xref: /linux/Documentation/bpf/btf.rst (revision 5b9b41617bf3e1282cc60f07d3d52e62399aa4ba) 
1=====================
2BPF Type Format (BTF)
3=====================
4
51. Introduction
6===============
7
8BTF (BPF Type Format) is the metadata format which encodes the debug info
9related to BPF program/map. The name BTF was used initially to describe data
10types. The BTF was later extended to include function info for defined
11subroutines, and line info for source/line information.
12
13The debug info is used for map pretty print, function signature, etc. The
14function signature enables better bpf program/function kernel symbol. The line
15info helps generate source annotated translated byte code, jited code and
16verifier log.
17
18The BTF specification contains two parts,
19  * BTF kernel API
20  * BTF ELF file format
21
22The kernel API is the contract between user space and kernel. The kernel
23verifies the BTF info before using it. The ELF file format is a user space
24contract between ELF file and libbpf loader.
25
26The type and string sections are part of the BTF kernel API, describing the
27debug info (mostly types related) referenced by the bpf program. These two
28sections are discussed in details in :ref:`BTF_Type_String`.
29
30.. _BTF_Type_String:
31
322. BTF Type and String Encoding
33===============================
34
35The file ``include/uapi/linux/btf.h`` provides high-level definition of how
36types/strings are encoded.
37
38The beginning of data blob must be::
39
40    struct btf_header {
41        __u16   magic;
42        __u8    version;
43        __u8    flags;
44        __u32   hdr_len;
45
46        /* All offsets are in bytes relative to the end of this header */
47        __u32   type_off;       /* offset of type section       */
48        __u32   type_len;       /* length of type section       */
49        __u32   str_off;        /* offset of string section     */
50        __u32   str_len;        /* length of string section     */
51    };
52
53The magic is ``0xeB9F``, which has different encoding for big and little
54endian systems, and can be used to test whether BTF is generated for big- or
55little-endian target. The ``btf_header`` is designed to be extensible with
56``hdr_len`` equal to ``sizeof(struct btf_header)`` when a data blob is
57generated.
58
592.1 String Encoding
60-------------------
61
62The first string in the string section must be a null string. The rest of
63string table is a concatenation of other null-terminated strings.
64
652.2 Type Encoding
66-----------------
67
68The type id ``0`` is reserved for ``void`` type. The type section is parsed
69sequentially and type id is assigned to each recognized type starting from id
70``1``. Currently, the following types are supported::
71
72    #define BTF_KIND_INT            1       /* Integer      */
73    #define BTF_KIND_PTR            2       /* Pointer      */
74    #define BTF_KIND_ARRAY          3       /* Array        */
75    #define BTF_KIND_STRUCT         4       /* Struct       */
76    #define BTF_KIND_UNION          5       /* Union        */
77    #define BTF_KIND_ENUM           6       /* Enumeration up to 32-bit values */
78    #define BTF_KIND_FWD            7       /* Forward      */
79    #define BTF_KIND_TYPEDEF        8       /* Typedef      */
80    #define BTF_KIND_VOLATILE       9       /* Volatile     */
81    #define BTF_KIND_CONST          10      /* Const        */
82    #define BTF_KIND_RESTRICT       11      /* Restrict     */
83    #define BTF_KIND_FUNC           12      /* Function     */
84    #define BTF_KIND_FUNC_PROTO     13      /* Function Proto       */
85    #define BTF_KIND_VAR            14      /* Variable     */
86    #define BTF_KIND_DATASEC        15      /* Section      */
87    #define BTF_KIND_FLOAT          16      /* Floating point       */
88    #define BTF_KIND_DECL_TAG       17      /* Decl Tag     */
89    #define BTF_KIND_TYPE_TAG       18      /* Type Tag     */
90    #define BTF_KIND_ENUM64         19      /* Enumeration up to 64-bit values */
91
92Note that the type section encodes debug info, not just pure types.
93``BTF_KIND_FUNC`` is not a type, and it represents a defined subprogram.
94
95Each type contains the following common data::
96
97    struct btf_type {
98        __u32 name_off;
99        /* "info" bits arrangement
100         * bits  0-15: vlen (e.g. # of struct's members)
101         * bits 16-23: unused
102         * bits 24-28: kind (e.g. int, ptr, array...etc)
103         * bits 29-30: unused
104         * bit     31: kind_flag, currently used by
105         *             struct, union, fwd, enum and enum64.
106         */
107        __u32 info;
108        /* "size" is used by INT, ENUM, STRUCT, UNION and ENUM64.
109         * "size" tells the size of the type it is describing.
110         *
111         * "type" is used by PTR, TYPEDEF, VOLATILE, CONST, RESTRICT,
112         * FUNC, FUNC_PROTO, DECL_TAG and TYPE_TAG.
113         * "type" is a type_id referring to another type.
114         */
115        union {
116                __u32 size;
117                __u32 type;
118        };
119    };
120
121For certain kinds, the common data are followed by kind-specific data. The
122``name_off`` in ``struct btf_type`` specifies the offset in the string table.
123The following sections detail encoding of each kind.
124
1252.2.1 BTF_KIND_INT
126~~~~~~~~~~~~~~~~~~
127
128``struct btf_type`` encoding requirement:
129 * ``name_off``: any valid offset
130 * ``info.kind_flag``: 0
131 * ``info.kind``: BTF_KIND_INT
132 * ``info.vlen``: 0
133 * ``size``: the size of the int type in bytes.
