, ALU}`` means::
367
368 dst = (u32) dst ^ (u32) imm
369
370 ``{XOR, K, ALU64}`` means::
371
372 dst = dst ^ imm
373
374 Note that most arithmetic instructions have 'offset' set to 0. Only three instructions
375 (``SDIV``, ``SMOD``, ``MOVSX``) have a non-zero 'offset'.
376
377 Division, multiplication, and modulo operations for ``ALU`` are part
378 of the "divmul32" conformance group, and division, multiplication, and
379 modulo operations for ``ALU64`` are part of the "divmul64" conformance
380 group.
381 The division and modulo operations support both unsigned and signed flavors.
382
383 For unsigned operations (``DIV`` and ``MOD``), for ``ALU``,
384 'imm' is interpreted as a 32-bit unsigned value. For ``ALU64``,
385 'imm' is first :term:`sign extended<Sign Extend>` from 32 to 64 bits, and then
386 interpreted as a 64-bit unsigned value.
387
388 For signed operations (``SDIV`` and ``SMOD``), for ``ALU``,
389 'imm' is interpreted as a 32-bit signed value. For ``ALU64``, 'imm'
390 is first :term:`sign extended<Sign Extend>` from 32 to 64 bits, and then
391 interpreted as a 64-bit signed value.
392
393 Note that there are varying definitions of the signed modulo operation
394 when the dividend or divisor are negative, where implementations often
395 vary by language such that Python, Ruby, etc. differ from C, Go, Java,
396 etc. This specification requires that signed modulo MUST use truncated division
397 (where -13 % 3 == -1) as implemented in C, Go, etc.::
398
399 a % n = a - n * trunc(a / n)
400
401 The ``MOVSX`` instruction does a move operation with sign extension.
402 ``{MOVSX, X, ALU}`` :term:`sign extends<Sign Extend>` 8-bit and 16-bit operands into
403 32-bit operands, and zeroes the remaining upper 32 bits.
404 ``{MOVSX, X, ALU64}`` :term:`sign extends<Sign Extend>` 8-bit, 16-bit, and 32-bit
405 operands into 64-bit operands. Unlike other arithmetic instructions,
406 ``MOVSX`` is only defined for register source operands (``X``).
407
408 ``{MOV, K, ALU64}`` means::
409
410 dst = (s64)imm
411
412 ``{MOV, X, ALU}`` means::
413
414 dst = (u32)src
415
416 ``{MOVSX, X, ALU}`` with 'offset' 8 means::
417
418 dst = (u32)(s32)(s8)src
419
420
421 The ``NEG`` instruction is only defined when the source bit is clear
422 (``K``).
423
424 Shift operations use a mask of 0x3F (63) for 64-bit operations and 0x1F (31)
425 for 32-bit operations.
426
427 Byte swap instructions
428 ----------------------
429
430 The byte swap instructions use instruction classes of ``ALU`` and ``ALU64``
431 and a 4-bit 'code' field of ``END``.
432
433 The byte swap instructions operate on the destination register
434 only and do not use a separate source register or immediate value.
435
436 For ``ALU``, the 1-bit source operand field in the opcode is used to
437 select what byte order the operation converts from or to. For
438 ``ALU64``, the 1-bit source operand field in the opcode is reserved
439 and MUST be set to 0.
440
441 .. table:: Byte swap instructions
442
443 ===== ======== ===== =================================================
444 class source value description
445 ===== ======== ===== =================================================
446 ALU LE 0 convert between host byte order and little endian
447 ALU BE 1 convert between host byte order and big endian
448 ALU64 Reserved 0 do byte swap unconditionally
449 ===== ======== ===== =================================================
450
451 The 'imm' field encodes the width of the swap operations. The following widths
452 are supported: 16, 32 and 64. Width 64 operations belong to the base64
453 conformance group and other swap operations belong to the base32
454 conformance group.
455
456 Examples:
457
458 ``{END, LE, ALU}`` with 'imm' = 16/32/64 means::
459
460 dst = le16(dst)
461 dst = le32(dst)
462 dst = le64(dst)
463
464 ``{END, BE, ALU}`` with 'imm' = 16/32/64 means::
465
466 dst = be16(dst)
467 dst = be32(dst)
468 dst = be64(dst)
469
470 ``{END, TO, ALU64}`` with 'imm' = 16/32/64 means::
471
472 dst = bswap16(dst)
473 dst = bswap32(dst)
474 dst = bswap64(dst)
475
476 Jump instructions
477 -----------------
478
479 ``JMP32`` uses 32-bit wide operands and indicates the base32
480 conformance group, while ``JMP`` uses 64-bit wide operands for
481 otherwise identical operations, and indicates the base64 conformance
482 group unless otherwise specified.
