Provided by: linux-tools-common_6.11.0-18.18_all 
NAME
bpftool-gen - tool for BPF code-generation
SYNOPSIS
bpftool [OPTIONS] gen COMMAND
OPTIONS := { { -j | --json } [{ -p | --pretty }] | { -d | --debug } | { -L | --use-loader } }
COMMAND := { object | skeleton | help }
GEN COMMANDS
bpftool gen object OUTPUT_FILE INPUT_FILE [INPUT_FILE...]
bpftool gen skeleton FILE [name OBJECT_NAME]
bpftool gen subskeleton FILE [name OBJECT_NAME]
bpftool gen min_core_btf INPUT OUTPUT OBJECT [OBJECT...]
bpftool gen help
DESCRIPTION
bpftool gen object OUTPUT_FILE INPUT_FILE [INPUT_FILE...]
Statically link (combine) together one or more INPUT_FILE's into a single resulting OUTPUT_FILE.
All the files involved are BPF ELF object files.
The rules of BPF static linking are mostly the same as for user-space object files, but in
addition to combining data and instruction sections, .BTF and .BTF.ext (if present in any of the
input files) data are combined together. .BTF data is deduplicated, so all the common types across
INPUT_FILE's will only be represented once in the resulting BTF information.
BPF static linking allows to partition BPF source code into individually compiled files that are
then linked into a single resulting BPF object file, which can be used to generated BPF skeleton
(with gen skeleton command) or passed directly into libbpf (using bpf_object__open() family of
APIs).
bpftool gen skeleton FILE
Generate BPF skeleton C header file for a given FILE.
BPF skeleton is an alternative interface to existing libbpf APIs for working with BPF objects.
Skeleton code is intended to significantly shorten and simplify code to load and work with BPF
programs from userspace side. Generated code is tailored to specific input BPF object FILE,
reflecting its structure by listing out available maps, program, variables, etc. Skeleton
eliminates the need to lookup mentioned components by name. Instead, if skeleton instantiation
succeeds, they are populated in skeleton structure as valid libbpf types (e.g., struct bpf_map
pointer) and can be passed to existing generic libbpf APIs.
In addition to simple and reliable access to maps and programs, skeleton provides a storage for
BPF links (struct bpf_link) for each BPF program within BPF object. When requested, supported BPF
programs will be automatically attached and resulting BPF links stored for further use by user in
pre-allocated fields in skeleton struct. For BPF programs that can't be automatically attached by
libbpf, user can attach them manually, but store resulting BPF link in per-program link field. All
such set up links will be automatically destroyed on BPF skeleton destruction. This eliminates the
need for users to manage links manually and rely on libbpf support to detach programs and free up
resources.
Another facility provided by BPF skeleton is an interface to global variables of all supported
kinds: mutable, read-only, as well as extern ones. This interface allows to pre-setup initial
values of variables before BPF object is loaded and verified by kernel. For non-read-only
variables, the same interface can be used to fetch values of global variables on userspace side,
even if they are modified by BPF code.
During skeleton generation, contents of source BPF object FILE is embedded within generated code
and is thus not necessary to keep around. This ensures skeleton and BPF object file are matching
1-to-1 and always stay in sync. Generated code is dual-licensed under LGPL-2.1 and BSD-2-Clause
licenses.
It is a design goal and guarantee that skeleton interfaces are interoperable with generic libbpf
APIs. User should always be able to use skeleton API to create and load BPF object, and later use
libbpf APIs to keep working with specific maps, programs, etc.
As part of skeleton, few custom functions are generated. Each of them is prefixed with object
name. Object name can either be derived from object file name, i.e., if BPF object file name is
example.o, BPF object name will be example. Object name can be also specified explicitly through
name OBJECT_NAME parameter. The following custom functions are provided (assuming example as the
object name):
• example__open and example__open_opts. These functions are used to instantiate skeleton. It
corresponds to libbpf's bpf_object__open() API. _opts variants accepts extra
bpf_object_open_opts options.