134
135``btf_type`` is followed by a ``u32`` with the following bits arrangement::
136
137  #define BTF_INT_ENCODING(VAL)   (((VAL) & 0x0f000000) >> 24)
138  #define BTF_INT_OFFSET(VAL)     (((VAL) & 0x00ff0000) >> 16)
139  #define BTF_INT_BITS(VAL)       ((VAL)  & 0x000000ff)
140
141The ``BTF_INT_ENCODING`` has the following attributes::
142
143  #define BTF_INT_SIGNED  (1 << 0)
144  #define BTF_INT_CHAR    (1 << 1)
145  #define BTF_INT_BOOL    (1 << 2)
146
147The ``BTF_INT_ENCODING()`` provides extra information: signedness, char, or
148bool, for the int type. The char and bool encoding are mostly useful for
149pretty print. At most one encoding can be specified for the int type.
150
151The ``BTF_INT_BITS()`` specifies the number of actual bits held by this int
152type. For example, a 4-bit bitfield encodes ``BTF_INT_BITS()`` equals to 4.
153The ``btf_type.size * 8`` must be equal to or greater than ``BTF_INT_BITS()``
154for the type. The maximum value of ``BTF_INT_BITS()`` is 128.
155
156The ``BTF_INT_OFFSET()`` specifies the starting bit offset to calculate values
157for this int. For example, a bitfield struct member has:
158
159 * btf member bit offset 100 from the start of the structure,
160 * btf member pointing to an int type,
161 * the int type has ``BTF_INT_OFFSET() = 2`` and ``BTF_INT_BITS() = 4``
162
163Then in the struct memory layout, this member will occupy ``4`` bits starting
164from bits ``100 + 2 = 102``.
165
166Alternatively, the bitfield struct member can be the following to access the
167same bits as the above:
168
169 * btf member bit offset 102,
170 * btf member pointing to an int type,
171 * the int type has ``BTF_INT_OFFSET() = 0`` and ``BTF_INT_BITS() = 4``
172
173The original intention of ``BTF_INT_OFFSET()`` is to provide flexibility of
174bitfield encoding. Currently, both llvm and pahole generate
175``BTF_INT_OFFSET() = 0`` for all int types.
176
1772.2.2 BTF_KIND_PTR
178~~~~~~~~~~~~~~~~~~
179
180``struct btf_type`` encoding requirement:
181  * ``name_off``: 0
182  * ``info.kind_flag``: 0
183  * ``info.kind``: BTF_KIND_PTR
184  * ``info.vlen``: 0
185  * ``type``: the pointee type of the pointer
186
187No additional type data follow ``btf_type``.
188
1892.2.3 BTF_KIND_ARRAY
190~~~~~~~~~~~~~~~~~~~~
191
192``struct btf_type`` encoding requirement:
193  * ``name_off``: 0
194  * ``info.kind_flag``: 0
195  * ``info.kind``: BTF_KIND_ARRAY
196  * ``info.vlen``: 0
197  * ``size/type``: 0, not used
198
199``btf_type`` is followed by one ``struct btf_array``::
200
201    struct btf_array {
202        __u32   type;
203        __u32   index_type;
204        __u32   nelems;
205    };
206
207The ``struct btf_array`` encoding:
208  * ``type``: the element type
209  * ``index_type``: the index type
210  * ``nelems``: the number of elements for this array (``0`` is also allowed).
211
212The ``index_type`` can be any regular int type (``u8``, ``u16``, ``u32``,
213``u64``, ``unsigned __int128``). The original design of including
214``index_type`` follows DWARF, which has an ``index_type`` for its array type.
215Currently in BTF, beyond type verification, the ``index_type`` is not used.
216
217The ``struct btf_array`` allows chaining through element type to represent
218multidimensional arrays. For example, for ``int a[5][6]``, the following type
219information illustrates the chaining:
220
221  * [1]: int
222  * [2]: array, ``btf_array.type = [1]``, ``btf_array.nelems = 6``
223  * [3]: array, ``btf_array.type = [2]``, ``btf_array.nelems = 5``
224
225Currently, both pahole and llvm collapse multidimensional array into
226one-dimensional array, e.g., for ``a[5][6]``, the ``btf_array.nelems`` is
227equal to ``30``. This is because the original use case is map pretty print
228where the whole array is dumped out so one-dimensional array is enough. As
229more BTF usage is explored, pahole and llvm can be changed to generate proper
230chained representation for multidimensional arrays.
231
2322.2.4 BTF_KIND_STRUCT
233~~~~~~~~~~~~~~~~~~~~~
2342.2.5 BTF_KIND_UNION
235~~~~~~~~~~~~~~~~~~~~
236
237``struct btf_type`` encoding requirement:
238  * ``name_off``: 0 or offset to a valid C identifier
239  * ``info.kind_flag``: 0 or 1
240  * ``info.kind``: BTF_KIND_STRUCT or BTF_KIND_UNION
241  * ``info.vlen``: the number of struct/union members
242  * ``info.size``: the size of the struct/union in bytes
243
244``btf_type`` is followed by ``info.vlen`` number of ``struct btf_member``.::
245
246    struct btf_member {
247        __u32   name_off;
248        __u32   type;
249        __u32   offset;
250    };
251
252``struct btf_member`` encoding:
253  * ``name_off``: offset to a valid C identifier
254  * ``type``: the member type
255  * ``offset``: <see below>
256
257If the type info ``kind_flag`` is not set, the offset contains only bit offset
258of the member. Note that the base type of the bitfield can only be int or enum
259type. If the bitfield size is 32, the base type can be either int or enum
260type. If the bitfield size is not 32, the base type must be int, and int type
261``BTF_INT_BITS()`` encodes the bitfield size.