483 The 'code' field encodes the operation as below:
484
485 .. table:: Jump instructions
486
487 ======== ===== ======= ================================= ===================================================
488 code value src_reg description notes
489 ======== ===== ======= ================================= ===================================================
490 JA 0x0 0x0 PC += offset {JA, K, JMP} only
491 JA 0x0 0x0 PC += imm {JA, K, JMP32} only
492 JEQ 0x1 any PC += offset if dst == src
493 JGT 0x2 any PC += offset if dst > src unsigned
494 JGE 0x3 any PC += offset if dst >= src unsigned
495 JSET 0x4 any PC += offset if dst & src
496 JNE 0x5 any PC += offset if dst != src
497 JSGT 0x6 any PC += offset if dst > src signed
498 JSGE 0x7 any PC += offset if dst >= src signed
499 CALL 0x8 0x0 call helper function by static ID {CALL, K, JMP} only, see `Helper functions`_
500 CALL 0x8 0x1 call PC += imm {CALL, K, JMP} only, see `Program-local functions`_
501 CALL 0x8 0x2 call helper function by BTF ID {CALL, K, JMP} only, see `Helper functions`_
502 EXIT 0x9 0x0 return {CALL, K, JMP} only
503 JLT 0xa any PC += offset if dst < src unsigned
504 JLE 0xb any PC += offset if dst <= src unsigned
505 JSLT 0xc any PC += offset if dst < src signed
506 JSLE 0xd any PC += offset if dst <= src signed
507 ======== ===== ======= ================================= ===================================================
508
509 where 'PC' denotes the program counter, and the offset to increment by
510 is in units of 64-bit instructions relative to the instruction following
511 the jump instruction. Thus 'PC += 1' skips execution of the next
512 instruction if it's a basic instruction or results in undefined behavior
513 if the next instruction is a 128-bit wide instruction.
514
515 Example:
516
517 ``{JSGE, X, JMP32}`` means::
518
519 if (s32)dst s>= (s32)src goto +offset
520
521 where 's>=' indicates a signed '>=' comparison.
522
523 ``{JLE, K, JMP}`` means::
524
525 if dst <= (u64)(s64)imm goto +offset
526
527 ``{JA, K, JMP32}`` means::
528
529 gotol +imm
530
531 where 'imm' means the branch offset comes from the 'imm' field.
532
533 Note that there are two flavors of ``JA`` instructions. The
534 ``JMP`` class permits a 16-bit jump offset specified by the 'offset'
535 field, whereas the ``JMP32`` class permits a 32-bit jump offset
536 specified by the 'imm' field. A > 16-bit conditional jump may be
537 converted to a < 16-bit conditional jump plus a 32-bit unconditional
538 jump.
539
540 All ``CALL`` and ``JA`` instructions belong to the
541 base32 conformance group.
542
543 Helper functions
544 ~~~~~~~~~~~~~~~~
545
546 Helper functions are a concept whereby BPF programs can call into a
547 set of function calls exposed by the underlying platform.
548
549 Historically, each helper function was identified by a static ID
550 encoded in the 'imm' field. Further documentation of helper functions
551 is outside the scope of this document and standardization is left for
552 future work, but use is widely deployed and more information can be
553 found in platform-specific documentation (e.g., Linux kernel documentation).
554
555 Platforms that support the BPF Type Format (BTF) support identifying
556 a helper function by a BTF ID encoded in the 'imm' field, where the BTF ID
557 identifies the helper name and type. Further documentation of BTF
558 is outside the scope of this document and standardization is left for
559 future work, but use is widely deployed and more information can be
560 found in platform-specific documentation (e.g., Linux kernel documentation).
561
562 Program-local functions
563 ~~~~~~~~~~~~~~~~~~~~~~~
564 Program-local functions are functions exposed by the same BPF program as the
565 caller, and are referenced by offset from the instruction following the call
566 instruction, similar to ``JA``. The offset is encoded in the 'imm' field of
567 the call instruction. An ``EXIT`` within the program-local function will
568 return to the caller.
