Date: Sun, 13 Oct 2024 21:26:57 -0400
From: "Kevin P. Neal"
To: "Gavin D. Howard"
Cc: freebsd-arch@freebsd.org, freebsd-hackers@freebsd.org, freebsd-net@freebsd.org, tcpdump-workers@lists.tcpdump.org, tech-net@netbsd.org, Alexander Nasonov
Subject: Re: BPF64: proposal of platform-independent hardware-friendly backwards-compatible eBPF alternative
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

On Tue, Sep 10, 2024 at 02:41:20PM +0000, Gavin D. Howard wrote:
> But the good thing about this is that FreeBSD could use LLVM IR as the
> BPF64 language, which means any language that compiles to LLVM is a
> possible target.

Please don't do this. The LLVM IR language is a moving target. IR that
works in one version is not guaranteed to work in prior versions. There
is an upgrade step where it tries to read in older IR, but writing out
older IR is a problem. It can be solved, I think the DirectX LLVM
backend ("DXIL") does this, but I still suggest you not do this.

> As for restricting access, I think it would be possible to check the
> instructions in LLVM IR for any unsafe instructions or calls to
> restricted functions.
>
> The downsides:
>
> * Someone would need to write an LLVM analyze pass or whatever they're
> called. Maybe more than one.

Close. "Analysis pass".

> * The kernel would need the ability to compile LLVM IR, making LLVM part
> of the Ring 0 domain.
> * Either that, or someone builds an LLVM-to-bytecode translator.
> * But the analysis pass(es) must still live in the kernel.

LLVM is huge. Really huge. A codebase that large has no business being
in the kernel.

--
Kevin P. Neal                                http://www.pobox.com/~kpn/

"14. Re-reading No. 13, I realize that it's quite possible I'm losing
my mind. I'm glad that for the most part I'm not aware it's happening."
   -- from "20 things I'm thankful for": Fortune, Nov 29, 2004, page 230