Rust in the Linux Kernel
Not that long ago, the idea that another major language would be supported in the Linux kernel would have been laughable. Linux was C’s poster child. Sure, there have been efforts to introduce other languages into the kernel, notably C++. They failed. Badly. As Linux’s creator Linus Torvalds once said, “C++ is a horrible language.” So, why is Torvalds now welcoming Rust into the kernel? Listen, my friend, and I’ll tell you.
Rust began as a Mozilla Foundation project. This then new scratch-built language’s purpose was to incorporate the expressive syntax and flexibility of a high-level language with the fine control and performance of a low-level language. In particular, it was meant to improve performance, parallelization, and memory safety.
It’s the combination of performance and memory safety that would catch the attention of Linux developers. While there’s no question that C enables programmers to write very fast code, there’s also no doubt that C also makes it all too easy to make memory blunders.
Decades after C arrived on the scene, memory errors with C programs appear to be the most common of all coding security mistakes. In 2019, Microsoft confessed that 70% of its Common Vulnerabilities and Exposures (CVE) security problems had been caused by developers making memory corruption mistakes in their C and C++ code.
Much as I make fun of Microsoft for its security mistakes, this isn’t the company’s problem alone. It’s everyone that uses C. As Alex Gaynor and Geoffrey Thomas at the 2019 Linux Security Summit said, two-thirds of Linux kernel vulnerabilities come from memory safety issues. It’s pretty much the same everywhere. Where-ever there’s a memory problem, chances are you’ll find C or C++.
It soon became clear to Linux kernel developers who were willing to look beyond K&R C that Rust might be the answer. True, you can try to write memory-safe programs in C with language variants like SEI CERT C or use more secure guidelines such as the C++ Core Guidelines. But, at the end of the day, there’s still a heap of C memory errors in production code.
The first step to bringing Rust and Linux together, which unfortunately came too little early, was Taesoo Kim’s 2013 Linux kernel module. Companies were watching Rust develop and coming to the conclusion that in it lay the future of system programming.
Amazon, Google, and Microsoft all came to this conclusion in the late 2010s and early 2020s. By 2018, Amazon Web Services (AWS) had used Rust for Firecracker, the open-source virtualization behind AWS Lambda and its other serverless offerings. By 2020, AWS had launched Bottlerocket, a Linux-based container operating system.
At the same time, Google was working on introducing Rust into the mobile Linux distro Android. As Google engineers said in 2021, Improving Android’s code “is a top priority for the security, stability, and quality of each Android release.” Still, “Memory safety bugs in C and C++ continue to be the most difficult to address.”
Even though Google invests a “great deal of effort and resources into detecting, fixing, and mitigating this class of bugs,” … memory safety bugs continue to be a top contributor of stability issues, and consistently represent ~70% of Android’s high severity security vulnerabilities.: So, since “memory-safe languages are the most cost-effective means for preventing memory bugs, “we’re excited to announce that the Android Open Source Project (AOSP) now supports the Rust programming language for developing the OS itself.”
At the same time, Linux kernel developers, who were often Google employees, began to explore if Rust could be introduced into Linux itself. Miguel Ojeda, a Linux kernel developer, led these efforts. He created the Rust for Linux project to bring out-of-tree Rust modules to Linux in 2019.
But it really got going in 2020.
Rust for Linux
First, in April 2021, Ojeda introduced a Request for Comment (RFC) on bringing Rust into Linux on the Linux Kernel Mailing List (LKML). This was followed up in July 2020, by Nick Desaulniers, a Google software engineer at Google working on compiling the Linux Kernel with Clang and LLVM, suggesting an “in-tree Rust” session for the 2020 Linux Plumbers Conference (LPC). That resulted in the August 2020 “Barriers to in-tree Rust” talk. This, in turn, moved the idea of Rust in Linux to the front burner.
It also helped that Ojeda received financial support from the Internet Security Research Group (ISRG) and Google. The ISRG is investing in this because its chief objective is to promote memory-safe programming for critical Internet operating systems and programs such as Linux, Apache, and OpenSSL.
Then, on Sept. 20, 2021, Ojeda submitted the first pull request of the Rust for Linux project. This added the initial Rust support, including the Kbuild integration, initial built-in modules support, and the beginning of the kernel crate with Alex Gaynor’s and Geoffrey Thomas’ Safe Rust abstractions.
Sylvestre Ledru, a Debian Linux developer, ported a Rust version of Coreutils to Linux using the LLVM compiler infrastructure and its Clang C language front-end and tooling infrastructure in September 2021. Coreutils are the GNU shell core utilities. With these, Ledru booted Linux and was able to run the most popular Debian packages.
By March 2021, the idea has gotten enough steam that when I talked to Torvalds, and the Linux stable kernel maintainer Greg Kroah-Hartman, about Rust in Linux, Torvalds said, he was “in no way “pushing” for Rust, [but] I’m open to it considering the promised advantages and avoiding some safety pitfalls, but I also know that sometimes promises don’t pan out.
Kroah-Hartman was also cautiously optimistic, “It will all come down to how well the interaction between the kernel core structures and lifetime rules that are written in C can be mapped into Rust structures and lifetime rules for drivers in Rust to be able to use them properly. That’s going to take a lot of careful work by the developers wanting to hook this all up, and I wish them the best of luck.”
Others were more optimistic. Wedson Almeida Filho of Google’s Android Team said that “We feel that Rust is now ready to join C as a practical language for implementing the kernel. It can help us reduce the number of potential bugs and security vulnerabilities in privileged code while playing nicely with the core kernel and preserving its performance characteristics.”
The Rust in Linux team knew it would be a lot of work. As Ojeda said in June 2022, “The kernel is a huge project with a lot of stakeholders. Since the beginning, it was clear that adding a second ‘main’ language to the kernel would have both technical and management challenges.”
They proved up to the challenge. In September 2022, Torvalds told me, “Unless something odd happens, it [Rust] will make it into 6.1.” The Linux kernel 6.1, and Rust in it, will appear by early 2023 or, with luck and good work, in late 2022.
Now, Rust, Torvalds said, will “just have the core infrastructure (i.e. no serious use case yet).” Make no mistake, though. This is a major step forward.
The first Rust work you’ll see in the Linux Next kernels will be, Ojeda said, “Rust abstractions for subsystems and write drivers and other modules” in the LKML.
Eventually, Rust will be a fully integrated second language in the Linux kernel. Don’t think, for one moment that means all 30+ million lines of the kernel are going to be rewritten in Rust. That’s not happening this side of 2050. After that, however, don’t bet against it. Rust makes any program it’s written in inherently safer than its C counterparts.