This week, ZDNet’s Steven J. Vaughan-Nichols asked Linus Torvalds and Greg Kroah-Hartman about the ability to write new Linux kernel code in Rust – a powerful yet memory-safe language sponsored by the Mozilla project.
C vs rust
As of now, the Linux kernel is written in the C programming language – essentially the same language used to write kernels for Unix and Unix-like operating systems since the 1970s. The great thing about C is that it’s not an assembly language – it’s significantly easier to read and write, and it’s generally much closer to being directly transferable between hardware architectures. However, C still opens you up to almost the entire range of catastrophic errors possible in editing.
In particular, as a non-memory managed language, C opens the programmer to memory leaks and buffer overflows. When you’re done with a variable you’ve created, you need to explicitly destroy it – otherwise old orphaned variables will pile up until the system crashes. Likewise, you have to allocate memory to store data in – and if you try to put too much data in too little RAM, you’ll end up overwriting locations you shouldn’t.
High-level languages, such as PHP, Python, or Java, are intended to be both easier to read and write and more secure to write code in. Much of the added security they provide comes from implicit memory management – the language itself will reject allowing you to cram 16K of data into a 2K buffer, preventing buffer overflow. Similarly, high-level languages automatically claim “orphan” RAM via garbage collection – if a function creates a variable that can only be read by that function, then the function terminates, the language will reclaim the variable once it is no longer accessible.
Rust, like Google’s Go, is one of a new generation of languages that aims to hit somewhere in between – it offers the raw speed, flexibility, and most of the direct mapping to hardware functionality that C would have, while providing a memory-safe environment.
Linux Plumbers 2020
At the Linux Plumbers conference in 2020, kernel developers began to seriously discuss the idea of using Rust language in the kernel. To be clear, the idea isn’t a complete rewrite of the kernel in Rust – just the addition of new code, written in Rust, that fits neatly into the existing kernel infrastructure.
Torvalds didn’t seem shocked by the idea – he even requested that the Rust compiler be enabled by default in the kernel build environment. This did not mean that Rust code submissions would be randomly accepted in the kernel. Enabling automatic checks for the presence of Rust compiler simply meant making it as easy as possible to get potential submissions built (and automatically tested) correctly, like any other kernel code would.
Fast forward to 2021
Much work has been done on Rust in the kernel since the Linux Plumber’s Conference of 2020, including on a Rust language port from GNU Coreutils. The port’s author, Sylvestre Ledru — a Mozilla director and Debian developer — describes it as in working condition, but not yet ready for production. Ultimately, the Rust port could replace the original GNU Coreutils in some environments, with built-in thread protection and immunity to memory management errors such as buffer overflows.
Torvalds says he’s in the “wait and see” camp on all of this:
I’m interested in the project, but I think it’s driven by people who are really excited about Rust, and I want to see how it works in practice.
Torvalds describes device drivers as obvious low-hanging fruit for potential new work in Rust. He says that because there are tons of them, and they are relatively small and independent of other code.
Kernel manager Greg Kroah-Hartman agrees:
… drivers are probably the first place for an attempt like this, as they are the “end leaves” of the tree of dependencies in the kernel source. They depend on the core functionality of the kernel, but nothing depends on them.
Kroah-Hartman goes on to describe the difficulties to be overcome for a successful production integration of Rust code into a mainly C language kernel:
It will all come down to how well the interaction between the kernel core structures and lifetime rules written in C can be mapped to Rust structures and lifetime rules… That will take a lot of careful work from the developers who want to hook this all up, and I wish them every success.
An important first step
While we don’t expect a full implementation of the Linux kernel in Rust anytime soon, this early work on integrating Rust code into the kernel’s C infrastructure is likely to be very important.
Both Microsoft and the Linux community agree that two-thirds or more of security vulnerabilities result from memory security issues. As the complexity of software continues to increase, it becomes increasingly important to make it safer to write.