This week, ZDNet’s Steven J. Vaughan-Nichols asked Linus Torvalds and Greg Kroah-Hartman about the possibility of a new Linux kernel code being written in Rust ̵
C versus Rust
At present, the Linux kernel is written in the C programming language – essentially the same language used to write kernels for Unix and Unix-like operating systems since the 1970s. The good thing about C is that it is not a mounting language – it is significantly easier to read and write, and it is generally much closer to direct portability between hardware architectures. However, C still opens you up to almost the full range of catastrophic faults possible during assembly.
In particular, as a non-memory-controlled language, C opens the programmer for memory leaks and buffer overflows. When you are done with a variable you have created, you must explicitly destroy it – otherwise old orphaned variables will accumulate until the system crashes. Similarly, you need to allocate memory to store data in – and if you try to put too much data in too little RAM space, you will end up overwriting places you should not.
High-level languages - such as PHP, Python or Java – aim to be both easier to read and write and more secure to write code in. A large part of the extra security they offer comes from implicit memory management – the language itself will refuse so you can fill 16K data in a 2K buffer, thus avoiding buffer overflow. Similarly, high-level language automatically recovers “orphaned” RAM via garbage collection – if a function creates a variable that can only be read by that function, the function is terminated. The language will regain the variable when it is no longer available.
Rust, like Google’s Go, is one of a new generation of languages that aims to hit somewhere in between – it provides raw speed, flexibility and most of the direct mapping to hardware functionality that C would have while offering a memory-safe environment.
Linux Plumbers 2020
At the Linux Plumbers conference in 2020, core developers began to discuss the idea of using Rust language inside the kernel. To be clear, the idea is not a complete, basic rewriting of the core of Rust – just the addition of new code, written in Rust, as an interface purely with existing core infrastructure.
Torvalds did not seem appalled by the idea – in fact, he requested that Rust compiler availability be enabled by default in the kernel-build environment. This did not mean that submissions of rust code would be accepted in the core. Activating automatic checks for the presence of Rust compiler simply meant that it should be as easy as possible to get potential submissions built (and automatically tested) correctly like all other core codes.
Fast forward to 2021
A significant amount of work has been done on Rust at the core since Linux Plumber’s Conference 2020, including on a rust-language port of GNU Coreutils. The port’s author, Sylvestre Ledru – a Mozilla director and Debian developer – describes it as in good condition, but not yet ready for production. Finally, the Rust port can replace the original GNU Coreutils in some environments – and offers built-in thread security and immunity to memory management errors such as buffer overflows.
Torvalds says that he is in the “wait and see” camp about all this:
I’m interested in the project, but I think it’s run by people who are very enthusiastic about Rust, and I want to see how it actually ends up working in practice.
Torvalds further describes unit drivers as obvious low-hanging fruit for potentially new work to be done in Rust. He says that because there are many of them, and they are relatively small and independent of other code.
Core maintainer Greg Kroah-Hartman agrees:
… drivers are probably the first place for an attempt like this, as they are the “end leafs” of the tree of addictions in the core source. They depend on core functionality, but nothing depends on them.
Kroah-Hartman further describes difficulties that must be overcome for successful production integration of Rust code in a primarily C-language core:
It will all come down to how well the interaction between the core structures and lifetime rules written in C can be mapped in rust structures and lifetime rules … It will take a lot of careful work by the developers who want to connect to all this, and I wish them luck .
An important first step
Although we do not expect to see a full implementation of the Linux kernel in Rust anytime soon, this early work on integrating Rust code into the kernel’s C infrastructure is probably very important.
Both Microsoft and the Linux community agree that two-thirds or more of security vulnerabilities stem from memory security issues. As software complexity continues to increase, it becomes safer to write in principle more and more important.