Keep calm and learn Rust: We'll be seeing a lot more of the language in Linux very soon

It's another string to your bow

Opinion To become a Linux developer, you used to need C as your passport. Now Rust can let you be an OS programmer as well.

The joke goes: "C combines the power and performance of assembly language with the flexibility and ease-of-use of assembly language." Having programmed in both C and IBM 360 Assembler – it was a long time ago, OK – there's something to that. Because of its power, performance, and portability, C became the operating system language of choice, including, of course, Linux.

There's only one little problem with C. It's really easy to make blunders. Big, ugly ones. That's where Rust comes in.

You see, according to Alex Gaynor and Geoffrey Thomas at the 2019 Linux Security Summit, almost two-thirds of Linux kernel security holes [PDF] come from memory safety issues. And where do they originate? Inherent weaknesses in C and C++. Rust, on the other hand, dodges these issues by using far safer application programming interfaces (APIs). Specifically, Rust advocates claim the language won't let you leak memory or create potential buffer overflows.

People complaining about 'Rustification' in userspace isn't a great sign for any future kernel use, but hey, we'll see – Linus Torvalds

That sounds good to me. Better still, it sounds good to kernel developers. At the 2020 Linux Plumbers Conference, programmers suggested it was time to consider using the Rust language for new Linux inline code [PDF] since Rust is "a better C in the way the kernel wants C to be."

Don't think for a moment that they're proposing to rewrite 25 million lines of C in Rust. They're not that crazy! They just want the option of using Rust for new Linux code.

Of course, that comes with its own problems. Rust must make use of the existing Linux kernel APIs; deal with the application binary interface (ABI) compatibility between Rust and C; and developers and maintainers will have to deal with two languages rather than just one.

The million-line-code question is: "What does Linus Torvalds think?" Because if he doesn't like it, it's not going anywhere.

Even though he cut his teeth on C, Torvalds is open to using Rust in Linux. But, as he wrote in the Linux Kernel Mailing List (LKML) in July 2020, he's cautious. "I'd want the first rust driver (or whatever) to be introduced in such a simple format that failures will be obvious and simple."

Since then, Torvalds has become a trifle more welcoming. In an interview, Torvalds tells me that while he's "in no way 'pushing' for Rust," he's "open to it considering the promised advantages and avoiding some safety pitfalls, but I also know that sometimes promises don't pan out."

Torvalds says: "Rust's primary first target seems to be drivers, simply because that's where you find just a lot of different possible targets, and you have these individual parts of the kernel that are fairly small and independent. That may not be a very interesting target to some people, but it's the obvious one."

Besides, since "lots of drivers are only relevant on a couple of target architectures, the whole issue with Rust code not being supported on some architectures is less of an issue."

Senior Linux kernel developer Greg Kroah-Hartman tells me he agrees that "drivers are probably the first place for an attempt like this as they are the 'end leaves' of the tree of dependencies in the kernel source. They depend on core kernel functionality, but nothing depends on them."

Just because Torvalds and Kroah-Hartman are open to Rust doesn't mean everyone is. Torvalds adds: "People complaining about 'Rustification' in userspace isn't a great sign for any future kernel use, but hey, we'll see. The kernel is different from userspace projects – more difficult in some respects (we use a lot of very odd header files that pushes the boundary of what can be called 'C'), but easier in many other respects (mainly in the sense that the kernel is fairly self-contained, and then doesn't rely on other projects for the final binary)."

Still, Kroah-Hartman says: "It will all come down to how well the interaction between the kernel core structures and lifetime rules that are written in C can be mapped into Rust structures and lifetime rules for drivers in Rust to be able to use them properly. That's going to take a lot of careful work by the developers wanting to hook this all up and I wish them the best of luck."