569
570 Load and store instructions
571 ===========================
572
573 For load and store instructions (``LD``, ``LDX``, ``ST``, and ``STX``), the
574 8-bit 'opcode' field is divided as follows::
575
576 +-+-+-+-+-+-+-+-+
577 |mode |sz |class|
578 +-+-+-+-+-+-+-+-+
579
580 **mode**
581 The mode modifier is one of:
582
583 .. table:: Mode modifier
584
585 ============= ===== ==================================== =============
586 mode modifier value description reference
587 ============= ===== ==================================== =============
588 IMM 0 64-bit immediate instructions `64-bit immediate instructions`_
589 ABS 1 legacy BPF packet access (absolute) `Legacy BPF Packet access instructions`_
590 IND 2 legacy BPF packet access (indirect) `Legacy BPF Packet access instructions`_
591 MEM 3 regular load and store operations `Regular load and store operations`_
592 MEMSX 4 sign-extension load operations `Sign-extension load operations`_
593 ATOMIC 6 atomic operations `Atomic operations`_
594 ============= ===== ==================================== =============
595
596 **sz (size)**
597 The size modifier is one of:
598
599 .. table:: Size modifier
600
601 ==== ===== =====================
602 size value description
603 ==== ===== =====================
604 W 0 word (4 bytes)
605 H 1 half word (2 bytes)
606 B 2 byte
607 DW 3 double word (8 bytes)
608 ==== ===== =====================
609
610 Instructions using ``DW`` belong to the base64 conformance group.
611
612 **class**
613 The instruction class (see `Instruction classes`_)
614
615 Regular load and store operations
616 ---------------------------------
617
618 The ``MEM`` mode modifier is used to encode regular load and store
619 instructions that transfer data between a register and memory.
620
621 ``{MEM, <size>, STX}`` means::
622
623 *(size *) (dst + offset) = src
624
625 ``{MEM, <size>, ST}`` means::
626
627 *(size *) (dst + offset) = imm
628
629 ``{MEM, <size>, LDX}`` means::
630
631 dst = *(unsigned size *) (src + offset)
632
633 Where '<size>' is one of: ``B``, ``H``, ``W``, or ``DW``, and
634 'unsigned size' is one of: u8, u16, u32, or u64.
635
636 Sign-extension load operations
637 ------------------------------
638
639 The ``MEMSX`` mode modifier is used to encode :term:`sign-extension<Sign Extend>` load
640 instructions that transfer data between a register and memory.
641
642 ``{MEMSX, <size>, LDX}`` means::
643
644 dst = *(signed size *) (src + offset)
645
646 Where '<size>' is one of: ``B``, ``H``, or ``W``, and
647 'signed size' is one of: s8, s16, or s32.
648
649 Atomic operations
650 -----------------
651
652 Atomic operations are operations that operate on memory and can not be
653 interrupted or corrupted by other access to the same memory region
654 by other BPF programs or means outside of this specification.
655
656 All atomic operations supported by BPF are encoded as store operations
657 that use the ``ATOMIC`` mode modifier as follows:
658
659 * ``{ATOMIC, W, STX}`` for 32-bit operations, which are
660 part of the "atomic32" conformance group.
661 * ``{ATOMIC, DW, STX}`` for 64-bit operations, which are
662 part of the "atomic64" conformance group.
663 * 8-bit and 16-bit wide atomic operations are not supported.
664
665 The 'imm' field is used to encode the actual atomic operation.
666 Simple atomic operation use a subset of the values defined to encode
667 arithmetic operations in the 'imm' field to encode the atomic operation:
668
669 .. table:: Simple atomic operations
670
671 ======== ===== ===========
672 imm value description
673 ======== ===== ===========
674 ADD 0x00 atomic add
675 OR 0x40 atomic or
676 AND 0x50 atomic and
677 XOR 0xa0 atomic xor
678 ======== ===== ===========
679
680
681 ``{ATOMIC, W, STX}`` with 'imm' = ADD means::
682
683 *(u32 *)(dst + offset) += src
684
685 ``{ATOMIC, DW, STX}`` with 'imm' = ADD means::
686
687 *(u64 *)(dst + offset) += src
688
689 In addition to the simple atomic operations, there also is a modifier and
690 two complex atomic operations:
691
692 .. table:: Complex atomic operations
693
694 =========== ================ ===========================
695 imm value description
696 =========== ================ ===========================
697 FETCH 0x01 modifier: return old value
698 XCHG 0xe0 | FETCH atomic exchange
699 CMPXCHG 0xf0 | FETCH atomic compare and exchange
700 =========== ================ ===========================
701
702 The ``FETCH`` modifier is optional for simple atomic operations, and
703 always set for the complex atomic operations. If the ``FETCH`` flag
704 is set, then the operation also overwrites ``src`` with the value that
705 was in memory before it was modified.
