v1.0.0-rc1

Highlights

This is the release-candidate for v1.0 of eBPF for Windows. The important changes include:

• Proof of Verification: This feature enforces that only those native eBPF programs are loaded, that are packaged in kernel drivers that are signed by a Microsoft issued certificate with the "eBPF verification" EKU. This certificate proves that the native program was generated from an input BPF program that passed verification and was converted using the bpf2c toolchain.
• Breaking changes in libbpf implementations: Changes in behavior in various libbpf functions including bpf_prog_attach, ring_buffer__new, perf_buffer__new and lifetime management functions for nested map types, to align closely with the Linux behavior.

What's Changed

• Perf Event Array map user-mode API implementation with tests by @kumarvin123 in #4302
• [main] Update spd file for ebpfcore by @saxena-anurag in #4345
• Cleanup map subscription on failure by @Alan-Jowett in #4347
• run ring buffer stress on multiple cores. by @shankarseal in #4348
• Extend timeout of api_tests in the CICD task to 10 minutes by @shankarseal in #4350
• Add CI/CD workflow to validate YAML files by @dthaler in #4362
• fixing configuration for driver_native_only_tests. by @shankarseal in #4367
• Fix a few NuGet packaging issues by @abeltrano in #4328
• update version to 0.22.0 by @shankarseal in #4336
• Update OneBranch PostBuildEvent to use platform-scoped destination directory by @abeltrano in #4372
• Capture native image name during attach by @Alan-Jowett in #4374
• Pickup latest ebpf-verifier by @Alan-Jowett in #4368
• Update WDK from 10.0.26100.2454 to 10.0.26100.3323 by @Alan-Jowett in #4369
• Fix redist nuspec by @saxena-anurag in #4382
• Update regression tests by @saxena-anurag in #4383
• bpf: support log_true_size for BPF_PROG_LOAD by @lmb in #4360
• Don't detach link if link doesn't exist by @Alan-Jowett in #4399
• Pick latest verifier by @Alan-Jowett in #4400
• Design proposal for new ring buffer API by @mikeagun in #3848
• Canonicalize pin paths by @dthaler in #4274
• JIT and bpf2c use different verifier options by @Alan-Jowett in #4324
• [StepSecurity] ci: Harden GitHub Actions by @step-security-bot in #4415
• Build arm64 binaries on arm64 runners by @Alan-Jowett in #4416
• Arm64 test by @Alan-Jowett in #4417
• Workflow to check PRs. by @shankarseal in #4430
• Add guidance to eBPF extension writers about pointers in contexts by @dthaler in #4408
• change to pull_request_target. by @shankarseal in #4435
• Proposal to introduce "Proof of Verification" feature for eBPF programs. by @Alan-Jowett in #4420
• Remove ASAN workaround by @saxena-anurag in #4438
• Update PR template to request references to issues and other miscellaneous changes. by @shankarseal in #4332
• Naming of fields in ebpf_core_object_t is inconstent by @Alan-Jowett in #4437
• Implement hashing of native modules on load and add authorization calls by @Alan-Jowett in #4440
• Always install ebpfsvc by @Alan-Jowett in #4442
• Enable HVCI for native only tests by @Alan-Jowett in #4448
• Move authorization to ebpfsvc by @Alan-Jowett in #4447
• Added -g option to clang compile commands by @JustinHahn8902 in #4461
• Address YAML validation warnings by @dthaler in #4456
• Fix procdump security issue by specifying version in choco install commands by @Copilot in #4462
• Switch to static C++ runtime and dynamic C runtime by @Alan-Jowett in #4460
• Copy signed binaries and headers to the output directory by @Alan-Jowett in #4458
• Strip white space from end of lines by @Alan-Jowett in #4473
• Fix failures caused by VS 2022 v17.14.7 by @Alan-Jowett in #4477
• Add negative lookup tests for inner map in hash_of_map test case by @nigriMSFT in #4463
• Add support for driver test execution on host; Add ARM64 driver tests by @matthewige in #4449
• Fix CI/CD failures by installing LLVM 18.1.8 explicitly by @Copilot in #4505
• Cleanup perf array test async calls on failure. by @mikeagun in #4482
• support both local and fork repos. by @shankarseal in #4490
• update extension document and minor changes. by @shankarseal in #4496
• Switch bpf2c to pull its own nuget dependencies by @Alan-Jowett in #4502
• Remove module hashes after verification. by @Alan-Jowett in #4450
• Require Microsoft Corporation eBPF Verification issuer and EKU by @Alan-Jowett in #4478
• Add JIT versions of KM stress tests to ensure complete test coverage by @Copilot in #4525
• Remote vm cicd by @LakshK98 in #4489
• Fix capitalization inconsistency of "execution context" in documentation by @Copilot in #4501
• Improve dump compression retry logic and add fallback for uncompressed uploads by @Copilot in #4529
• Fix _update_array_map_entry_with_handle to correctly handle array indices > 255 by @Copilot in #4466
• Mitigate code scanner alerts by @shankarseal in #4541
