xref: /linux/Documentation/hid/hid-bpf.rst (revision daa121128a2d2ac6006159e2c47676e4fcd21eab)
1.. SPDX-License-Identifier: GPL-2.0
2
3=======
4HID-BPF
5=======
6
7HID is a standard protocol for input devices but some devices may require
8custom tweaks, traditionally done with a kernel driver fix. Using the eBPF
9capabilities instead speeds up development and adds new capabilities to the
10existing HID interfaces.
11
12.. contents::
13    :local:
14    :depth: 2
15
16
17When (and why) to use HID-BPF
18=============================
19
20There are several use cases when using HID-BPF is better
21than standard kernel driver fix:
22
23Dead zone of a joystick
24-----------------------
25
26Assuming you have a joystick that is getting older, it is common to see it
27wobbling around its neutral point. This is usually filtered at the application
28level by adding a *dead zone* for this specific axis.
29
30With HID-BPF, we can apply this filtering in the kernel directly so userspace
31does not get woken up when nothing else is happening on the input controller.
32
33Of course, given that this dead zone is specific to an individual device, we
34can not create a generic fix for all of the same joysticks. Adding a custom
35kernel API for this (e.g. by adding a sysfs entry) does not guarantee this new
36kernel API will be broadly adopted and maintained.
37
38HID-BPF allows the userspace program to load the program itself, ensuring we
39only load the custom API when we have a user.
40
41Simple fixup of report descriptor
42---------------------------------
43
44In the HID tree, half of the drivers only fix one key or one byte
45in the report descriptor. These fixes all require a kernel patch and the
46subsequent shepherding into a release, a long and painful process for users.
47
48We can reduce this burden by providing an eBPF program instead. Once such a
49program  has been verified by the user, we can embed the source code into the
50kernel tree and ship the eBPF program and load it directly instead of loading
51a specific kernel module for it.
52
53Note: distribution of eBPF programs and their inclusion in the kernel is not
54yet fully implemented
55
56Add a new feature that requires a new kernel API
57------------------------------------------------
58
59An example for such a feature are the Universal Stylus Interface (USI) pens.
60Basically, USI pens require a new kernel API because there are new
61channels of communication that our HID and input stack do not support.
62Instead of using hidraw or creating new sysfs entries or ioctls, we can rely
63on eBPF to have the kernel API controlled by the consumer and to not
64impact the performances by waking up userspace every time there is an
65event.
66
67Morph a device into something else and control that from userspace
68------------------------------------------------------------------
69
70The kernel has a relatively static mapping of HID items to evdev bits.
71It cannot decide to dynamically transform a given device into something else
72as it does not have the required context and any such transformation cannot be
73undone (or even discovered) by userspace.
74
75However, some devices are useless with that static way of defining devices. For
76example, the Microsoft Surface Dial is a pushbutton with haptic feedback that
77is barely usable as of today.
78
79With eBPF, userspace can morph that device into a mouse, and convert the dial
80events into wheel events. Also, the userspace program can set/unset the haptic
81feedback depending on the context. For example, if a menu is visible on the
82screen we likely need to have a haptic click every 15 degrees. But when
83scrolling in a web page the user experience is better when the device emits
84events at the highest resolution.
85
86Firewall
87--------
88
89What if we want to prevent other users to access a specific feature of a
90device? (think a possibly broken firmware update entry point)
91
92With eBPF, we can intercept any HID command emitted to the device and
93validate it or not.
94
95This also allows to sync the state between the userspace and the
96kernel/bpf program because we can intercept any incoming command.
97
98Tracing
99-------
100
101The last usage is tracing events and all the fun we can do we BPF to summarize
102and analyze events.
103
104Right now, tracing relies on hidraw. It works well except for a couple
105of issues:
106
1071. if the driver doesn't export a hidraw node, we can't trace anything
108   (eBPF will be a "god-mode" there, so this may raise some eyebrows)
1092. hidraw doesn't catch other processes' requests to the device, which
110   means that we have cases where we need to add printks to the kernel
111   to understand what is happening.