262
263If the ``kind_flag`` is set, the ``btf_member.offset`` contains both member
264bitfield size and bit offset. The bitfield size and bit offset are calculated
265as below.::
266
267  #define BTF_MEMBER_BITFIELD_SIZE(val)   ((val) >> 24)
268  #define BTF_MEMBER_BIT_OFFSET(val)      ((val) & 0xffffff)
269
270In this case, if the base type is an int type, it must be a regular int type:
271
272  * ``BTF_INT_OFFSET()`` must be 0.
273  * ``BTF_INT_BITS()`` must be equal to ``{1,2,4,8,16} * 8``.
274
275Commit 9d5f9f701b18 introduced ``kind_flag`` and explains why both modes
276exist.
277
2782.2.6 BTF_KIND_ENUM
279~~~~~~~~~~~~~~~~~~~
280
281``struct btf_type`` encoding requirement:
282  * ``name_off``: 0 or offset to a valid C identifier
283  * ``info.kind_flag``: 0 for unsigned, 1 for signed
284  * ``info.kind``: BTF_KIND_ENUM
285  * ``info.vlen``: number of enum values
286  * ``size``: 1/2/4/8
287
288``btf_type`` is followed by ``info.vlen`` number of ``struct btf_enum``.::
289
290    struct btf_enum {
291        __u32   name_off;
292        __s32   val;
293    };
294
295The ``btf_enum`` encoding:
296  * ``name_off``: offset to a valid C identifier
297  * ``val``: any value
298
299If the original enum value is signed and the size is less than 4,
300that value will be sign extended into 4 bytes. If the size is 8,
301the value will be truncated into 4 bytes.
302
3032.2.7 BTF_KIND_FWD
304~~~~~~~~~~~~~~~~~~
305
306``struct btf_type`` encoding requirement:
307  * ``name_off``: offset to a valid C identifier
308  * ``info.kind_flag``: 0 for struct, 1 for union
309  * ``info.kind``: BTF_KIND_FWD
310  * ``info.vlen``: 0
311  * ``type``: 0
312
313No additional type data follow ``btf_type``.
314
3152.2.8 BTF_KIND_TYPEDEF
316~~~~~~~~~~~~~~~~~~~~~~
317
318``struct btf_type`` encoding requirement:
319  * ``name_off``: offset to a valid C identifier
320  * ``info.kind_flag``: 0
321  * ``info.kind``: BTF_KIND_TYPEDEF
322  * ``info.vlen``: 0
323  * ``type``: the type which can be referred by name at ``name_off``
324
325No additional type data follow ``btf_type``.
326
3272.2.9 BTF_KIND_VOLATILE
328~~~~~~~~~~~~~~~~~~~~~~~
329
330``struct btf_type`` encoding requirement:
331  * ``name_off``: 0
332  * ``info.kind_flag``: 0
333  * ``info.kind``: BTF_KIND_VOLATILE
334  * ``info.vlen``: 0
335  * ``type``: the type with ``volatile`` qualifier
336
337No additional type data follow ``btf_type``.
338
3392.2.10 BTF_KIND_CONST
340~~~~~~~~~~~~~~~~~~~~~
341
342``struct btf_type`` encoding requirement:
343  * ``name_off``: 0
344  * ``info.kind_flag``: 0
345  * ``info.kind``: BTF_KIND_CONST
346  * ``info.vlen``: 0
347  * ``type``: the type with ``const`` qualifier
348
349No additional type data follow ``btf_type``.
350
3512.2.11 BTF_KIND_RESTRICT
352~~~~~~~~~~~~~~~~~~~~~~~~
353
354``struct btf_type`` encoding requirement:
355  * ``name_off``: 0
356  * ``info.kind_flag``: 0
357  * ``info.kind``: BTF_KIND_RESTRICT
358  * ``info.vlen``: 0
359  * ``type``: the type with ``restrict`` qualifier
360
361No additional type data follow ``btf_type``.
362
3632.2.12 BTF_KIND_FUNC
364~~~~~~~~~~~~~~~~~~~~
365
366``struct btf_type`` encoding requirement:
367  * ``name_off``: offset to a valid C identifier
368  * ``info.kind_flag``: 0
369  * ``info.kind``: BTF_KIND_FUNC
370  * ``info.vlen``: linkage information (BTF_FUNC_STATIC, BTF_FUNC_GLOBAL
371                   or BTF_FUNC_EXTERN)
372  * ``type``: a BTF_KIND_FUNC_PROTO type
373
374No additional type data follow ``btf_type``.
375
376A BTF_KIND_FUNC defines not a type, but a subprogram (function) whose
377signature is defined by ``type``. The subprogram is thus an instance of that
378type. The BTF_KIND_FUNC may in turn be referenced by a func_info in the
379:ref:`BTF_Ext_Section` (ELF) or in the arguments to :ref:`BPF_Prog_Load`
380(ABI).