• Connect redirect test enhancements: add implicit bind and UDP redirect_context tests by @matthewige in #4543
• Add Concurrency tests for sock ops by @LakshK98 in #4555
• ringbuffer: direct mmap consumers by @lmb in #4493
• Fix inconsistency between verifier declaration and implementation of helpers by @Alan-Jowett in #4518
• Cleanup: Remove duplicate EBPF_NANO_SECONDS_PER_FILETIME_TICK define by @Copilot in #4476
• Fix codeql task. by @shankarseal in #4568
• Fix certificate verification to check subject instead of issuer by @Copilot in #4576
• Implement granular ETW tracing for per-test trace collection; Add collection of networking traces to driver tests by @Copilot in #4540
• Fix scorecard workflow by @dthaler in #4592
• Update to latest WDK by @Alan-Jowett in #4546
• User mode synch by @Alan-Jowett in #4524
• use allocate with tags for hash table. by @shankarseal in #4599
• Fix indentation of "pinned" parameter help text in netsh ebpf add program by @ramlah7 in #4600
• Fix scorecard workflow by @dthaler in #4596
• Fix sock_ops code flow and test by @LakshK98 in #4587
• Fixes inconsistent behavior in sample_ext prog_test_run by @houha2 in #4562
• stream-layer flow classify hook proposal by @mikeagun in #4545
• Prevent NULL filename in verify_and_authorize_native_image by @Alan-Jowett in #4631
• Prevent compiler from reording loads/stores by @Alan-Jowett in #4598
• Make ebpf_ring_buffer_t struct opaque by @Copilot in #4622
• Remove XDP tests by @matthewige in #4635
• Update dump collection logic for driver tests by @matthewige in #4579
• Fix flow deletion by @LakshK98 in #4636
• Skip address sanitizer tests that depend on stdio redirection in ADO pipeline by @Alan-Jowett in #4625
• consolidate cicd. by @shankarseal in #4638
• Add missing generated test program files. by @shankarseal in #4637
• Permit rekor.sigstore.dev from scorecards workflow by @dthaler in #4633
• Update GettingStarted.md by @H0mTanks in #4643
• add bpf_get_current_thread_create_time and bpf_get_current_process_start_key global helper functions by @houha2 in #4627
• Moved JIT specific #ifdef into separate files by @nmlud21 in #4597
• Serialize "check and create" map logic in ebpf_native to fix race condition by @saxena-anurag in #4594
• Replace ring_buffer and perf_buffer new with windows-specific versions by @mikeagun in #4640
• Apply asan mitigations to the asan test pass (not the regular one) by @Alan-Jowett in #4649
• Test cleanup - Ignore failure to create directory for dump collection by @matthewige in #4650
• Adding netsh installation details and pin-by-name information on maps by @keith-horton in #4665
• Remove UBPF_STACK_SIZE definition by @mingxr in #4669
• Disable regression tests for breaking changes. by @mikeagun in #4663
• Fixed pinned_path_count is always 0 by @nmlud21 in #4666
• Modify link behavior to hold reference on program by @Alan-Jowett in #4653
• Add support for hard permit in connect() hook by @andrwli in #4558
• Disable scheduled regression tests by @mikeagun in #4685
• Fix iteration of loop objects by @Alan-Jowett in #4688
• Remove deprecated internal API ebpf_allocate() by @cnaples79 in #4681
• Revert "Serialize "check and create" map logic in ebpf_native to fix ΓǪ by @saxena-anurag in #4694
• Remove ebpf_link_mark_as_legacy_mode by @Alan-Jowett in #4690
• Expanded certain unit tests to run for native programs by @nmlud21 in #4660
• Add user reference for nested maps. by @saxena-anurag in #4661
• Detach all BPF programs prior to running stress by @Alan-Jowett in #4686
• Reject malformed ELF files by @Alan-Jowett in #4698
• fix incorrect file name. by @shankarseal in #4696
• Miscellaneous changes to kernel driver test CICD jobs. by @shankarseal in #4641
• Remove XDP_TEST hook and program type in ebpf-for-windows by @kumarvin123 in #4662
• Change BPF_SOCK_ADDR_VERDICT_PROCEED to BPF_SOCK_ADDR_VERDICT_PROCEED_SOFT by @andrwli in #4701
• Remove deprecated ebpf_* APIs by @dthaler in #4712
• Fix km_mt_stress_tests_restart_extension failures due to WPR tracing by @matthewige in #4716
• Add a version modifier. by @shankarseal in #4720
• update version to 1.0.0-rc1 by @shankarseal in #4722
• update redist nuget (#4724) by @saxena-anurag in #4727
• Update spd file for v1.0 by @saxena-anurag in #4734

New Contributors

• @kumarvin123 made their first contribution in #4302
• @JustinHahn8902 made their first contribution in #4461
• @nigriMSFT made their first contribution in #4463
• @ramlah7 made their first contribution in #4600
• @houha2 made their first contribution in #4562
• @nmlud21 made their first contribution in #4597
• @keith-horton made their first contribution in #4665
• @mingxr made their first contribution in #4669
• @andrwli made their first contribution in #4558
• @cnaples79 made their first contribution in #4681

Full Changelog: Release-v0.21.1...Release-v1.0.0-rc1