• example__load. This function creates maps, loads and verifies BPF programs, initializes global
data maps. It corresponds to libppf's bpf_object__load() API.
• example__open_and_load combines example__open and example__load invocations in one commonly used
operation.
• example__attach and example__detach. This pair of functions allow to attach and detach,
correspondingly, already loaded BPF object. Only BPF programs of types supported by libbpf for
auto-attachment will be auto-attached and their corresponding BPF links instantiated. For other
BPF programs, user can manually create a BPF link and assign it to corresponding fields in
skeleton struct. example__detach will detach both links created automatically, as well as those
populated by user manually.
• example__destroy. Detach and unload BPF programs, free up all the resources used by skeleton
and BPF object.
If BPF object has global variables, corresponding structs with memory layout corresponding to
global data data section layout will be created. Currently supported ones are: .data, .bss,
.rodata, and .kconfig structs/data sections. These data sections/structs can be used to set up
initial values of variables, if set before example__load. Afterwards, if target kernel supports
memory-mapped BPF arrays, same structs can be used to fetch and update (non-read-only) data from
userspace, with same simplicity as for BPF side.
bpftool gen subskeleton FILE
Generate BPF subskeleton C header file for a given FILE.
Subskeletons are similar to skeletons, except they do not own the corresponding maps, programs, or
global variables. They require that the object file used to generate them is already loaded into a
bpf_object by some other means.
This functionality is useful when a library is included into a larger BPF program. A subskeleton
for the library would have access to all objects and globals defined in it, without having to know
about the larger program.
Consequently, there are only two functions defined for subskeletons:
• example__open(bpf_object*). Instantiates a subskeleton from an already opened (but not
necessarily loaded) bpf_object.
• example__destroy(). Frees the storage for the subskeleton but does not unload any BPF programs
or maps.
bpftool gen min_core_btf INPUT OUTPUT OBJECT [OBJECT...]
Generate a minimum BTF file as OUTPUT, derived from a given INPUT BTF file, containing all needed
BTF types so one, or more, given eBPF objects CO-RE relocations may be satisfied.
When kernels aren't compiled with CONFIG_DEBUG_INFO_BTF, libbpf, when loading an eBPF object, has
to rely on external BTF files to be able to calculate CO-RE relocations.
Usually, an external BTF file is built from existing kernel DWARF data using pahole. It contains
all the types used by its respective kernel image and, because of that, is big.
The min_core_btf feature builds smaller BTF files, customized to one or multiple eBPF objects, so
they can be distributed together with an eBPF CO-RE based application, turning the application
portable to different kernel versions.
Check examples bellow for more information how to use it.
bpftool gen help
Print short help message.
OPTIONS
-h, --help
Print short help message (similar to bpftool help).
-V, --version
Print bpftool's version number (similar to bpftool version), the number of the libbpf version in
use, and optional features that were included when bpftool was compiled. Optional features include
linking against LLVM or libbfd to provide the disassembler for JIT-ted programs (bpftool prog dump
jited) and usage of BPF skeletons (some features like bpftool prog profile or showing pids
associated to BPF objects may rely on it).
-j, --json
Generate JSON output. For commands that cannot produce JSON, this option has no effect.
-p, --pretty
Generate human-readable JSON output. Implies -j.
-d, --debug
Print all logs available, even debug-level information. This includes logs from libbpf as well as
from the verifier, when attempting to load programs.
-L, --use-loader
For skeletons, generate a "light" skeleton (also known as "loader" skeleton). A light skeleton
contains a loader eBPF program. It does not use the majority of the libbpf infrastructure, and
does not need libelf.
