|Rust Bringing Greater Safety To Linux|
|Written by Harry Fairhead|
|Wednesday, 23 June 2021|
Google is providing financial support to the Rust for Linux project which aims to increase Linux security by writing parts of the Linux kernel in Rust. This seems to be a worthwhile attempt to bolster the security of the internet and every device that uses it.
Rust is certainly attracting a lot of attention at the moment. Last month we reported Facebook Open Source Joins Rust Foundation and the month before came news that both Google and Microsoft were jumping on the bandwagon with Rust For Android OS Development and Rust for Windows. All this good news and more, such as Amazon AWS Invests In Rust came in the wake of the layoffs at Mozilla where the language originated. Now we have news from from the Internet Security Research Group (ISRG), which is also the organization behind Let's Encrypt, that Rust is being added as a second language for the Linux kernel in order to improve its memory safety.
While the Rust for Linux project might seem to be the latest Rust story to emerge it in fact has been ongoing for several months and was first publicized at the Linux Plumbers Conference in August 2020 in a talk by John Baublitz, Nick Desaulniers, Alex Gaynor, Miguel Ojeda, Geoffrey Thomas, Josh Triplett.
The project has now come under the auspices of the ISRG's Prossimo project which aims to coordinate efforts to move the Internet’s critical software infrastructure to memory safe code. While this is an open source project with several contributors, funding from Google has meant that since April 2021 Miguel Ojeda, who had been working on Rust for Linux as a side-project, has a contract to work on it full time for a year. As a developer at CERN, Ojeda has previously written software used by the Large Hadron Collider particle accelerator as well as working on programming language security.
In April Ojeda posted an RFC about Rust support in the Linux kernel. In it he was careful to acknowledge that introducing Rust as a second language was likely to be controversial and stated at the outset:
We know there are huge costs and risks in introducing a new main language in the kernel. We risk dividing efforts and we increase the knowledge required to contribute to some parts of the kernel....Nevertheless, we believe that, even today, the advantages of using Rust outweighs the cost.
The initial post also pointed out that the project was limited in its aims with:
Please note that the Rust support is intended to enable writing drivers and similar "leaf" modules in Rust, at least for the foreseeable future. In particular, we do not intend to rewrite the kernel core nor the major kernel subsystems (e.g. `kernel/`, `mm/`, `sched/`...). Instead, the Rust support is built on top of those.
Explaining why Rust should be the language of choice, he noted the following advantages Rust offers over C in the context of the Linux kernel:
Overall, Rust is a language that has successfully leveraged decades of experience from system programming languages as well as functional ones, and added lifetimes and borrow checking on top.
He went on to look at the disadvantages, concluding the list with
Most of these disadvantages arise from the fact that Rust is a much younger and less used language. However, we believe Rust is likely to become an important part of systems programming, just as C has been during the last decades, and so most of these issues will be reduced as different industries put resources behind Rust.
The thread attracted a lot of detailed attention but a crucial reply from Linus Torvalds started with the reaction "on the whole I don't hate it", which is reassuring since in the past Torvalds was adamant that C++ should not become a second language for the Linux kernel and quashed the very idea. However he went on to outline an important reservation concerning "run-time failure panic" concluding:
With the main point of Rust being safety, there is no way I will ever accept "panic dynamically" (whether due to out-of-memory or due to anything else.
In reply to Torvald's objections, Ojeda wities:
But it is doable and there isn't any fundamental reason that prevents it (in fact, thelanguage supports no-allocation code). Worst case, we may need to request a few bits here and there to the`rustc` and standard library teams, but that should be about it.
So the Rust in Linux Project is going ahead and if you want to get involved see its GitHub repo.
or email your comment to: email@example.com
|Last Updated ( Wednesday, 23 June 2021 )|