From: "Robert O'Callahan"
Reply-To: robert@ocallahan.org
Date: Fri, 3 May 2019 09:07:37 +1200
Subject: Re: [RFC PATCH 2/7] x86/sci: add core implementation for system call isolation
To: Ingo Molnar
Cc: Andy Lutomirski, Mike Rapoport, LKML, Alexandre Chartre, Borislav Petkov, Dave Hansen, "H. Peter Anvin", Ingo Molnar, James Bottomley, Jonathan Adams, Kees Cook, Paul Turner, Peter Zijlstra, Thomas Gleixner, Linux-MM, LSM List, X86 ML, Linus Torvalds, Peter Zijlstra, Andrew Morton
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, May 3, 2019 at 3:20 AM Ingo Molnar wrote:
> So what might work better is if we defined a Rust dialect that used C
> syntax. I.e. the end result would be something like the 'c2rust' or
> 'citrus' projects, where code like this would be directly translatable to
> Rust:
>
> void gz_compress(FILE * in, gzFile out)
> {
>     char buf[BUFLEN];
>     int len;
>     int err;
>
>     for (;;) {
>         len = fread(buf, 1, sizeof(buf), in);
>         if (ferror(in)) {
>             perror("fread");
>             exit(1);
>         }
>         if (len == 0)
>             break;
>         if (gzwrite(out, buf, (unsigned)len) != len)
>             error(gzerror(out, &err));
>     }
>     fclose(in);
>
>     if (gzclose(out) != Z_OK)
>         error("failed gzclose");
> }
>
>
> #[no_mangle]
> pub unsafe extern "C" fn gz_compress(mut in_: *mut FILE, mut out: gzFile) {
>     let mut buf: [i8; 16384];
>     let mut len;
>     let mut err;
>     loop {
>         len = fread(buf, 1, std::mem::size_of_val(&buf), in_);
>         if ferror(in_) != 0 { perror("fread"); exit(1); }
>         if len == 0 { break ; }
>         if gzwrite(out, buf, len as c_uint) != len {
>             error(gzerror(out, &mut err));
>         };
>     }
>     fclose(in_);
>     if gzclose(out) != Z_OK { error("failed gzclose"); };
> }
>
> Example taken from:
>
>    https://gitlab.com/citrus-rs/citrus
>
> Does this make sense?

Are you saying you want a tool like c2rust/citrus that translates some
new "looks like C, but really Rust" language into actual Rust at build
time? I guess that might work, but I suspect your "looks like C"
language isn't going to end up being much like C (e.g. it's going to
need Rust-style enums-with-fields, Rust polymorphism, Rust traits, and
Rust lifetimes), so it may not be beneficial, because you've just
created a new language no-one knows, and that has some real downsides.

If you're inspired by the dream of transitioning to safer languages,
then I think the first practical step would be to identify some part of
the kernel where the payoff of converting code would be highest. This is
probably something small, relatively isolated, that's not well tested,
generally suspicious, but still in use. Then do an experiment,
converting it to Rust (or something else) using off-the-shelf tools and
manual labor, and see where the pain points are and what benefits
accrue, if any. (Work like https://github.com/tsgates/rust.ko might be a
helpful starting point.) Then you'd have some data to start thinking
about how to reduce the costs, increase the benefits, and sell it to the
kernel community. If you reached out to the Rust community you might
find some volunteers to help with this.

Rob
-- 
Su ot deraeppa sah dna Rehtaf eht htiw saw hcihw, efil lanrete eht uoy
ot mialcorp ew dna, ti ot yfitset dna ti nees evah ew; deraeppa efil
eht. Efil fo Drow eht gninrecnoc mialcorp ew siht - dehcuot evah sdnah
ruo dna ta dekool evah ew hcihw, seye ruo htiw nees evah ew hcihw, draeh
evah ew hcihw, gninnigeb eht morf saw hcihw taht.
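
The constructs the reply lists (enums-with-fields, traits, polymorphism, lifetimes), shown on the copy loop of the quoted gz_compress as an added example; it is not part of the original message and not output of citrus or c2rust. It uses only std, replaces zlib with a fixed-size in-memory sink, and the names CopyError, BoundedSink and copy_chunks are hypothetical.

```rust
use std::io::{self, Read, Write};

const BUFLEN: usize = 16384; // buffer size used in the quoted translation

// Enum with fields: each failure carries its own data, where the C version
// calls exit(1) or error() and the caller learns nothing.
#[derive(Debug)]
pub enum CopyError {
    Io(io::Error),
    ShortWrite { wanted: usize, wrote: usize },
}

// Lifetime 'a ties the sink to the caller's buffer: the compiler rejects any
// program in which the sink outlives the memory it writes into.
pub struct BoundedSink<'a> {
    pub buf: &'a mut [u8],
    pub used: usize,
}

// Trait implementation: the sink is accepted wherever a Write is expected.
impl<'a> Write for BoundedSink<'a> {
    fn write(&mut self, data: &[u8]) -> io::Result<usize> {
        let n = data.len().min(self.buf.len() - self.used);
        self.buf[self.used..self.used + n].copy_from_slice(&data[..n]);
        self.used += n;
        Ok(n) // short count once the buffer is full, like gzwrite() != len
    }
    fn flush(&mut self) -> io::Result<()> { Ok(()) }
}

// Polymorphism over Read/Write instead of the concrete FILE* and gzFile.
pub fn copy_chunks<R: Read, W: Write>(input: &mut R, out: &mut W) -> Result<usize, CopyError> {
    let mut buf = [0u8; BUFLEN]; // initialized, bounds-checked buffer
    let mut total = 0;
    loop {
        let len = input.read(&mut buf).map_err(CopyError::Io)?;
        if len == 0 { return Ok(total); }
        let wrote = out.write(&buf[..len]).map_err(CopyError::Io)?;
        if wrote != len { return Err(CopyError::ShortWrite { wanted: len, wrote }); }
        total += len;
    }
}

fn main() {
    let mut small = [0u8; 8]; // constructed: deliberately too small for the input
    let mut sink = BoundedSink { buf: &mut small, used: 0 };
    println!("{:?}", copy_chunks(&mut &b"constructed sample input"[..], &mut sink));
}
```

None of the four annotated constructs has a C spelling, while the loop body itself reads almost the same as the C original.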