This week, Steven J. Vaughan-Nichols of ZDNet asked Linus Torvalds and Greg Kroah-Hartman about the possibility of new Linux kernel code being written in Rust – a high-performance but secure memory language sponsored by the Mozilla project .
C versus Rust
As of now, the Linux kernel is written in the C programming language – essentially the same language used to write Unix kernels and Unix-like operating systems since the 1970s. The best thing about C is that it is not assembly language. – it is considerably easier to read and write and is generally much closer to being directly portable between hardware architectures. However, C still opens up to almost the full range of possible catastrophic errors in assembly.
In particular, as an unmanaged memory language, C opens the programmer for memory leaks and buffer overflows. When you are finished with a variable you have created, you must explicitly destroy it – otherwise, the old orphan variables accumulate until the system crashes. Likewise, you should allocate memory to store data – and if you try to place a lot of data in a very small area of RAM, you will end up overwriting locations that you shouldn’t have.
High-level languages - such as PHP, Python or Java – aim to be easier to read and write and more secure to write code. A large part of the additional security they offer comes from implicit memory management – the language itself will refuse to allow you to place 16K of data in a 2K buffer, thus avoiding buffer overflows. Likewise, high-level languages automatically recover “orphaned” RAM through garbage collection – if a function creates a variable that can only be read by that function, the function will be closed and the language will retrieve the variable as soon as it is no longer accessible.
Rust, like Google’s Go, is part of a new generation of languages that aims to reach a midpoint – it provides the raw speed, flexibility and most of the direct mapping to the hardware functionality that C would do at the same time that offers a secure memory environment.
Linux Plumbers 2020
At the Linux Plumbers conference in 2020, the kernel developers began to seriously discuss the idea of using the Rust language within the kernel. To be clear, the idea is not a complete rewrite of the kernel in Rust – just the addition of new code, written in Rust, that makes a clean interface to the existing kernel infrastructure.
Torvalds didn’t seem horrified by the idea – in fact, he requested that the availability of the Rust compiler be enabled by default in the kernel-building environment. This does not mean that Rust code submissions would be accepted into the kernel for nothing. Enabling automatic presence checks for the Rust compiler simply meant that it should be as easy as possible to make any potential submissions built (and automatically tested) properly as any other kernel code would.
Fast forward to 2021
A significant amount of work has been done on Rust on the kernel since the Linux Plumbers Conference 2020, including on a Rust language version of GNU Coreutils. The author of the port, Sylvestre Ledru – a Mozilla director and Debian developer – describes it as working, although it is not yet ready for production. Eventually, the Rust port may replace the original GNU Coreutils in some environments – offering built-in thread security and immunity to memory management errors, such as buffer overflow.
Torvalds says he is in the “wait and see” field about all of this:
I’m interested in the project, but I think it’s driven by people who are very enthusiastic about Rust, and I want to see how it really ends up working in practice.
Torvalds goes on to describe device drivers as obvious fruits of a potential new job to be done in Rust. He says this because there are tons of them, and they are relatively small and independent of other code.
Kernel maintainer Greg Kroah-Hartman agrees:
… drivers are probably the first place for such an attempt, as they are the “end sheets” of the dependency tree in the kernel source code. They depend on the core functionality of the kernel, but nothing depends on them.
Kroah-Hartman continues to describe the difficulties that must be overcome for a successful production integration of Rust code in a kernel mainly in C language:
It will all boil down to how well the interaction between the kernel’s core structures and the rules of life that are written in C can be mapped into Rust structures and rules of life … This will require a lot of careful work on the part of developers who want to plug it all in and I wish you the best of luck.
An important first step
Although we do not expect to see a full implementation of the Linux kernel on Rust anytime soon, this initial work of integrating Rust code into the C kernel infrastructure is likely to be very important.
Both Microsoft and the Linux community agree that two-thirds or more of security vulnerabilities stem from memory security issues. As the complexity of the software continues to increase, making it more secure to write will become increasingly important.