So the door is open, but who gets to bell the cat of actually doing the code? First up is Sylvestre Ledru, daytime Mozilla director and night-time Debian Linux developer. He has ported a Rust version of Coreutils, the basic GNU file, shell, and text manipulation utilities, to Linux using the LLVM compiler infrastructure and its Clang C language front end. Ledru has ported it to Debian Linux. You can currently boot Linux with it and get the GNOME desktop up and running, install many of the most popular Debian packages, and to build Firefox, the Linux kernel, and LLVM/Clang on it. Mind you, it's not production-ready, some commands are much slower than their C ancestors and others don't support all the options, but it's a good start.

Google is funding the Internet Security Research Group (ISRG), best known for Let's Encrypt, to sponsor Rust in Linux. This isn't the first time ISRG has turned its hand to fixing memory problems. It has a whole department, Prossimo, devoted to memory-safe programming. Its other projects are a memory-safe TLS module for the Apache web server, a memory-safe curl data transfer utility, and memory-safe Rustls – a safer OpenSSL alternative.

These funds will be used to pay Miguel Ojeda, a software engineer and Linux kernel developer, to work full-time on Rust in Linux. Earlier, Ojeda had created a Request for Comment (RFC) on the matter. This lays out concerns over bringing "a new main language in the kernel" and the rewards that might come from using Rust in Linux. These are:

  • New code written in Rust has a reduced risk of memory safety bugs, data races, and logic bugs overall.
  • Maintainers are more confident in refactoring and accepting patches for modules thanks to the safe subset of Rust.
  • New drivers and modules become easier to write, thanks to abstractions that are easier to reason about, based on modern language features, as well as backed by detailed documentation.
  • More people get involved overall in developing the kernel thanks to the usage of a modern language.
  • By taking advantage of Rust tooling, we keep enforcing the documentation guidelines we have established so far in the project. For instance, we require having all public APIs, safety preconditions, "unsafe" blocks, and type invariants documented.

So how is it going so far? At the 2021 virtual Linux Plumbers Conference, Ojeda said Rust largely eliminates C code's undefined behaviour problems because "Rust doesn't have undefined behaviour." This makes it safer.

While it's perfectly OK to do safety-critical software (such as that used in a plane or a car) in C or in many languages, Rust is safe(r) in the sense that it doesn't have undefined behaviour lapses. At the same time, Ojeda insisted, if you program with Rust well, you "can generate code as good and fast as C or C++."

But for all the advantages Rust can bring to Linux, it's not without its problems. For example, "learning a second language is going to be a major burden to maintainers." The answer to that will be to provide "strict in-line documentation of the code."

Progress is being made. While you're not going to be running a Rust-based Linux kernel anytime soon – or more likely ever – you will be using Linux with many drivers and other components written in Rust soon. Some of you already are. For example, you can run AWS Bottlerocket, a largely Rust-based minimal Linux distribution for containers, today.

Stay tuned and learn Rust – good things are going for this combination. By this time next year, I expect there will be significant portions of Linux running Rust. ®

Similar topics

Other stories you might like

  • Prisons transcribe private phone calls with inmates using speech-to-text AI

    Plus: A drug designed by machine learning algorithms to treat liver disease reaches human clinical trials and more

    In brief Prisons around the US are installing AI speech-to-text models to automatically transcribe conversations with inmates during their phone calls.

    A series of contracts and emails from eight different states revealed how Verus, an AI application developed by LEO Technologies and based on a speech-to-text system offered by Amazon, was used to eavesdrop on prisoners’ phone calls.

    In a sales pitch, LEO’s CEO James Sexton told officials working for a jail in Cook County, Illinois, that one of its customers in Calhoun County, Alabama, uses the software to protect prisons from getting sued, according to an investigation by the Thomson Reuters Foundation.

    Continue reading
  • Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

    Another terrible launch, but DICE is already working on improvements

    The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

    I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

    The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.

    Continue reading
  • American diplomats' iPhones reportedly compromised by NSO Group intrusion software

    Reuters claims nine State Department employees outside the US had their devices hacked

    The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.

    NSO Group in an email to The Register said it has blocked an unnamed customers' access to its system upon receiving an inquiry about the incident but has yet to confirm whether its software was involved.

    "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."

    Continue reading

Biting the hand that feeds IT © 1998–2021