112
113High-level view of HID-BPF
114==========================
115
116The main idea behind HID-BPF is that it works at an array of bytes level.
117Thus, all of the parsing of the HID report and the HID report descriptor
118must be implemented in the userspace component that loads the eBPF
119program.
120
121For example, in the dead zone joystick from above, knowing which fields
122in the data stream needs to be set to ``0`` needs to be computed by userspace.
123
124A corollary of this is that HID-BPF doesn't know about the other subsystems
125available in the kernel. *You can not directly emit input event through the
126input API from eBPF*.
127
128When a BPF program needs to emit input events, it needs to talk with the HID
129protocol, and rely on the HID kernel processing to translate the HID data into
130input events.
131
132Available types of programs
133===========================
134
135HID-BPF is built "on top" of BPF, meaning that we use tracing method to
136declare our programs.
137
138HID-BPF has the following attachment types available:
139
1401. event processing/filtering with ``SEC("fmod_ret/hid_bpf_device_event")`` in libbpf
1412. actions coming from userspace with ``SEC("syscall")`` in libbpf
1423. change of the report descriptor with ``SEC("fmod_ret/hid_bpf_rdesc_fixup")`` in libbpf
143
144A ``hid_bpf_device_event`` is calling a BPF program when an event is received from
145the device. Thus we are in IRQ context and can act on the data or notify userspace.
146And given that we are in IRQ context, we can not talk back to the device.
147
148A ``syscall`` means that userspace called the syscall ``BPF_PROG_RUN`` facility.
149This time, we can do any operations allowed by HID-BPF, and talking to the device is
150allowed.
151
152Last, ``hid_bpf_rdesc_fixup`` is different from the others as there can be only one
153BPF program of this type. This is called on ``probe`` from the driver and allows to
154change the report descriptor from the BPF program. Once a ``hid_bpf_rdesc_fixup``
155program has been loaded, it is not possible to overwrite it unless the program which
156inserted it allows us by pinning the program and closing all of its fds pointing to it.
157
158Developer API:
159==============
160
161User API data structures available in programs:
162-----------------------------------------------
163
164.. kernel-doc:: include/linux/hid_bpf.h
165
166Available tracing functions to attach a HID-BPF program:
167--------------------------------------------------------
168
169.. kernel-doc:: drivers/hid/bpf/hid_bpf_dispatch.c
170   :functions: hid_bpf_device_event hid_bpf_rdesc_fixup
171
172Available API that can be used in all HID-BPF programs:
173-------------------------------------------------------
174
175.. kernel-doc:: drivers/hid/bpf/hid_bpf_dispatch.c
176   :functions: hid_bpf_get_data
177
178Available API that can be used in syscall HID-BPF programs:
179-----------------------------------------------------------
180
181.. kernel-doc:: drivers/hid/bpf/hid_bpf_dispatch.c
182   :functions: hid_bpf_attach_prog hid_bpf_hw_request hid_bpf_hw_output_report hid_bpf_input_report hid_bpf_allocate_context hid_bpf_release_context
183
184General overview of a HID-BPF program
185=====================================
186
187Accessing the data attached to the context
188------------------------------------------
189
190The ``struct hid_bpf_ctx`` doesn't export the ``data`` fields directly and to access
191it, a bpf program needs to first call :c:func:`hid_bpf_get_data`.
192
193``offset`` can be any integer, but ``size`` needs to be constant, known at compile
194time.
195
196This allows the following:
197
1981. for a given device, if we know that the report length will always be of a certain value,
199   we can request the ``data`` pointer to point at the full report length.