381
382Currently, only linkage values of BTF_FUNC_STATIC and BTF_FUNC_GLOBAL are
383supported in the kernel.
384
3852.2.13 BTF_KIND_FUNC_PROTO
386~~~~~~~~~~~~~~~~~~~~~~~~~~
387
388``struct btf_type`` encoding requirement:
389  * ``name_off``: 0
390  * ``info.kind_flag``: 0
391  * ``info.kind``: BTF_KIND_FUNC_PROTO
392  * ``info.vlen``: # of parameters
393  * ``type``: the return type
394
395``btf_type`` is followed by ``info.vlen`` number of ``struct btf_param``.::
396
397    struct btf_param {
398        __u32   name_off;
399        __u32   type;
400    };
401
402If a BTF_KIND_FUNC_PROTO type is referred by a BTF_KIND_FUNC type, then
403``btf_param.name_off`` must point to a valid C identifier except for the
404possible last argument representing the variable argument. The btf_param.type
405refers to parameter type.
406
407If the function has variable arguments, the last parameter is encoded with
408``name_off = 0`` and ``type = 0``.
409
4102.2.14 BTF_KIND_VAR
411~~~~~~~~~~~~~~~~~~~
412
413``struct btf_type`` encoding requirement:
414  * ``name_off``: offset to a valid C identifier
415  * ``info.kind_flag``: 0
416  * ``info.kind``: BTF_KIND_VAR
417  * ``info.vlen``: 0
418  * ``type``: the type of the variable
419
420``btf_type`` is followed by a single ``struct btf_variable`` with the
421following data::
422
423    struct btf_var {
424        __u32   linkage;
425    };
426
427``struct btf_var`` encoding:
428  * ``linkage``: currently only static variable 0, or globally allocated
429                 variable in ELF sections 1
430
431Not all type of global variables are supported by LLVM at this point.
432The following is currently available:
433
434  * static variables with or without section attributes
435  * global variables with section attributes
436
437The latter is for future extraction of map key/value type id's from a
438map definition.
439
4402.2.15 BTF_KIND_DATASEC
441~~~~~~~~~~~~~~~~~~~~~~~
442
443``struct btf_type`` encoding requirement:
444  * ``name_off``: offset to a valid name associated with a variable or
445                  one of .data/.bss/.rodata
446  * ``info.kind_flag``: 0
447  * ``info.kind``: BTF_KIND_DATASEC
448  * ``info.vlen``: # of variables
449  * ``size``: total section size in bytes (0 at compilation time, patched
450              to actual size by BPF loaders such as libbpf)
451
452``btf_type`` is followed by ``info.vlen`` number of ``struct btf_var_secinfo``.::
453
454    struct btf_var_secinfo {
455        __u32   type;
456        __u32   offset;
457        __u32   size;
458    };
459
460``struct btf_var_secinfo`` encoding:
461  * ``type``: the type of the BTF_KIND_VAR variable
462  * ``offset``: the in-section offset of the variable
463  * ``size``: the size of the variable in bytes
464
4652.2.16 BTF_KIND_FLOAT
466~~~~~~~~~~~~~~~~~~~~~
467
468``struct btf_type`` encoding requirement:
469 * ``name_off``: any valid offset
470 * ``info.kind_flag``: 0
471 * ``info.kind``: BTF_KIND_FLOAT
472 * ``info.vlen``: 0
473 * ``size``: the size of the float type in bytes: 2, 4, 8, 12 or 16.
474
475No additional type data follow ``btf_type``.
476
4772.2.17 BTF_KIND_DECL_TAG
478~~~~~~~~~~~~~~~~~~~~~~~~
479
480``struct btf_type`` encoding requirement:
481 * ``name_off``: offset to a non-empty string
482 * ``info.kind_flag``: 0
483 * ``info.kind``: BTF_KIND_DECL_TAG
484 * ``info.vlen``: 0
485 * ``type``: ``struct``, ``union``, ``func``, ``var`` or ``typedef``
486
487``btf_type`` is followed by ``struct btf_decl_tag``.::
488
489    struct btf_decl_tag {
490        __u32   component_idx;
491    };
492
493The ``name_off`` encodes btf_decl_tag attribute string.
494The ``type`` should be ``struct``, ``union``, ``func``, ``var`` or ``typedef``.
495For ``var`` or ``typedef`` type, ``btf_decl_tag.component_idx`` must be ``-1``.
496For the other three types, if the btf_decl_tag attribute is
497applied to the ``struct``, ``union`` or ``func`` itself,
498``btf_decl_tag.component_idx`` must be ``-1``. Otherwise,
499the attribute is applied to a ``struct``/``union`` member or
500a ``func`` argument, and ``btf_decl_tag.component_idx`` should be a
501valid index (starting from 0) pointing to a member or an argument.
502
5032.2.18 BTF_KIND_TYPE_TAG
504~~~~~~~~~~~~~~~~~~~~~~~~
505
506``struct btf_type`` encoding requirement:
507 * ``name_off``: offset to a non-empty string
508 * ``info.kind_flag``: 0
509 * ``info.kind``: BTF_KIND_TYPE_TAG
510 * ``info.vlen``: 0
511 * ``type``: the type with ``btf_type_tag`` attribute
512
513Currently, ``BTF_KIND_TYPE_TAG`` is only emitted for pointer types.
