Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp2896998pxb; Mon, 19 Apr 2021 17:26:06 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyW4QDmAWl3wFmCbIQREv2AhciBeXOLeulEiwpwvsGQSU36543+Zxuj4W6fTf1cHLvsDaOI X-Received: by 2002:a17:906:b09:: with SMTP id u9mr18757029ejg.244.1618878366204; Mon, 19 Apr 2021 17:26:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1618878366; cv=none; d=google.com; s=arc-20160816; b=MXB5ajZkEU3q1IY+BccOd/J0zWNND2T4rKNVaYyZRH9Ekl9p8H3GGxfI+srRVXIkdb pJUDkr5AE2mZgZt4bWhcixHjyJqcmTlkk0dwO83AOb+WRnbByrClpnf6r+zTBF/AdHle MdcWoLZrKcfqMMIhc0BCcCioOqZaTxIitnJ5OoNtSob7HyvuJDpkxmZfl1e6TJU75a3y dUzCenkhnJXJTrRcE8EYoDFXhlZKmGDOAwF1ESvDtNipAqbsDEWzHgVXvSvdUcqOetgY FNTPkHWD1ijV6o7dx54Hf51A3bNcne9HCW3ErTEPhierj4vR/TdLNouyygTm/UR1a7Lo SMug== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=FOsh3q0zxk4YO7I+1lA0GntuHcG2gh7NQXhaPukL/Mk=; b=NcKttxIj9kCSvw9RUvtFt5/DrXs+R0VEu6Zon+kq4uKKy3Qr+c9zu8eXId15Qccbr1 7RNp5KhyZFUF5Ln2HYnxeNuFTYdyqS6pXalvH/1siT0fd/1aF/9IdnaobDCT/zHseNca uZ4y/MCrCByL2mlfrMJiMOIXe8/gA3cLqrqk8ahTh4X7kazSuBRktNUvMAsBRfKL5Lh8 NwHM5o25sgaUY48Y/QOyrVk+LxbAXk9yVaJXQ5Y0tZAnLDq43AA2wNsczmGO5V3EJ7vI IxVuX+ZMZYEF99sMrsGy/3djf5ANaWWcGS/vwVEAgvm4QdGsN5qOg+kx8wKvhYpVlXvi x8PA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=CoROqzss; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g20si13136612edw.610.2021.04.19.17.25.42; Mon, 19 Apr 2021 17:26:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=CoROqzss; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229994AbhDTAZU (ORCPT + 99 others); Mon, 19 Apr 2021 20:25:20 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36116 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229880AbhDTAZT (ORCPT ); Mon, 19 Apr 2021 20:25:19 -0400 Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com [IPv6:2a00:1450:4864:20::231]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6E2A7C06138A for ; Mon, 19 Apr 2021 17:24:48 -0700 (PDT) Received: by mail-lj1-x231.google.com with SMTP id o16so41481215ljp.3 for ; Mon, 19 Apr 2021 17:24:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=FOsh3q0zxk4YO7I+1lA0GntuHcG2gh7NQXhaPukL/Mk=; b=CoROqzssO42bQLqB6Rp8HopASoqkxTL5Lm2RfjSKld7xisl+V2Gbk3AO6vM4JzkdRI 7/bT4Hc0FhO+oUpZBbI3ETrfoixdNF0YZ2Ot1snmGj41r+v7P4MnbmNNIvDyP4HkXQi4 0ezICMAFt//RtS6SAEmMmnHQoRQXDWCi/r0cTvi63f80u8AKKqL38tod6F11ZAUc5Yhh JVvJJkPdu2MX38h5FOqWPpU9SsWgW505gntYganD/ZpNPwZ1DLlGIpTQR2T09x5tK1qN 4mHRdzqo+xqGoNrjTwFPYvQ1oAtGPK3kY4952Y24iMMU10cQcZGbEv1upHPEYYoyxz3k T5/Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=FOsh3q0zxk4YO7I+1lA0GntuHcG2gh7NQXhaPukL/Mk=; b=gbq55C+wKNa6xf/O/6/zbrqThyhD4tiFK9Ty4JqBc5xxGjkfHo6iSQZ0h21qlbjNo4 aWzgkTbmRYsnSr2oKmmWWi7+OKcXwLavdOgWHFuTnT04aJ8t36oRhgzBL/JO7QRP2VAi v6084wdbcbsr+sCKC0BZezB0CGrjncZN5QCHrYJS4wW/JhdHrtI0OBzKzOeEHjN1y87n XKnbP0adz45HKpzYQck56JRXYcOEsGndueq/6KAVXAiYOyPOMQ1g9we0NV96fiofZ9jk nBVL18tN+uRJkiBT/JtIN7jdIRxWkhlcT12lefL8JTQ3JWhdTUNcxit8NwDSdhjqa3SD wovg== X-Gm-Message-State: AOAM531soi2SOa5FNM1JPvvBsV1VPz/31YyjdDvukKDUpkrwm+gtDxze qL68onKwF6EoNYOQN/oBO/lEykY/6cHvp3oK5DQ2LA== X-Received: by 2002:a2e:9cc1:: with SMTP id g1mr11473192ljj.0.1618878286604; Mon, 19 Apr 2021 17:24:46 -0700 (PDT) MIME-Version: 1.0 References: <20210414184604.23473-1-ojeda@kernel.org> <20210416161444.GA10484@1wt.eu> <20210416173717.GA10846@1wt.eu> In-Reply-To: <20210416173717.GA10846@1wt.eu> From: Nick Desaulniers