EXAMPLES
$ cat example1.bpf.c
#include <stdbool.h>
#include <linux/ptrace.h>
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
const volatile int param1 = 42;
bool global_flag = true;
struct { int x; } data = {};
SEC("raw_tp/sys_enter")
int handle_sys_enter(struct pt_regs *ctx)
{
static long my_static_var;
if (global_flag)
my_static_var++;
else
data.x += param1;
return 0;
}
$ cat example2.bpf.c
#include <linux/ptrace.h>
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
struct {
__uint(type, BPF_MAP_TYPE_HASH);
__uint(max_entries, 128);
__type(key, int);
__type(value, long);
} my_map SEC(".maps");
SEC("raw_tp/sys_exit")
int handle_sys_exit(struct pt_regs *ctx)
{
int zero = 0;
bpf_map_lookup_elem(&my_map, &zero);
return 0;
}
$ cat example3.bpf.c
#include <linux/ptrace.h>
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
/* This header file is provided by the bpf_testmod module. */
#include "bpf_testmod.h"
int test_2_result = 0;
/* bpf_Testmod.ko calls this function, passing a "4"
* and testmod_map->data.
*/
SEC("struct_ops/test_2")
void BPF_PROG(test_2, int a, int b)
{
test_2_result = a + b;
}
SEC(".struct_ops")
struct bpf_testmod_ops testmod_map = {
.test_2 = (void *)test_2,
.data = 0x1,
};
This is example BPF application with three BPF programs and a mix of BPF maps and global variables.
Source code is split across three source code files.
$ clang --target=bpf -g example1.bpf.c -o example1.bpf.o
$ clang --target=bpf -g example2.bpf.c -o example2.bpf.o
$ clang --target=bpf -g example3.bpf.c -o example3.bpf.o
$ bpftool gen object example.bpf.o example1.bpf.o example2.bpf.o example3.bpf.o
This set of commands compiles example1.bpf.c, example2.bpf.c and example3.bpf.c individually and then
statically links respective object files into the final BPF ELF object file example.bpf.o.
$ bpftool gen skeleton example.bpf.o name example | tee example.skel.h
/* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */
/* THIS FILE IS AUTOGENERATED! */
#ifndef __EXAMPLE_SKEL_H__
#define __EXAMPLE_SKEL_H__
#include <stdlib.h>
#include <bpf/libbpf.h>
struct example {
struct bpf_object_skeleton *skeleton;
struct bpf_object *obj;
struct {
struct bpf_map *rodata;
struct bpf_map *data;
struct bpf_map *bss;
struct bpf_map *my_map;
struct bpf_map *testmod_map;
} maps;
struct {
struct example__testmod_map__bpf_testmod_ops {
const struct bpf_program *test_1;
const struct bpf_program *test_2;
int data;
} *testmod_map;
} struct_ops;
struct {
struct bpf_program *handle_sys_enter;
struct bpf_program *handle_sys_exit;
} progs;
struct {
struct bpf_link *handle_sys_enter;
struct bpf_link *handle_sys_exit;
} links;
struct example__bss {
struct {
int x;
} data;
int test_2_result;
} *bss;
struct example__data {
_Bool global_flag;
long int handle_sys_enter_my_static_var;
} *data;
struct example__rodata {
int param1;
} *rodata;
};
static void example__destroy(struct example *obj);
static inline struct example *example__open_opts(
const struct bpf_object_open_opts *opts);
static inline struct example *example__open();
static inline int example__load(struct example *obj);
static inline struct example *example__open_and_load();
static inline int example__attach(struct example *obj);
static inline void example__detach(struct example *obj);
#endif /* __EXAMPLE_SKEL_H__ */
$ cat example.c
#include "example.skel.h"
int main()
{
struct example *skel;
int err = 0;
skel = example__open();
if (!skel)
goto cleanup;
skel->rodata->param1 = 128;
/* Change the value through the pointer of shadow type */
skel->struct_ops.testmod_map->data = 13;
err = example__load(skel);
if (err)
goto cleanup;
/* The result of the function test_2() */
printf("test_2_result: %d\n", skel->bss->test_2_result);
err = example__attach(skel);
if (err)
goto cleanup;
/* all libbpf APIs are usable */
printf("my_map name: %s\n", bpf_map__name(skel->maps.my_map));
printf("sys_enter prog FD: %d\n",
bpf_program__fd(skel->progs.handle_sys_enter));
/* detach and re-attach sys_exit program */
bpf_link__destroy(skel->links.handle_sys_exit);
skel->links.handle_sys_exit =
bpf_program__attach(skel->progs.handle_sys_exit);
printf("my_static_var: %ld\n",
skel->bss->handle_sys_enter_my_static_var);
cleanup:
example__destroy(skel);
return err;
}
# ./example
test_2_result: 17
my_map name: my_map
sys_enter prog FD: 8
my_static_var: 7
This is a stripped-out version of skeleton generated for above example code.
