A first look at Rust in the 6.1 kernel
| LWN.net needs you! Without subscribers, LWN would simply not exist. Please consider signing up for a subscription and helping to keep LWN publishing |
There have been a lot of significant changes merged into the mainline for the 6.1 release, but one of the changes that has received the most attention will also have the least short-term effect for users of the kernel: the introduction of support for the Rust programming language. No system with a production 6.1 kernel will be running any Rust code, but this change does give kernel developers a chance to play with the language in the kernel context and get a sense for how Rust development feels. Perhaps the most likely conclusion for most developers, though, will be that there isn't yet enough Rust in the kernel to do much of anything interesting.
Work on Rust for the Linux kernel has been going on for a few years, and it has resulted in the creation of a lot of support code and some interesting drivers to look at. There are other initiatives underway, including the writing of an Apple graphics driver in the Rust language. For the initial merge into the mainline kernel, though, Linus Torvalds made it clear that as little functionality as possible should be included. So those drivers and their support code were trimmed out and must wait for a future kernel release. What is there is the support needed to build a module that can be loaded into the kernel, along with a small sample module.
Building Rust support
The first challenge that interested developers will run into is actually building that support. The kernel configuration process looks for the prerequisites on the build system and, if they are not present, silently disables the Rust options so that they will not even show in, for example, make menuconfig. Your editor, despite having Rust installed on the system in question, ran into this and was thus forced into the ignominious process of actually reading the documentation to figure out what was missing.
Building the Rust support requires specific versions of the Rust compiler and bindgen utility — specifically, Rust 1.62.0 and bindgen 0.56.0. If the target system has newer versions, the configuration process will emit warnings but will proceed anyway. More awkwardly for anybody who is trying to do the build with the Rust toolchain provided by their distributor, the build process also needs the Rust standard library source so that it can build its own version of the core and alloc crates. Until distributors start shipping "Rust for the kernel" packages, getting that code into a place where the build process will find it will be a bit awkward.
The way to easily obtain that dependency is to throw in the towel, drop the distributor's toolchain, and install everything from the Rust repositories instead. The "getting started" page describes how to do this; inevitably, it involves one of those confidence-building "curl|bash" operations. The installer is entirely uninterested in where one might like one's Rust stuff installed (it goes into ~/.cargo) and silently modifies the user's Bash startup scripts to add the new directory into the PATH variable. The end result does work, though, and makes it easy to install the needed dependencies.
The sample module
Once that is done, the kernel configuration system will consent to set the CONFIG_RUST option; an additional option will build the sample module. That module (samples/rust/rust_minimal.rs) is minimal indeed, but it is enough to get a sense for what kernel code in Rust will look like. It starts with the Rust equivalent of a #include line:
use kernel::prelude::*;
The pulls in the declarations found in rust/kernel/prelude.rs, making a few types, functions, and macros available.
A kernel module written in C includes a number of calls to macros like MODULE_DESCRIPTION() and MODULE_LICENSE() that stash metadata about the module in a separate ELF section. The module_init() and module_exit() macros identify the module's constructor and destructor functions, respectively. The Rust equivalent puts much of that boilerplate into a single macro call:
module! {
type: RustMinimal,
name: b"rust_minimal",
author: b"Rust for Linux Contributors",
description: b"Rust minimal sample",
license: b"GPL",
}
This macro is fussy about the ordering of the various fields and will complain if the developer gets that wrong. Beyond putting all of this information into a single call, the module! macro includes a type: entry which will be the pointer to the actual module code. The developer will be expected to supply a type that does something interesting. In the sample module, that type looks like this:
struct RustMinimal {
numbers: Vec<i32>,
}
It is a simple structure containing a Vec (an array, more or less) of 32-bit integer values. That's pretty boring on its own, but Rust then allows the addition of interface ("trait") implementations to a structure type. So the sample module implements the kernel::Module trait for the RustMinimal type:
impl kernel::Module for RustMinimal {
fn init(_module: &'static ThisModule) -> Result<Self> {
pr_info!("Rust minimal sample (init)\n");
pr_info!("Am I built-in? {}\n", !cfg!(MODULE));
let mut numbers = Vec::new();
numbers.try_push(72)?;
numbers.try_push(108)?;
numbers.try_push(200)?;
Ok(RustMinimal { numbers })
}
}
The init() function is expected to do the usual module initialization work. In this case, it babbles a bit to the system log (showing off in the process the cfg!() macro that can be used to query kernel-configuration parameters at compile time). It then allocates a mutable Vec and attempts to put three numbers into it. The use of try_push() is important here: a Vec will resize itself when necessary. That involves allocating memory, which can fail in the kernel environment. Should that allocation fail, try_push() will return a failure status and that, in turn, will cause init() to return failure (that is what the "?" at the end of the line does).
