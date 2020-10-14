Shall we now rewrite the entire Linux kernel using the Rust language? That discussion isn’t from today and has become more pronounced since the first stable version of Rust came out in 2015. Given the options Rust offers, some suggest doing it. This year, the speakers at the Linux Plumbers conference in August again had time to discuss it. They seem unanimously in agreement not to rewrite existing code in Rust, but to keep Rusting kernel development. That is, they envision a world in which new pieces of code could be written in Rust.

The Rust programming language has long aimed to replace C in Linux kernel development. As Rust matures, several developers have shown increasing interest in using it in the Linux kernel. At the Linux Plumbers 2020 virtual conference, the LLVM Microconference Stream hosted a session on open questions and barriers to upstream adoption of Rust in the Linux kernel. The interest in this topic is visible as this session was the most attended of the 2020 event.

This session drew on previous work from many developers, including a talk Alex Gaynor and Geoffrey Thomas gave at the Linux Security Summit last year. At the conference, they presented their work on prototyping the Rust kernel modules and advocated incorporating Rust into the kernel. They cited work showing that about two-thirds of the kernel vulnerabilities assigned to CVEs in Android and Ubuntu are all related to memory security issues.

Finally, it was explained that Rust can completely bypass this class of errors thanks to more secure APIs activated by the system type and the checkout checker. This study succeeded in convincing several maintainers and Linus Torvalds, who was in favor of introducing Rust into the kernel. Thomas and Gaynor, Josh Triplett, co-heads of the Rust language team and longtime Linux kernel developer, and a number of other interested developers took part in the discussion on the subject.

They briefly touched on their previous work and some of their first thoughts and questions before they discussed most of the time. They gave a quick example of what Rust code might look like in kernel mode. Participants indicated that they are not proposing to rewrite the entire Linux kernel in Rust. You’re just focused on getting into a world where new code can be written in Rust. The discussion that followed focused on three areas that are potentially important to Rust’s support.

It is about the use of the existing APIs in the kernel, the support of the architecture and a question about ABI compatibility between Rust and C. In fact, they first appreciate that the introduction of Rust into the tree must respect the API C existing. For Rust to be useful in kernel development, it is not enough to generate code that can be linked to the kernel. Rust also needs access to the large number of APIs used in the Linux kernel, all of which are currently defined in C header files.

Rust has good support for interoperability with C code, including calling functions with the C ABI and defining functions with C compatible ABIs that can be called from C. The bindgen tool can use C header files parse to generate the appropriate Rust statements. Hence, Rust doesn’t have to duplicate C definitions so you can check the type of language as well. On the face of it, these features make Rust well equipped to integrate with existing C APIs.

However, everyone felt that the devil was in the details and both the work done so far and the conversation during the session revealed some unanswered challenges. For example, Linux often uses preprocessor macros and inline functions that are not so easily supported by the Rust bindgen tool and foreign function interface. The speakers also pointed out other details that deserve special attention. In a second step, Rust has to adopt the existing architecture.

Accordingly, the only mature Rust implementation currently is the rustc compiler, which sends code via LLVM. The Linux kernel supports a variety of architectures, many of which do not have an LLVM backend. For some others there is an LLVM backend, which rustc does not yet support. The speakers wanted to understand whether full architecture support would be an obstacle to enabling Rust in the Linux kernel. If so, how can Rust fix the problem?

Many have suggested implementing drivers in Rust that would never be used on darker architectures. For his part, Triplett suggested that adding Rust to the kernel would help increase architectural support for Rust, referring to his experience with the Debian project. He mentioned that the introduction of Rust software in Debian helped motivate enthusiasts and niche architecture users to improve Rust support, and he expects adding kernel support will have a similar effect.

In particular, he was convinced that any architecture with an LLVM backend would be quickly supported by Rust. The discussion also turned to alternative Rust implementations as a way to broader architecture support. For example, the mrustc project is an experimental Rust compiler that enters C code. Using it, Rust can potentially be compiled from the same C compiler as the one that compiles the rest of the kernel. Additionally, Triplett shared his interest and worked on a Rust front end for GCC.

This allows Rust to target all architectures supported by GCC. This project is still in its infancy, but it represents an opportunity to fill the void in the architecture of the future. The conclusion of this section is somewhat uncertain, but there does not seem to be strong opposition to support for Rust device drivers without waiting for broader architectural support. The last aspect Rust has to answer in order to be used in Linux code is ABI’s kernel compatibility.

Since Rust is compiled through LLVM (currently) and the kernel is most often built using GCC, linking Rust’s code to the kernel can mean mixing up the code entered by GCC and LLVM. While LLVM aims to be ABI compatible with GCC, there have been some setbacks due to concerns that it carries the risk of subtle ABI incompatibility. Panellists wondered if the kernel community might prefer to limit Rust support to kernels built with Clang to ensure compatibility.

Another participant in the discussion, Greg Kroah-Hartman, said the current kernel rule is that compatibility is only guaranteed if all kernel object files are created with the same compiler using identical flags. However, it was also supported to link Rust objects created by LLVM to a kernel created by GCC, provided that the objects are created at the same time with the appropriate options and the resulting configurations are fully tested.

Florian Weimer, another participant in a video conference, pointed out that questions about ABI are usually in the dark corners of the language and, for example, return a structure that contains one binary field per value. Even so, Triplett pointed out that calls between GCC and Rust are routine and in the user area, and therefore there are no compatibility issues on Rust’s side. It seems that this concern should not ultimately be an obstacle to getting Rust into the kernel.

The session ended with no other specific steps, but overall it seems that there is enthusiasm for Rust module support and a growing consensus on the general requirements for that support. The next big step is likely to be when someone develops a real Rust driver for the kernel. A concrete use case and a concrete implementation always help to create clarity about remaining controversial issues and design decisions.

Source: LWN.net