514It has the following btf type chain:
515::
516
517  ptr -> [type_tag]*
518      -> [const | volatile | restrict | typedef]*
519      -> base_type
520
521Basically, a pointer type points to zero or more
522type_tag, then zero or more const/volatile/restrict/typedef
523and finally the base type. The base type is one of
524int, ptr, array, struct, union, enum, func_proto and float types.
525
5262.2.19 BTF_KIND_ENUM64
527~~~~~~~~~~~~~~~~~~~~~~
528
529``struct btf_type`` encoding requirement:
530  * ``name_off``: 0 or offset to a valid C identifier
531  * ``info.kind_flag``: 0 for unsigned, 1 for signed
532  * ``info.kind``: BTF_KIND_ENUM64
533  * ``info.vlen``: number of enum values
534  * ``size``: 1/2/4/8
535
536``btf_type`` is followed by ``info.vlen`` number of ``struct btf_enum64``.::
537
538    struct btf_enum64 {
539        __u32   name_off;
540        __u32   val_lo32;
541        __u32   val_hi32;
542    };
543
544The ``btf_enum64`` encoding:
545  * ``name_off``: offset to a valid C identifier
546  * ``val_lo32``: lower 32-bit value for a 64-bit value
547  * ``val_hi32``: high 32-bit value for a 64-bit value
548
549If the original enum value is signed and the size is less than 8,
550that value will be sign extended into 8 bytes.
551
5523. BTF Kernel API
553=================
554
555The following bpf syscall command involves BTF:
556   * BPF_BTF_LOAD: load a blob of BTF data into kernel
557   * BPF_MAP_CREATE: map creation with btf key and value type info.
558   * BPF_PROG_LOAD: prog load with btf function and line info.
559   * BPF_BTF_GET_FD_BY_ID: get a btf fd
560   * BPF_OBJ_GET_INFO_BY_FD: btf, func_info, line_info
561     and other btf related info are returned.
562
563The workflow typically looks like:
564::
565
566  Application:
567      BPF_BTF_LOAD
568          |
569          v
570      BPF_MAP_CREATE and BPF_PROG_LOAD
571          |
572          V
573      ......
574
575  Introspection tool:
576      ......
577      BPF_{PROG,MAP}_GET_NEXT_ID (get prog/map id's)
578          |
579          V
580      BPF_{PROG,MAP}_GET_FD_BY_ID (get a prog/map fd)
581          |
582          V
583      BPF_OBJ_GET_INFO_BY_FD (get bpf_prog_info/bpf_map_info with btf_id)
584          |                                     |
585          V                                     |
586      BPF_BTF_GET_FD_BY_ID (get btf_fd)         |
587          |                                     |
588          V                                     |
589      BPF_OBJ_GET_INFO_BY_FD (get btf)          |
590          |                                     |
591          V                                     V
592      pretty print types, dump func signatures and line info, etc.
593
594
5953.1 BPF_BTF_LOAD
596----------------
597
598Load a blob of BTF data into kernel. A blob of data, described in
599:ref:`BTF_Type_String`, can be directly loaded into the kernel. A ``btf_fd``
600is returned to a userspace.
601
6023.2 BPF_MAP_CREATE
603------------------
604
605A map can be created with ``btf_fd`` and specified key/value type id.::
606
607    __u32   btf_fd;         /* fd pointing to a BTF type data */
608    __u32   btf_key_type_id;        /* BTF type_id of the key */
609    __u32   btf_value_type_id;      /* BTF type_id of the value */
610
611In libbpf, the map can be defined with extra annotation like below:
612::
613
614    struct {
615        __uint(type, BPF_MAP_TYPE_ARRAY);
616        __type(key, int);
617        __type(value, struct ipv_counts);
618        __uint(max_entries, 4);
619    } btf_map SEC(".maps");
620
621During ELF parsing, libbpf is able to extract key/value type_id's and assign
622them to BPF_MAP_CREATE attributes automatically.
623
624.. _BPF_Prog_Load:
625
6263.3 BPF_PROG_LOAD
627-----------------
628
629During prog_load, func_info and line_info can be passed to kernel with proper
630values for the following attributes:
631::
632
633    __u32           insn_cnt;
634    __aligned_u64   insns;
635    ......
636    __u32           prog_btf_fd;    /* fd pointing to BTF type data */
637    __u32           func_info_rec_size;     /* userspace bpf_func_info size */
638    __aligned_u64   func_info;      /* func info */
639    __u32           func_info_cnt;  /* number of bpf_func_info records */
640    __u32           line_info_rec_size;     /* userspace bpf_line_info size */
641    __aligned_u64   line_info;      /* line info */
642    __u32           line_info_cnt;  /* number of bpf_line_info records */
643
644The func_info and line_info are an array of below, respectively.::
645
646    struct bpf_func_info {
647        __u32   insn_off; /* [0, insn_cnt - 1] */
648        __u32   type_id;  /* pointing to a BTF_KIND_FUNC type */
649    };
650    struct bpf_line_info {
651        __u32   insn_off; /* [0, insn_cnt - 1] */
652        __u32   file_name_off; /* offset to string table for the filename */
653        __u32   line_off; /* offset to string table for the source line */
654        __u32   line_col; /* line number and column number */
655    };
656
657func_info_rec_size is the size of each func_info record, and
658line_info_rec_size is the size of each line_info record. Passing the record
659size to kernel make it possible to extend the record itself in the future.