200
201   The kernel will ensure we are using a correct size and offset and eBPF will ensure
202   the code will not attempt to read or write outside of the boundaries::
203
204     __u8 *data = hid_bpf_get_data(ctx, 0 /* offset */, 256 /* size */);
205
206     if (!data)
207         return 0; /* ensure data is correct, now the verifier knows we
208                    * have 256 bytes available */
209
210     bpf_printk("hello world: %02x %02x %02x", data[0], data[128], data[255]);
211
2122. if the report length is variable, but we know the value of ``X`` is always a 16-bit
213   integer, we can then have a pointer to that value only::
214
215      __u16 *x = hid_bpf_get_data(ctx, offset, sizeof(*x));
216
217      if (!x)
218          return 0; /* something went wrong */
219
220      *x += 1; /* increment X by one */
221
222Effect of a HID-BPF program
223---------------------------
224
225For all HID-BPF attachment types except for :c:func:`hid_bpf_rdesc_fixup`, several eBPF
226programs can be attached to the same device.
227
228Unless ``HID_BPF_FLAG_INSERT_HEAD`` is added to the flags while attaching the
229program, the new program is appended at the end of the list.
230``HID_BPF_FLAG_INSERT_HEAD`` will insert the new program at the beginning of the
231list which is useful for e.g. tracing where we need to get the unprocessed events
232from the device.
233
234Note that if there are multiple programs using the ``HID_BPF_FLAG_INSERT_HEAD`` flag,
235only the most recently loaded one is actually the first in the list.
236
237``SEC("fmod_ret/hid_bpf_device_event")``
238~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
239
240Whenever a matching event is raised, the eBPF programs are called one after the other
241and are working on the same data buffer.
242
243If a program changes the data associated with the context, the next one will see
244the modified data but it will have *no* idea of what the original data was.
245
246Once all the programs are run and return ``0`` or a positive value, the rest of the
247HID stack will work on the modified data, with the ``size`` field of the last hid_bpf_ctx
248being the new size of the input stream of data.
249
250A BPF program returning a negative error discards the event, i.e. this event will not be
251processed by the HID stack. Clients (hidraw, input, LEDs) will **not** see this event.
252
253``SEC("syscall")``
254~~~~~~~~~~~~~~~~~~
255
256``syscall`` are not attached to a given device. To tell which device we are working
257with, userspace needs to refer to the device by its unique system id (the last 4 numbers
258in the sysfs path: ``/sys/bus/hid/devices/xxxx:yyyy:zzzz:0000``).
259
260To retrieve a context associated with the device, the program must call
261:c:func:`hid_bpf_allocate_context` and must release it with :c:func:`hid_bpf_release_context`
262before returning.
263Once the context is retrieved, one can also request a pointer to kernel memory with
264:c:func:`hid_bpf_get_data`. This memory is big enough to support all input/output/feature
265reports of the given device.
266
267``SEC("fmod_ret/hid_bpf_rdesc_fixup")``
268~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
269
270The ``hid_bpf_rdesc_fixup`` program works in a similar manner to
271``.report_fixup`` of ``struct hid_driver``.
272
273When the device is probed, the kernel sets the data buffer of the context with the
274content of the report descriptor. The memory associated with that buffer is
275``HID_MAX_DESCRIPTOR_SIZE`` (currently 4kB).
276
277The eBPF program can modify the data buffer at-will and the kernel uses the
278modified content and size as the report descriptor.
279
280Whenever a ``SEC("fmod_ret/hid_bpf_rdesc_fixup")`` program is attached (if no
281program was attached before), the kernel immediately disconnects the HID device
282and does a reprobe.
283
284In the same way, when the ``SEC("fmod_ret/hid_bpf_rdesc_fixup")`` program is
285detached, the kernel issues a disconnect on the device.
286
287There is no ``detach`` facility in HID-BPF. Detaching a program happens when
288all the user space file descriptors pointing at a program are closed.
289Thus, if we need to replace a report descriptor fixup, some cooperation is
290required from the owner of the original report descriptor fixup.
291The previous owner will likely pin the program in the bpffs, and we can then
292replace it through normal bpf operations.
293
294Attaching a bpf program to a device
295===================================
296
297``libbpf`` does not export any helper to attach a HID-BPF program.
298Users need to use a dedicated ``syscall`` program which will call
299``hid_bpf_attach_prog(hid_id, program_fd, flags)``.
