When talking about eBPF advantages, it is always mentioned that it is safer than an LKM. I read some documentation: eBPF ensures safety by verifying code before it is loaded. These are the checks the verifier does:

  • loops
  • out of range jumps
  • unreachable instructions
  • invalid instructions
  • uninitialized register access
  • uninitialized stack access
  • misaligned stack access
  • out of range stack access
  • invalid calling convention

Most of these checks I can understand, but are these all the reasons that an LKM causes a kernel panic? If it does these checks, can it ensure safety? I have 120000 servers in production, and this question is the only thing preventing me from migrating from a traditional HIDS to an eBPF HIDS. But if it can cause a kernel panic on a large scale, even one time, our business will be over.

Mateusz Piotrowski
cxiang

1 Answer

Yes, as far as I know, the BPF verifier is meant to prevent any sort of kernel crash. That however doesn't mean you can't break things unintentionally in production. You could for example freeze your system by attaching BPF programs to all kernel functions or lose all connectivity by dropping all received packets. In those cases, the verifier has no way to know that you didn't mean to perform those actions; it won't stop you.

That being said, any sort of verification is better than no verification as in traditional kernel modules. With kernel modules, not only can you shoot yourself in the foot as I've described above, but you could also crash the whole system because of a subtle bug somewhere in the code.

Regardless of what you're using, you should obviously test it extensively before deploying to production.

pchaigno
  • Thank you for your reply. "but you could also crash the whole system because of a subtle bug somewhere in the code." Yes, this is what I want to know. Can the verifier, through these checks, ensure that there are no bugs that can crash the whole system? – cxiang Dec 19 '21 at 13:02
  • Yes, unless there's a bug in the verifier itself, that shouldn't happen. – pchaigno Dec 19 '21 at 15:10
  • For example, a loop could cause the kernel to lock up, so eBPF has a loop check. I want to know why the verifier can ensure safety. Maybe I need a list of kernel crash reasons? – cxiang Dec 21 '21 at 09:12
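As an added illustration (not from the question or the answer above), here is a small Python model of several checks from the list in the question: invalid instructions, out-of-range jumps, loops, uninitialized register reads, unreachable instructions, and the calling-convention rule that R0 must hold a return value at exit. It is teaching code over a constructed toy instruction encoding, not the kernel's verifier; it rejects every back edge as the older verifier did, whereas kernels since 5.3 accept bounded loops.

```python
# Toy model of some verifier checks (teaching code, not the kernel's). Constructed
# encoding: (op, dst, src, imm); jumps are relative, as in BPF: target = pc + 1 + imm.
OPS = {"mov_imm", "mov_reg", "add", "jeq", "ja", "exit"}

def verify(prog):
    """Return rejection reasons; an empty list means the program is accepted."""
    errors, n, visited = [], len(prog), set()
    for pc, (op, _dst, _src, imm) in enumerate(prog):
        if op not in OPS:
            errors.append(f"invalid instruction at {pc}")
        elif op in ("jeq", "ja") and not 0 <= pc + 1 + imm < n:
            errors.append(f"out of range jump at {pc}")
    if errors:
        return errors  # structure is broken; do not walk the control flow

    def walk(pc, init, path):
        # init: registers written so far on this path; path: pcs on the current path
        while True:
            if pc in path:  # back edge: the classic verifier rejected any loop
                errors.append(f"loop at {pc}"); return
            if pc >= n:
                errors.append("control falls off the end without exit"); return
            visited.add(pc)
            op, dst, src, imm = prog[pc]
            # exit reads r0 because the return value must be there (calling convention)
            reads = {"mov_reg": [src], "add": [dst, src], "jeq": [dst, src], "exit": [0]}
            for r in reads.get(op, []):
                if r not in init:
                    errors.append(f"uninitialized register r{r} read at {pc}"); return
            if op == "exit":
                return
            if op in ("mov_imm", "mov_reg", "add"):
                init = init | {dst}
            path = path | {pc}
            if op == "jeq":
                walk(pc + 1 + imm, init, path)  # explore the taken branch first
                pc += 1                          # then continue on the fall-through
            elif op == "ja":
                pc += 1 + imm
            else:
                pc += 1

    walk(0, frozenset({1, 10}), frozenset())  # r1 = context pointer, r10 = frame pointer
    dead = [pc for pc in range(n) if pc not in visited]
    if dead:
        errors.append(f"unreachable instructions at {dead}")
    return errors

# Constructed sample programs: GOOD is accepted, the others are rejected.
GOOD = [("mov_imm", 0, 0, 0), ("jeq", 0, 1, 1), ("mov_imm", 0, 0, 1), ("exit", 0, 0, 0)]
UNINIT_READ = [("mov_reg", 0, 2, 0), ("exit", 0, 0, 0)]
BACK_EDGE = [("mov_imm", 0, 0, 0), ("ja", 0, 0, -2), ("exit", 0, 0, 0)]
DEAD_CODE = [("mov_imm", 0, 0, 0), ("exit", 0, 0, 0), ("mov_imm", 0, 0, 1)]
```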