660
661Below are requirements for func_info:
662  * func_info[0].insn_off must be 0.
663  * the func_info insn_off is in strictly increasing order and matches
664    bpf func boundaries.
665
666Below are requirements for line_info:
667  * the first insn in each func must have a line_info record pointing to it.
668  * the line_info insn_off is in strictly increasing order.
669
670For line_info, the line number and column number are defined as below:
671::
672
673    #define BPF_LINE_INFO_LINE_NUM(line_col)        ((line_col) >> 10)
674    #define BPF_LINE_INFO_LINE_COL(line_col)        ((line_col) & 0x3ff)
675
6763.4 BPF_{PROG,MAP}_GET_NEXT_ID
677------------------------------
678
679In kernel, every loaded program, map or btf has a unique id. The id won't
680change during the lifetime of a program, map, or btf.
681
682The bpf syscall command BPF_{PROG,MAP}_GET_NEXT_ID returns all id's, one for
683each command, to user space, for bpf program or maps, respectively, so an
684inspection tool can inspect all programs and maps.
685
6863.5 BPF_{PROG,MAP}_GET_FD_BY_ID
687-------------------------------
688
689An introspection tool cannot use id to get details about program or maps.
690A file descriptor needs to be obtained first for reference-counting purpose.
691
6923.6 BPF_OBJ_GET_INFO_BY_FD
693--------------------------
694
695Once a program/map fd is acquired, an introspection tool can get the detailed
696information from kernel about this fd, some of which are BTF-related. For
697example, ``bpf_map_info`` returns ``btf_id`` and key/value type ids.
698``bpf_prog_info`` returns ``btf_id``, func_info, and line info for translated
699bpf byte codes, and jited_line_info.
700
7013.7 BPF_BTF_GET_FD_BY_ID
702------------------------
703
704With ``btf_id`` obtained in ``bpf_map_info`` and ``bpf_prog_info``, bpf
705syscall command BPF_BTF_GET_FD_BY_ID can retrieve a btf fd. Then, with
706command BPF_OBJ_GET_INFO_BY_FD, the btf blob, originally loaded into the
707kernel with BPF_BTF_LOAD, can be retrieved.
708
709With the btf blob, ``bpf_map_info``, and ``bpf_prog_info``, an introspection
710tool has full btf knowledge and is able to pretty print map key/values, dump
711func signatures and line info, along with byte/jit codes.
712
7134. ELF File Format Interface
714============================
715
7164.1 .BTF section
717----------------
718
719The .BTF section contains type and string data. The format of this section is
720same as the one describe in :ref:`BTF_Type_String`.
721
722.. _BTF_Ext_Section:
723
7244.2 .BTF.ext section
725--------------------
726
727The .BTF.ext section encodes func_info, line_info and CO-RE relocations
728which needs loader manipulation before loading into the kernel.
729
730The specification for .BTF.ext section is defined at ``tools/lib/bpf/btf.h``
731and ``tools/lib/bpf/btf.c``.
732
733The current header of .BTF.ext section::
734
735    struct btf_ext_header {
736        __u16   magic;
737        __u8    version;
738        __u8    flags;
739        __u32   hdr_len;
740
741        /* All offsets are in bytes relative to the end of this header */
742        __u32   func_info_off;
743        __u32   func_info_len;
744        __u32   line_info_off;
745        __u32   line_info_len;
746
747        /* optional part of .BTF.ext header */
748        __u32   core_relo_off;
749        __u32   core_relo_len;
750    };
751
752It is very similar to .BTF section. Instead of type/string section, it
753contains func_info, line_info and core_relo sub-sections.
754See :ref:`BPF_Prog_Load` for details about func_info and line_info
755record format.
756
757The func_info is organized as below.::
758
759     func_info_rec_size              /* __u32 value */
760     btf_ext_info_sec for section #1 /* func_info for section #1 */
761     btf_ext_info_sec for section #2 /* func_info for section #2 */
762     ...
763
764``func_info_rec_size`` specifies the size of ``bpf_func_info`` structure when
765.BTF.ext is generated. ``btf_ext_info_sec``, defined below, is a collection of
766func_info for each specific ELF section.::
767
768     struct btf_ext_info_sec {
769        __u32   sec_name_off; /* offset to section name */
770        __u32   num_info;
771        /* Followed by num_info * record_size number of bytes */
772        __u8    data[0];
773     };
774
775Here, num_info must be greater than 0.
776
777The line_info is organized as below.::
778
779     line_info_rec_size              /* __u32 value */
780     btf_ext_info_sec for section #1 /* line_info for section #1 */
781     btf_ext_info_sec for section #2 /* line_info for section #2 */
782     ...
783
784``line_info_rec_size`` specifies the size of ``bpf_line_info`` structure when
785.BTF.ext is generated.
786
787The interpretation of ``bpf_func_info->insn_off`` and
788``bpf_line_info->insn_off`` is different between kernel API and ELF API. For
789kernel API, the ``insn_off`` is the instruction offset in the unit of ``struct
790bpf_insn``. For ELF API, the ``insn_off`` is the byte offset from the
791beginning of section (``btf_ext_info_sec->sec_name_off``).