300
301``hid_id`` is the unique system ID of the HID device (the last 4 numbers in the
302sysfs path: ``/sys/bus/hid/devices/xxxx:yyyy:zzzz:0000``)
303
304``progam_fd`` is the opened file descriptor of the program to attach.
305
306``flags`` is of type ``enum hid_bpf_attach_flags``.
307
308We can not rely on hidraw to bind a BPF program to a HID device. hidraw is an
309artefact of the processing of the HID device, and is not stable. Some drivers
310even disable it, so that removes the tracing capabilities on those devices
311(where it is interesting to get the non-hidraw traces).
312
313On the other hand, the ``hid_id`` is stable for the entire life of the HID device,
314even if we change its report descriptor.
315
316Given that hidraw is not stable when the device disconnects/reconnects, we recommend
317accessing the current report descriptor of the device through the sysfs.
318This is available at ``/sys/bus/hid/devices/BUS:VID:PID.000N/report_descriptor`` as a
319binary stream.
320
321Parsing the report descriptor is the responsibility of the BPF programmer or the userspace
322component that loads the eBPF program.
323
324An (almost) complete example of a BPF enhanced HID device
325=========================================================
326
327*Foreword: for most parts, this could be implemented as a kernel driver*
328
329Let's imagine we have a new tablet device that has some haptic capabilities
330to simulate the surface the user is scratching on. This device would also have
331a specific 3 positions switch to toggle between *pencil on paper*, *cray on a wall*
332and *brush on a painting canvas*. To make things even better, we can control the
333physical position of the switch through a feature report.
334
335And of course, the switch is relying on some userspace component to control the
336haptic feature of the device itself.
337
338Filtering events
339----------------
340
341The first step consists in filtering events from the device. Given that the switch
342position is actually reported in the flow of the pen events, using hidraw to implement
343that filtering would mean that we wake up userspace for every single event.
344
345This is OK for libinput, but having an external library that is just interested in
346one byte in the report is less than ideal.
347
348For that, we can create a basic skeleton for our BPF program::
349
350  #include "vmlinux.h"
351  #include <bpf/bpf_helpers.h>
352  #include <bpf/bpf_tracing.h>
353
354  /* HID programs need to be GPL */
355  char _license[] SEC("license") = "GPL";
356
357  /* HID-BPF kfunc API definitions */
358  extern __u8 *hid_bpf_get_data(struct hid_bpf_ctx *ctx,
359			      unsigned int offset,
360			      const size_t __sz) __ksym;
361  extern int hid_bpf_attach_prog(unsigned int hid_id, int prog_fd, u32 flags) __ksym;
362
363  struct {
364	__uint(type, BPF_MAP_TYPE_RINGBUF);
365	__uint(max_entries, 4096 * 64);
366  } ringbuf SEC(".maps");
367
368  struct attach_prog_args {
369	int prog_fd;
370	unsigned int hid;
371	unsigned int flags;
372	int retval;
373  };
374
375  SEC("syscall")
376  int attach_prog(struct attach_prog_args *ctx)
377  {
378	ctx->retval = hid_bpf_attach_prog(ctx->hid,
379					  ctx->prog_fd,
380					  ctx->flags);
381	return 0;
382  }
383
384  __u8 current_value = 0;
385
386  SEC("?fmod_ret/hid_bpf_device_event")
387  int BPF_PROG(filter_switch, struct hid_bpf_ctx *hid_ctx)
388  {
389	__u8 *data = hid_bpf_get_data(hid_ctx, 0 /* offset */, 192 /* size */);
390	__u8 *buf;
391
392	if (!data)
393		return 0; /* EPERM check */
394
395	if (current_value != data[152]) {
396		buf = bpf_ringbuf_reserve(&ringbuf, 1, 0);
397		if (!buf)
398			return 0;
399
400		*buf = data[152];
401
402		bpf_ringbuf_commit(buf, 0);
403
404		current_value = data[152];
405	}
406
407	return 0;
408  }
409
410To attach ``filter_switch``, userspace needs to call the ``attach_prog`` syscall
411program first::
412
413  static int attach_filter(struct hid *hid_skel, int hid_id)
414  {
415	int err, prog_fd;
416	int ret = -1;
417	struct attach_prog_args args = {
418		.hid = hid_id,
419	};
420	DECLARE_LIBBPF_OPTS(bpf_test_run_opts, tattrs,
421		.ctx_in = &args,
422		.ctx_size_in = sizeof(args),
423	);
424
425	args.prog_fd = bpf_program__fd(hid_skel->progs.filter_switch);
426
427	prog_fd = bpf_program__fd(hid_skel->progs.attach_prog);
428
429	err = bpf_prog_test_run_opts(prog_fd, &tattrs);
430	if (err)
431		return err;
432
433	return args.retval; /* the fd of the created bpf_link */
434  }
435
436Our userspace program can now listen to notifications on the ring buffer, and
437is awaken only when the value changes.
