Where Rust fits into Linux • The Registry
Opinion To become a Linux developer, you needed C as a passport. Now Rust can also allow you to be an operating system programmer.
The joke says, “C combines the power and performance of assembly language with the flexibility and ease of use of assembly language.” Having programmed in both C and IBM 360 Assembler – that was a long time ago, okay – there’s something in there. Because of its power, performance, and portability, C has become the language of choice for the operating system, including, of course, Linux.
There’s only one small problem with C. It’s really easy to mess around. Big and ugly ones. This is where Rust comes in.
You see, according to Alex Gaynor and Geoffrey Thomas at the Linux Security Summit 2019, almost two-thirds of Linux kernel security vulnerabilities [PDF] stem from memory security issues. And where do they come from? Weaknesses inherent in C and C ++. Rust, on the other hand, dodges these issues by using much more secure application programming interfaces (Apis). Specifically, Rust advocates claim that the language won’t allow you to leak memory or create potential buffer overflows.
People complaining that user-space “patching” isn’t a good sign for future kernel use, but hey, we’ll see – Linus Torvalds
Its sounds good to me. Best of all, that sounds good to kernel developers. At the Linux Plumbers 2020 conference, programmers suggested it was time to consider using the Rust language for new Linux online code [PDF] since Rust is “a better C the way the kernel wants C to be”.
Don’t think for a moment that they are proposing to rewrite 25 million lines from C to Rust. They are not that crazy! They just want to be able to use Rust for the new Linux code.
Of course, this comes with its own issues. Rust should use existing Linux kernel APIs; Address application binary interface (ABI) compatibility between Rust and C; and developers and maintainers will have to deal with two languages rather than one.
The million-line question is, “What does Linus Torvalds think?” Because if he doesn’t like it, it’s not going anywhere.
Although he has learned his skills in C, Torvalds is open to using Rust on Linux. But, as he wrote in the Linux Kernel Mailing List (LKML) in July 2020, he is cautious. “I would like it first rust driver (or whatever) to be introduced in such a simple format that failures will be obvious and simple. “
Since then, Torvalds has grown a little more welcoming. In an interview, Torvalds told me that while he does not “push” for Rust in any way, he is “open to it given the benefits promised and avoiding certain safety traps, but I also know that sometimes promises don’t keep. “
Torvalds says, “Rust’s first primary target seems to be the drivers, just because that’s where you just find a lot of different possible targets, and you have these individual parts of the kernel that are quite small and independent. It may not be very interesting. target for some people, but this is the most obvious. “
Also, since “many drivers are only relevant on a few target architectures, the whole issue with unsupported Rust code on some architectures is less of a problem.”
Senior Linux kernel developer Greg Kroah-Hartman told me he agreed that “the drivers are probably the first place for an attempt like this because they are the” end sheets “of the dependency tree in the kernel source. They depend on the functionality of the kernel kernel, but nothing depends on them. “
Just because Torvalds and Kroah-Hartman are open to Rust doesn’t mean everyone is. Torvalds adds: “People complaining about ‘Rustification’ in user space is not a good sign for future kernel use, but hey, we’ll see. Kernel is different from user space projects. – more difficult in some ways (we use a lot of very weird header files that push the boundaries of what we might call ‘C’), but easier in many other ways (mostly in the sense where the kernel is quite self-sufficient, and then does not rely on other projects for the final binary). “
Still, Kroah-Hartman says, “It will all depend on how the interaction between the kernel kernel structures and the lifetime rules written in C can be mapped into the Rust structures and the lifetime rules so that Rust pilots can use them. correctly. It’s going to take a lot of painstaking work from the developers who want to put everything in place and I wish them the best of luck. “
So the door is open, but who can ring the cat to actually do the code? The first is Sylvestre Ledru, director of Mozilla by day and Debian Linux developer by night. He wore a Rusty version of Coreutils, the basic GNU file, shell and text manipulation utilities, to Linux using the LLVM compiler infrastructure and its Front-end in Clang C language. Ledru ported it to Debian Linux. You can currently boot Linux with it and run the GNOME desktop, install most of the most popular Debian packages, and build Firefox, the Linux kernel, and LLVM / Clang on it. Be careful, this is not production ready, some commands are much slower than their C ancestors and others don’t support all options, but it’s a good start.
Google is funding the Internet Security Research Group (ISRG), better known for Let’s Encrypt, to sponsor Rust on Linux. This is not the first time that the ISRG has dedicated itself to solving memory problems. He has a whole department, Prossimo, dedicated to secure programming in memory. His other projects are a secure in-memory TLS module for the Apache web server, a secure in-memory curl data transfer utility, and secure in-memory Rustls – a more secure OpenSSL alternative.
These funds will be used to pay Miguel Ojeda, a software engineer and Linux kernel developer, to work full time on Rust on Linux. Previously, Ojeda had created a Request for Comments (RFC) on the issue. This exposes the concerns about the introduction of a “new main language in the kernel” and the rewards that could come from using Rust on Linux. These are:
- New code written in Rust has a reduced risk of memory security bugs, data racing, and logical bugs in general.
- Maintainers are more confident in refactoring and accepting fixes for modules thanks to Rust’s secure subset.
- New drivers and modules become easier to write, thanks to more reasonable abstractions, based on modern language features, as well as supported by detailed documentation.
- More people get involved in kernel development globally through the use of modern language.
- By leveraging Rust tooling, we continue to apply the documentation guidelines we have established so far in the project. For example, we require that all public APIs, security prerequisites, “unsafe” blocks, and type invariants be documented.
So how’s it going so far? At the 2021 Linux Plumbers Virtual Conference, Ojeda said Rust largely eliminates the undefined behavioral issues of C code because “Rust has no undefined behavior.” It makes it more secure.
Ojeda wanted to know that it was perfectly acceptable to create safety critical software in C or in many languages, like putting it on an airplane or in a car, safe in the sense that Rust has no faults. of undefined behavior. At the same time, if you program well with Rust, you “can generate code as good and as fast as C or C ++”.
But for all the benefits Rust can bring to Linux, it’s not without its problems. For example, “learning a second language is going to be a major burden for maintenance managers”. The answer to this will be to provide “strict online code documentation”.
Progress is underway. Even if you’re not going to be using a Rust-based Linux kernel anytime soon – or more likely ever – you will soon be using Linux with a lot of drivers and other components written in Rust. Some of you are already. For example, today you can run AWS Bottlerocket, a largely Rust-based minimal Linux distribution for containers.
Stay tuned and learn Rust – good things are going for this combination. Around the same time next year, I expect there will be a significant chunk of Linux under Rust. ®