792
793The core_relo is organized as below.::
794
795     core_relo_rec_size              /* __u32 value */
796     btf_ext_info_sec for section #1 /* core_relo for section #1 */
797     btf_ext_info_sec for section #2 /* core_relo for section #2 */
798
799``core_relo_rec_size`` specifies the size of ``bpf_core_relo``
800structure when .BTF.ext is generated. All ``bpf_core_relo`` structures
801within a single ``btf_ext_info_sec`` describe relocations applied to
802section named by ``btf_ext_info_sec->sec_name_off``.
803
804See :ref:`Documentation/bpf/llvm_reloc.rst <btf-co-re-relocations>`
805for more information on CO-RE relocations.
806
8074.2 .BTF_ids section
808--------------------
809
810The .BTF_ids section encodes BTF ID values that are used within the kernel.
811
812This section is created during the kernel compilation with the help of
813macros defined in ``include/linux/btf_ids.h`` header file. Kernel code can
814use them to create lists and sets (sorted lists) of BTF ID values.
815
816The ``BTF_ID_LIST`` and ``BTF_ID`` macros define unsorted list of BTF ID values,
817with following syntax::
818
819  BTF_ID_LIST(list)
820  BTF_ID(type1, name1)
821  BTF_ID(type2, name2)
822
823resulting in following layout in .BTF_ids section::
824
825  __BTF_ID__type1__name1__1:
826  .zero 4
827  __BTF_ID__type2__name2__2:
828  .zero 4
829
830The ``u32 list[];`` variable is defined to access the list.
831
832The ``BTF_ID_UNUSED`` macro defines 4 zero bytes. It's used when we
833want to define unused entry in BTF_ID_LIST, like::
834
835      BTF_ID_LIST(bpf_skb_output_btf_ids)
836      BTF_ID(struct, sk_buff)
837      BTF_ID_UNUSED
838      BTF_ID(struct, task_struct)
839
840The ``BTF_SET_START/END`` macros pair defines sorted list of BTF ID values
841and their count, with following syntax::
842
843  BTF_SET_START(set)
844  BTF_ID(type1, name1)
845  BTF_ID(type2, name2)
846  BTF_SET_END(set)
847
848resulting in following layout in .BTF_ids section::
849
850  __BTF_ID__set__set:
851  .zero 4
852  __BTF_ID__type1__name1__3:
853  .zero 4
854  __BTF_ID__type2__name2__4:
855  .zero 4
856
857The ``struct btf_id_set set;`` variable is defined to access the list.
858
859The ``typeX`` name can be one of following::
860
861   struct, union, typedef, func
862
863and is used as a filter when resolving the BTF ID value.
864
865All the BTF ID lists and sets are compiled in the .BTF_ids section and
866resolved during the linking phase of kernel build by ``resolve_btfids`` tool.
867
8685. Using BTF
869============
870
8715.1 bpftool map pretty print
872----------------------------
873
874With BTF, the map key/value can be printed based on fields rather than simply
875raw bytes. This is especially valuable for large structure or if your data
876structure has bitfields. For example, for the following map,::
877
878      enum A { A1, A2, A3, A4, A5 };
879      typedef enum A ___A;
880      struct tmp_t {
881           char a1:4;
882           int  a2:4;
883           int  :4;
884           __u32 a3:4;
885           int b;
886           ___A b1:4;
887           enum A b2:4;
888      };
889      struct {
890           __uint(type, BPF_MAP_TYPE_ARRAY);
891           __type(key, int);
892           __type(value, struct tmp_t);
893           __uint(max_entries, 1);
894      } tmpmap SEC(".maps");
895
896bpftool is able to pretty print like below:
897::
898
899      [{
900            "key": 0,
901            "value": {
902                "a1": 0x2,
903                "a2": 0x4,
904                "a3": 0x6,
905                "b": 7,
906                "b1": 0x8,
907                "b2": 0xa
908            }
909        }
910      ]
911
9125.2 bpftool prog dump
913---------------------
914
915The following is an example showing how func_info and line_info can help prog
916dump with better kernel symbol names, function prototypes and line
917information.::
918
919    $ bpftool prog dump jited pinned /sys/fs/bpf/test_btf_haskv
920    [...]
921    int test_long_fname_2(struct dummy_tracepoint_args * arg):
922    bpf_prog_44a040bf25481309_test_long_fname_2:
923    ; static int test_long_fname_2(struct dummy_tracepoint_args *arg)
924       0:   push   %rbp
925       1:   mov    %rsp,%rbp
926       4:   sub    $0x30,%rsp
927       b:   sub    $0x28,%rbp
928       f:   mov    %rbx,0x0(%rbp)
929      13:   mov    %r13,0x8(%rbp)
930      17:   mov    %r14,0x10(%rbp)
931      1b:   mov    %r15,0x18(%rbp)
932      1f:   xor    %eax,%eax
933      21:   mov    %rax,0x20(%rbp)
934      25:   xor    %esi,%esi
935    ; int key = 0;
936      27:   mov    %esi,-0x4(%rbp)
937    ; if (!arg->sock)
938      2a:   mov    0x8(%rdi),%rdi
939    ; if (!arg->sock)
940      2e:   cmp    $0x0,%rdi
941      32:   je     0x0000000000000070
942      34:   mov    %rbp,%rsi
943    ; counts = bpf_map_lookup_elem(&btf_map, &key);
944    [...]
945
9465.3 Verifier Log
947----------------
948
949The following is an example of how line_info can help debugging verification
950failure.::
951
952       /* The code at tools/testing/selftests/bpf/test_xdp_noinline.c
953        * is modified as below.