438
439When the userspace program doesn't need to listen to events anymore, it can just
440close the returned fd from :c:func:`attach_filter`, which will tell the kernel to
441detach the program from the HID device.
442
443Of course, in other use cases, the userspace program can also pin the fd to the
444BPF filesystem through a call to :c:func:`bpf_obj_pin`, as with any bpf_link.
445
446Controlling the device
447----------------------
448
449To be able to change the haptic feedback from the tablet, the userspace program
450needs to emit a feature report on the device itself.
451
452Instead of using hidraw for that, we can create a ``SEC("syscall")`` program
453that talks to the device::
454
455  /* some more HID-BPF kfunc API definitions */
456  extern struct hid_bpf_ctx *hid_bpf_allocate_context(unsigned int hid_id) __ksym;
457  extern void hid_bpf_release_context(struct hid_bpf_ctx *ctx) __ksym;
458  extern int hid_bpf_hw_request(struct hid_bpf_ctx *ctx,
459			      __u8* data,
460			      size_t len,
461			      enum hid_report_type type,
462			      enum hid_class_request reqtype) __ksym;
463
464
465  struct hid_send_haptics_args {
466	/* data needs to come at offset 0 so we can do a memcpy into it */
467	__u8 data[10];
468	unsigned int hid;
469  };
470
471  SEC("syscall")
472  int send_haptic(struct hid_send_haptics_args *args)
473  {
474	struct hid_bpf_ctx *ctx;
475	int ret = 0;
476
477	ctx = hid_bpf_allocate_context(args->hid);
478	if (!ctx)
479		return 0; /* EPERM check */
480
481	ret = hid_bpf_hw_request(ctx,
482				 args->data,
483				 10,
484				 HID_FEATURE_REPORT,
485				 HID_REQ_SET_REPORT);
486
487	hid_bpf_release_context(ctx);
488
489	return ret;
490  }
491
492And then userspace needs to call that program directly::
493
494  static int set_haptic(struct hid *hid_skel, int hid_id, __u8 haptic_value)
495  {
496	int err, prog_fd;
497	int ret = -1;
498	struct hid_send_haptics_args args = {
499		.hid = hid_id,
500	};
501	DECLARE_LIBBPF_OPTS(bpf_test_run_opts, tattrs,
502		.ctx_in = &args,
503		.ctx_size_in = sizeof(args),
504	);
505
506	args.data[0] = 0x02; /* report ID of the feature on our device */
507	args.data[1] = haptic_value;
508
509	prog_fd = bpf_program__fd(hid_skel->progs.set_haptic);
510
511	err = bpf_prog_test_run_opts(prog_fd, &tattrs);
512	return err;
513  }
514
515Now our userspace program is aware of the haptic state and can control it. The
516program could make this state further available to other userspace programs
517(e.g. via a DBus API).
518
519The interesting bit here is that we did not created a new kernel API for this.
520Which means that if there is a bug in our implementation, we can change the
521interface with the kernel at-will, because the userspace application is
522responsible for its own usage.
523