Generating tailored BTF with vmlinux

[havefuncoding1]

If I have a kernel with BTF enabled, can I use vmlinux on the system to create tailored BTF for my eBPF programs with below command? I tried this and didn't see any issues when executing my eBPF program, so I think it's ok but I would like to get a quick confirmation from experts. Thanks a lot in advance for your help.

bpftool gen min_core_btf ~/vmlinux ./vmlinux.tailored.btf ./ebpfprogram.o

[rafaeldtinoco]

Yes, you would be okay.

• The vmlinux.h will have the types from the kernel where you generated the file (considering you used /sys/kernel/btf/vmlinux to generate it, for example).
• libbpf will be smart to do the relocations and some simple type relocations if types have changed.
• problem rises if your eBPF program uses types that aren't available in the kernel where you're running your eBPF object. then you have to have "multiple" types declared.
• a good approach is to have a vmlinux.h file (like) with ONLY the types your eBPF use. then, to have "flavored types" for the kernels it supports.

Example of a vmlinux.h containing only the types used by tracee:

https://github.com/aquasecurity/tracee/blob/main/pkg/ebpf/c/vmlinux.h

Example of a vmlinux with flavored types (for specific kernel versions):

https://github.com/aquasecurity/tracee/blob/main/pkg/ebpf/c/vmlinux_flavors.h

With multiple flavors for the same type, libbpf is capable of choosing which flavor to use during runtime (for the relocations to work).

And then you can have another header for the missing definitions:

https://github.com/aquasecurity/tracee/blob/main/pkg/ebpf/c/vmlinux_missing.h

Make sure to read https://nakryiko.com/posts/bpf-core-reference-guide/ also, to understand better this concept if you can't right now.

[havefuncoding1]

Thank you so much @rafaeldtinoco for the detailed explanation.