min_core_btf
$ bpftool btf dump file 5.4.0-example.btf format raw
[1] INT 'long unsigned int' size=8 bits_offset=0 nr_bits=64 encoding=(none)
[2] CONST '(anon)' type_id=1
[3] VOLATILE '(anon)' type_id=1
[4] ARRAY '(anon)' type_id=1 index_type_id=21 nr_elems=2
[5] PTR '(anon)' type_id=8
[6] CONST '(anon)' type_id=5
[7] INT 'char' size=1 bits_offset=0 nr_bits=8 encoding=(none)
[8] CONST '(anon)' type_id=7
[9] INT 'unsigned int' size=4 bits_offset=0 nr_bits=32 encoding=(none)
<long output>
$ bpftool btf dump file one.bpf.o format raw
[1] PTR '(anon)' type_id=2
[2] STRUCT 'trace_event_raw_sys_enter' size=64 vlen=4
'ent' type_id=3 bits_offset=0
'id' type_id=7 bits_offset=64
'args' type_id=9 bits_offset=128
'__data' type_id=12 bits_offset=512
[3] STRUCT 'trace_entry' size=8 vlen=4
'type' type_id=4 bits_offset=0
'flags' type_id=5 bits_offset=16
'preempt_count' type_id=5 bits_offset=24
<long output>
$ bpftool gen min_core_btf 5.4.0-example.btf 5.4.0-smaller.btf one.bpf.o
$ bpftool btf dump file 5.4.0-smaller.btf format raw
[1] TYPEDEF 'pid_t' type_id=6
[2] STRUCT 'trace_event_raw_sys_enter' size=64 vlen=1
'args' type_id=4 bits_offset=128
[3] STRUCT 'task_struct' size=9216 vlen=2
'pid' type_id=1 bits_offset=17920
'real_parent' type_id=7 bits_offset=18048
[4] ARRAY '(anon)' type_id=5 index_type_id=8 nr_elems=6
[5] INT 'long unsigned int' size=8 bits_offset=0 nr_bits=64 encoding=(none)
[6] TYPEDEF '__kernel_pid_t' type_id=8
[7] PTR '(anon)' type_id=3
[8] INT 'int' size=4 bits_offset=0 nr_bits=32 encoding=SIGNED
<end>
Now, the "5.4.0-smaller.btf" file may be used by libbpf as an external BTF file when loading the
"one.bpf.o" object into the "5.4.0-example" kernel. Note that the generated BTF file won't allow other
eBPF objects to be loaded, just the ones given to min_core_btf.
LIBBPF_OPTS(bpf_object_open_opts, opts, .btf_custom_path = "5.4.0-smaller.btf");
struct bpf_object *obj;
obj = bpf_object__open_file("one.bpf.o", &opts);
...
SEE ALSO
bpf(2), bpf-helpers(7), bpftool(8), bpftool-btf(8), bpftool-cgroup(8), bpftool-feature(8), bpftool-iter(8), bpftool-link(8), bpftool-map(8), bpftool-net(8), bpftool-perf(8), bpftool-prog(8), bpftool-struct_ops(8) BPFTOOL-GEN(8)