
Can eBPF Run on Windows? Exploring Cross‑Platform Kernel Programmability

At the recent virtual eBPF summit, Isovalent CTO Thomas Graf revealed that Microsoft is developing a Windows version of eBPF, aiming for cross‑platform compatibility with Linux, while the IETF works on standardizing the eBPF ISA and verifier to ensure secure, portable kernel bytecode execution.

21CTO
Guide: With help from the IETF and Microsoft, eBPF may soon be available for both Linux and Windows kernels, providing cross‑platform compatibility.

At the recent virtual eBPF summit, Isovalent CTO and co‑founder Thomas Graf discussed the future of the open‑source filter‑to‑kernel engine, noting that Microsoft is already working on a Windows version of eBPF that will expose a programmable interface in the Windows kernel.

Since its inclusion in the Linux kernel a decade ago, eBPF has been widely used for observability, security, and compliance tools that analyze and filter packets at high speed without cumbersome modules or risky kernel modifications.

Because the Windows and Linux implementations aim for cross‑platform compatibility, tool developers will be able to write binaries that run on both platforms.

eBPF Will Run on Windows

Like Linux eBPF, Windows eBPF will provide a sandbox to execute small programs inside the kernel; once the code is verified, a closed‑kernel interpreter will run the eBPF bytecode.

The Microsoft project on GitHub shows 43 contributors, with most code written in C and a small amount in C++.

Graf says the package will be bytecode‑compatible with Linux eBPF and will include a similar interpreter and JIT compiler, although hook points may differ due to Windows system‑call differences.

Figure: Windows eBPF architecture

Graf warns that over the next few years all tools developed for Linux eBPF will need to be ported to Windows. This presents new challenges for developers, who must ensure their products work in both environments, and it highlights the need for eBPF standardization.

eBPF Standardization

Initially, eBPF evolved as a set of code without a predefined specification, so the code itself became the de‑facto standard that tool makers must follow.

The IETF eBPF Working Group is finalizing the instruction‑set architecture (ISA) documentation for the eBPF virtual machine and will define verifier expectations to guarantee safe execution of untrusted eBPF programs.
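To make "verified before execution" concrete, here is an added example (not code from the article, Microsoft's project, or the IETF documents): a toy load-time check over the fixed 64-bit eBPF instruction encoding. The names `toy_verify` and the `E_*` error codes, and the sample program, are hypothetical, and the checks are a small subset of what a production verifier enforces.

```c
#include <stddef.h>
#include <stdint.h>

/* The fixed 64-bit eBPF instruction encoding: 8-bit opcode, two 4-bit
 * register numbers (dst in the low nibble), 16-bit offset, 32-bit immediate. */
struct insn { uint8_t opcode; uint8_t regs; int16_t off; int32_t imm; };

/* Hypothetical result codes for this example. */
enum { OK = 0, E_EMPTY = -1, E_REG = -2, E_FP_WRITE = -3,
       E_JUMP_RANGE = -4, E_FALLTHROUGH = -5, E_LDDW = -6 };
/* Instruction classes (low 3 opcode bits) and the opcodes checked below. */
enum { CLS_LDX = 1, CLS_ALU = 4, CLS_JMP = 5, CLS_JMP32 = 6, CLS_ALU64 = 7 };
enum { OP_JA = 0x05, OP_JA32 = 0x06, OP_LDDW = 0x18, OP_CALL = 0x85, OP_EXIT = 0x95 };

/* Toy load-time check: returns OK or the first violation found. */
int toy_verify(const struct insn *p, size_t n)
{
    if (n == 0) return E_EMPTY;
    for (size_t i = 0; i < n; i++) {
        uint8_t op = p[i].opcode, dst = p[i].regs & 0x0f, src = p[i].regs >> 4;
        uint8_t cls = op & 0x07;
        if (dst > 10 || src > 10) return E_REG;      /* only r0..r10 exist */
        if (dst == 10 && (cls == CLS_ALU || cls == CLS_ALU64 ||
                          cls == CLS_LDX || op == OP_LDDW))
            return E_FP_WRITE;                       /* r10 (frame pointer) is read-only */
        if (op == OP_LDDW) {                         /* 64-bit immediate uses two slots */
            if (i + 1 >= n || p[i + 1].opcode != 0) return E_LDDW;
            i++;                                     /* skip the second slot */
            continue;
        }
        if ((cls == CLS_JMP || cls == CLS_JMP32) && op != OP_CALL && op != OP_EXIT) {
            long rel = (op == OP_JA32) ? p[i].imm : p[i].off;
            long target = (long)i + 1 + rel;         /* relative to the next instruction */
            if (target < 0 || target >= (long)n) return E_JUMP_RANGE;
        }
    }
    /* Execution must not run past the end of the program. */
    uint8_t last = p[n - 1].opcode;
    return (last == OP_EXIT || last == OP_JA || last == OP_JA32) ? OK : E_FALLTHROUGH;
}

int main(void)
{
    /* Constructed sample program: mov64 r0, 0 ; exit */
    struct insn prog[] = { {0xb7, 0x00, 0, 0}, {OP_EXIT, 0, 0, 0} };
    return toy_verify(prog, 2) == OK ? 0 : 1;
}
```

Because the encoding is fixed, the same check applies to a program regardless of which kernel will eventually load it; what differs per platform is the set of hook points and helper functions.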

The group also plans to create an ABI specification to generate portable eBPF binaries, possibly based on existing formats.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