706
707 The ``XCHG`` operation atomically exchanges ``src`` with the value
708 addressed by ``dst + offset``.
709
710 The ``CMPXCHG`` operation atomically compares the value addressed by
711 ``dst + offset`` with ``R0``. If they match, the value addressed by
712 ``dst + offset`` is replaced with ``src``. In either case, the
713 value that was at ``dst + offset`` before the operation is zero-extended
714 and loaded back to ``R0``.
715
716 64-bit immediate instructions
717 -----------------------------
718
719 Instructions with the ``IMM`` 'mode' modifier use the wide instruction
720 encoding defined in `Instruction encoding`_, and use the 'src_reg' field of the
721 basic instruction to hold an opcode subtype.
722
723 The following table defines a set of ``{IMM, DW, LD}`` instructions
724 with opcode subtypes in the 'src_reg' field, using new terms such as "map"
725 defined further below:
726
727 .. table:: 64-bit immediate instructions
728
729 ======= ========================================= =========== ==============
730 src_reg pseudocode imm type dst type
731 ======= ========================================= =========== ==============
732 0x0 dst = (next_imm << 32) | imm integer integer
733 0x1 dst = map_by_fd(imm) map fd map
734 0x2 dst = map_val(map_by_fd(imm)) + next_imm map fd data address
735 0x3 dst = var_addr(imm) variable id data address
736 0x4 dst = code_addr(imm) integer code address
737 0x5 dst = map_by_idx(imm) map index map
738 0x6 dst = map_val(map_by_idx(imm)) + next_imm map index data address
739 ======= ========================================= =========== ==============
740
741 where
742
743 * map_by_fd(imm) means to convert a 32-bit file descriptor into an address of a map (see `Maps`_)
744 * map_by_idx(imm) means to convert a 32-bit index into an address of a map
745 * map_val(map) gets the address of the first value in a given map
746 * var_addr(imm) gets the address of a platform variable (see `Platform Variables`_) with a given id
747 * code_addr(imm) gets the address of the instruction at a specified relative offset in number of (64-bit) instructions
748 * the 'imm type' can be used by disassemblers for display
749 * the 'dst type' can be used for verification and JIT compilation purposes
750
751 Maps
752 ~~~~
753
754 Maps are shared memory regions accessible by BPF programs on some platforms.
755 A map can have various semantics as defined in a separate document, and may or
756 may not have a single contiguous memory region, but the 'map_val(map)' is
757 currently only defined for maps that do have a single contiguous memory region.
758
759 Each map can have a file descriptor (fd) if supported by the platform, where
760 'map_by_fd(imm)' means to get the map with the specified file descriptor. Each
761 BPF program can also be defined to use a set of maps associated with the
762 program at load time, and 'map_by_idx(imm)' means to get the map with the given
763 index in the set associated with the BPF program containing the instruction.
764
765 Platform Variables
766 ~~~~~~~~~~~~~~~~~~
767
768 Platform variables are memory regions, identified by integer ids, exposed by
769 the runtime and accessible by BPF programs on some platforms. The
770 'var_addr(imm)' operation means to get the address of the memory region
771 identified by the given id.
772
773 Legacy BPF Packet access instructions
774 -------------------------------------
775
776 BPF previously introduced special instructions for access to packet data that were
777 carried over from classic BPF. These instructions used an instruction
778 class of ``LD``, a size modifier of ``W``, ``H``, or ``B``, and a
779 mode modifier of ``ABS`` or ``IND``. The 'dst_reg' and 'offset' fields were
780 set to zero, and 'src_reg' was set to zero for ``ABS``. However, these
781 instructions are deprecated and SHOULD no longer be used. All legacy packet
782 access instructions belong to the "packet" conformance group.
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.