This week, Steven J. Vaughan-Nichols of ZDNet asked Linus Torvalds and Greg Kroah-Hartman about the possibility of writing new Linux kernel code rust– a powerful but memory-safe language Sponsored from the Mozilla project.
C versus Rust
The Linux kernel is now written in the C. Programming language – essentially the same language that has been used for Unix and Unix-like operating systems since kernels were written 1970s. The great thing about C is that it doesn’t Assembly language– It’s much easier to read and write, and it’s generally much closer to porting directly between hardware architectures. However, C still opens up almost the full range of catastrophic errors that can be made during assembly.
Specifically, as an unmemory managed language, C opens the programmer to memory leaks and buffer overflows. When you’re done with a variable you’ve created, you need to explicitly destroy it. Otherwise, old orphaned variables will accumulate until the system crashes. Similarly, you need to allocate memory to store data. Trying to move too much data into too small a RAM area will overwrite the locations that you shouldn’t.
High-level languages– like PHP, Python or Java – should be both easier to read and write and safer to write. Much of the extra security they provide comes from implicit memory management – the language itself will not allow you to allow you to put 16 KB of data into a 2 KB buffer to avoid buffer overflows. Similarly, high level languages automatically reclaim “orphan” RAM Garbage collection– If a function creates a variable that can only be read by this function, the function is terminated. The language requests the variable back as soon as it is no longer available.
Rust, like on google Walk, is one of a new generation of languages that aim to land somewhere in between – it offers the speed, flexibility, and most of the direct mapping to hardware functionality that C would offer, while also providing a memory-safe environment.
Linux plumber 2020
At the Linux Plumbers conference in 2020, kernel developers started in earnest to discuss the idea of using the Rust language in the kernel. To be clear, the idea is not a complete, fundamental rewrite of the kernel in Rust – just adding new code written in Rust that provides a clean interface to the existing kernel infrastructure.
Torvalds didn’t seem appalled by the idea – in fact, he requested the availability of the Rust compiler activated By default in the kernel build environment. This did not mean that Rust code submissions were going to be included in the kernel for better or worse. Enabling automatic checking for the Rust compiler’s presence just meant that it should be as easy as possible to properly build (and automatically test) potential submissions, as it would with any other kernel code.
Fast forward to 2021
A significant amount of work has been done on Rust in the kernel since the 2020 Linux Plumber’s Conference, including on a Rust-speaking port of GNU Coreutils. The port’s writer, Sylvestre Ledru – a Mozilla director and Debian developer – describes it as functional even though it is not yet ready for production. In some environments, the Rust port may replace the original GNU core utils. It offers built-in thread safety and immunity to memory management errors such as buffer overflows.
Torvalds says he is “wait and see” because of all this in the camp:
I’m interested in the project, but I think it’s driven by people who are very passionate about Rust and then I want to see how it actually works in practice.
Torvalds describes device drivers as the obvious low hanging fruit for potential new work in Rust. He says this because there are tons of them and they are relatively small and independent of other code.
Kernel maintainer Greg Kroah-Hartman agrees:
… Drivers are probably the first place to try this, as they are the “end leaves” of the dependency tree in the kernel source. They depend on the core functionality of the kernel, but nothing depends on them.
Kroah-Hartman further describes the difficulties that must be overcome for a successful production integration of Rust code into a mainly C-language kernel:
It will all depend on how well the interaction between the kernel core structures and the lifetime rules written in C can be mapped into Rust structures and lifetime rules … This requires a lot of careful work from the developers who want to include all of this on and I wish you good luck.
An important first step
While we don’t expect the Linux kernel to be fully implemented in Rust anytime soon, this early work on integrating Rust code into the kernel’s C infrastructure is likely to be very important.
Both Microsoft and the Linux community agree that two-thirds or more of the vulnerabilities are due to storage security issues. This is where the software complexity continues increaseIt is becoming more and more important to make it safer to write in the first place.