954        */
955       data = (void *)(long)xdp->data;
956       data_end = (void *)(long)xdp->data_end;
957       /*
958       if (data + 4 > data_end)
959               return XDP_DROP;
960       */
961       *(u32 *)data = dst->dst;
962
963    $ bpftool prog load ./test_xdp_noinline.o /sys/fs/bpf/test_xdp_noinline type xdp
964        ; data = (void *)(long)xdp->data;
965        224: (79) r2 = *(u64 *)(r10 -112)
966        225: (61) r2 = *(u32 *)(r2 +0)
967        ; *(u32 *)data = dst->dst;
968        226: (63) *(u32 *)(r2 +0) = r1
969        invalid access to packet, off=0 size=4, R2(id=0,off=0,r=0)
970        R2 offset is outside of the packet
971
9726. BTF Generation
973=================
974
975You need latest pahole
976
977  https://git.kernel.org/pub/scm/devel/pahole/pahole.git/
978
979or llvm (8.0 or later). The pahole acts as a dwarf2btf converter. It doesn't
980support .BTF.ext and btf BTF_KIND_FUNC type yet. For example,::
981
982      -bash-4.4$ cat t.c
983      struct t {
984        int a:2;
985        int b:3;
986        int c:2;
987      } g;
988      -bash-4.4$ gcc -c -O2 -g t.c
989      -bash-4.4$ pahole -JV t.o
990      File t.o:
991      [1] STRUCT t kind_flag=1 size=4 vlen=3
992              a type_id=2 bitfield_size=2 bits_offset=0
993              b type_id=2 bitfield_size=3 bits_offset=2
994              c type_id=2 bitfield_size=2 bits_offset=5
995      [2] INT int size=4 bit_offset=0 nr_bits=32 encoding=SIGNED
996
997The llvm is able to generate .BTF and .BTF.ext directly with -g for bpf target
998only. The assembly code (-S) is able to show the BTF encoding in assembly
999format.::
1000
1001    -bash-4.4$ cat t2.c
1002    typedef int __int32;
1003    struct t2 {
1004      int a2;
1005      int (*f2)(char q1, __int32 q2, ...);
1006      int (*f3)();
1007    } g2;
1008    int main() { return 0; }
1009    int test() { return 0; }
1010    -bash-4.4$ clang -c -g -O2 --target=bpf t2.c
1011    -bash-4.4$ readelf -S t2.o
1012      ......
1013      [ 8] .BTF              PROGBITS         0000000000000000  00000247
1014           000000000000016e  0000000000000000           0     0     1
1015      [ 9] .BTF.ext          PROGBITS         0000000000000000  000003b5
1016           0000000000000060  0000000000000000           0     0     1
1017      [10] .rel.BTF.ext      REL              0000000000000000  000007e0
1018           0000000000000040  0000000000000010          16     9     8
1019      ......
1020    -bash-4.4$ clang -S -g -O2 --target=bpf t2.c
1021    -bash-4.4$ cat t2.s
1022      ......
1023            .section        .BTF,"",@progbits
1024            .short  60319                   # 0xeb9f
1025            .byte   1
1026            .byte   0
1027            .long   24
1028            .long   0
1029            .long   220
1030            .long   220
1031            .long   122
1032            .long   0                       # BTF_KIND_FUNC_PROTO(id = 1)
1033            .long   218103808               # 0xd000000
1034            .long   2
1035            .long   83                      # BTF_KIND_INT(id = 2)
1036            .long   16777216                # 0x1000000
1037            .long   4
1038            .long   16777248                # 0x1000020
1039      ......
1040            .byte   0                       # string offset=0
1041            .ascii  ".text"                 # string offset=1
1042            .byte   0
1043            .ascii  "/home/yhs/tmp-pahole/t2.c" # string offset=7
1044            .byte   0
1045            .ascii  "int main() { return 0; }" # string offset=33
1046            .byte   0
1047            .ascii  "int test() { return 0; }" # string offset=58
1048            .byte   0
1049            .ascii  "int"                   # string offset=83
1050      ......
1051            .section        .BTF.ext,"",@progbits
1052            .short  60319                   # 0xeb9f
1053            .byte   1
1054            .byte   0
1055            .long   24
1056            .long   0
1057            .long   28
1058            .long   28
1059            .long   44
1060            .long   8                       # FuncInfo
1061            .long   1                       # FuncInfo section string offset=1
1062            .long   2
1063            .long   .Lfunc_begin0
1064            .long   3
1065            .long   .Lfunc_begin1
1066            .long   5
1067            .long   16                      # LineInfo
1068            .long   1                       # LineInfo section string offset=1
1069            .long   2
1070            .long   .Ltmp0
1071            .long   7
1072            .long   33
1073            .long   7182                    # Line 7 Col 14
1074            .long   .Ltmp3
1075            .long   7
1076            .long   58
1077            .long   8206                    # Line 8 Col 14
1078
10797. Testing
1080==========
1081
1082The kernel BPF selftest `tools/testing/selftests/bpf/prog_tests/btf.c`_
1083provides an extensive set of BTF-related tests.
1084
1085.. Links
1086.. _tools/testing/selftests/bpf/prog_tests/btf.c:
1087   https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/tools/testing/selftests/bpf/prog_tests/btf.c
1088