Date: Mon, 19 Apr 2021 17:24:33 -0700 Message-ID: Subject: Re: [PATCH 00/13] [RFC] Rust support To: Willy Tarreau Cc: Wedson Almeida Filho , Peter Zijlstra , Miguel Ojeda , Linus Torvalds , Greg Kroah-Hartman , rust-for-linux , Linux Kbuild mailing list , Linux Doc Mailing List , linux-kernel , Dmitry Vyukov , Miguel Ojeda Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Apr 16, 2021 at 10:39 AM Willy Tarreau wrote: > > resources usage, I'm really not convinced at all it's suited for > low-level development. I understand the interest of the experiment > to help the language evolve into that direction, but I fear that > the kernel will soon be as bloated and insecure as a browser, and > that's really not to please me. Dunno, I don't think the introduction of Rust made Firefox _more_ insecure. https://wiki.mozilla.org/Oxidation#Within_Firefox I pray no executives ever see Dmitry Vyukov's 2019 Linux Plumbers Conf talk "Reflections on kernel quality, development process and testing." https://www.youtube.com/watch?v=3DiAfrrNdl2f4 or his 2018 Linux Security Summit talk "Syzbot and the Tale of Thousand Kernel Bugs" https://www.youtube.com/watch?v=3DqrBVXxZDVQY (and they're just fuzzing the syscall interface and USB devices. Imagine once folks can more easily craft malformed bluetooth and wifi packets.) I'd imagine the first term that comes to mind for them might be "liability." They are quite sensitive to these vulnerabilities with silly names, logos, and websites. There are many of us that believe an incremental approach of introducing a memory safe language to our existing infrastructure at the very least to attempt to improve the quality of drivers for those that choose to use such tools is a better approach. I think a lot of the current discussion picking nits in syntax, format of docs, ease of installation, or theoretical memory models for which no language (not even the one the kernel is implemented in) provides all rightly should still be added to a revised RFC under "Why not [Rust]?" but perhaps are severely overlooking the benefits. A tradeoff for sure though. Really, a key point is that a lot of common mistakes in C are compile time errors in Rust. I know no "true" kernel dev would make such mistakes in C, but is there nothing we can do to help our peers writing drivers? The point is to transfer cost from runtime to compile time to avoid costs at runtime; like all of the memory safety bugs which are costing our industry. Curiously recurring statistics: https://www.zdnet.com/article/microsoft-70-percent-of-all-security-bugs-are= -memory-safety-issues/ "Microsoft security engineer Matt Miller said that over the last 12 years, around 70 percent of all Microsoft patches were fixes for memory safety bugs." https://www.chromium.org/Home/chromium-security/memory-safety "The Chromium project finds that around 70% of our serious security bugs are memory safety problems." https://security.googleblog.com/2021/01/data-driven-security-hardening-in.h= tml (59% of Critical and High severity vulnerabilities fixed in Android Security Bulletins in 2019 are classified as "Memory," FWIW) https://hacks.mozilla.org/2019/02/rewriting-a-browser-component-in-rust/ "If we=E2=80=99d had a time machine and could have written this component i= n Rust from the start, 51 (73.9%) of these bugs would not have been possible." -- Thanks, ~Nick Desaulniers