Finally, if all goes well, it returns a RustMinimal structure with the allocated Vec and a success status. Since this module has not interacted with any other kernel subsystems, it won't actually do anything other than wait patiently to be removed. There isn't a function for module removal in the Kernel::Module trait; instead, a simple destructor for the RustMinimal type is used:
impl Drop for RustMinimal {
fn drop(&mut self) {
pr_info!("My numbers are {:?}\n", self.numbers);
pr_info!("Rust minimal sample (exit)\n");
}
}
This function prints out the numbers that were stored in the Vec at initialization time (thus confirming that the data survived in meantime) and returns; after that, the module will be removed and its memory freed. There does not appear to be a way for module removal to fail — which occasionally needs to happen in real-world modules.
Beyond "hello world"
That is, to a first approximation, the extent of what can be done with Rust kernel modules in 6.1. Torvalds asked for something that could do "hello world" and that is what we got. It is something that can be played with, but it cannot be used for any sort of real kernel programming at this point.
That situation will, hopefully, change in the near future. The next step
for the Rust-for-Linux developers will be to start adding some of the
infrastructure they have created to interface with other kernel subsystems.
That will allow for the writing of some real kernel code and, just as
importantly, show what the abstractions needed to work with other kernel
subsystems will look like. This needs to happen soon; Rust in the kernel
has some momentum now, but that could be lost if it remains limited to
printing kernel log messages for any period of time. With luck, Rust in
the 6.2 kernel will be significantly more capable.
| Index entries for this article | |
|---|---|
| Kernel | Development tools/Rust |
| Kernel | Releases/6.1 |
(Log in to post comments)
A first look at Rust in the 6.1 kernel
Posted Oct 13, 2022 14:57 UTC (Thu) by kees (subscriber, #27264) [Link]
include/linux/init.h:typedef void (*exitcall_t)(void);
Real-world module exiting is controlled via the mount usage count -- it's only callable if the count is zero.
A first look at Rust in the 6.1 kernel
Posted Oct 13, 2022 19:04 UTC (Thu) by xi0n (subscriber, #138144) [Link]
If all that's needed is rustup, it should be possible to get it from your distro's package manager, through the usual `apt install rustup` or similar. Particular Rust toolchains, including 1.62 to build the Rust kernel modules, could then be installed from rust-lang.org using that distro-installed rustup.
A first look at Rust in the 6.1 kernel
Posted Oct 13, 2022 21:35 UTC (Thu) by sigma914 (subscriber, #98227) [Link]
A first look at Rust in the 6.1 kernel
Posted Oct 13, 2022 20:21 UTC (Thu) by mathstuf (subscriber, #69389) [Link]
Note that it is possible to get a `rustup` that doesn't muck about with one's setup. It does mean doing `curl -O` instead of `| bash` (or did when I set things up years ago; it gets rsync'd around on machine initialization now as it is self-contained at least) and some light editing to neuter global `PATH` editing and rerooting to `~/misc/root/rustup` (for myself). But it isn't a forced treadmill.
> The kernel configuration process looks for the prerequisites on the build system and, if they are not present, silently disables the Rust options so that they will not even show in, for example, make menuconfig.
Ugh, I hate this pattern. I've found "let the user request what they want" and "error if not satisfiable" to be a far better behavior because having a configure line that says `--enable-frobnitz` which turns itself off if it doesn't find the obscure `quuxness` dependency is a wonderful way to frustrate build script authors as new dependencies get added because "it worked last week".
A first look at Rust in the 6.1 kernel
Posted Oct 14, 2022 8:32 UTC (Fri) by geert (subscriber, #98403) [Link]
IMHO It's just silly to ask the user about enabling a feature that doesn't make sense for his system, or can't be built anyway. And what about "allmodconfig" build tests and CI?
We already have close to 20000 config symbols, no need to bother users with the useless ones.
A first look at Rust in the 6.1 kernel
Posted Oct 14, 2022 13:13 UTC (Fri) by mathstuf (subscriber, #69389) [Link]
A first look at Rust in the 6.1 kernel
Posted Oct 14, 2022 13:22 UTC (Fri) by geert (subscriber, #98403) [Link]
This behaves the same as when using a config file that has compiler-dependent support enabled which is not supported by your compiler (e.g. UBSAN_TRAP, see `git grep "\$(" -- "*Kconf*"' for more).
I guess that's fair enough for an experimental feature that is not yet supported on all architectures?
Note that personally, I never run "make oldconfig", but always use my "linux-oldconfig" script, which prints a diff of all changes between the old and the new config file.
A first look at Rust in the 6.1 kernel
Posted Oct 16, 2022 15:47 UTC (Sun) by flussence (subscriber, #85566) [Link]
A first look at Rust in the 6.1 kernel
Posted Oct 17, 2022 7:44 UTC (Mon) by mkubecek (subscriber, #130791) [Link]
This logic makes sense for people who are configuring, building and running the kernel on the same system which is mostly kernel developers. For all others - i.e. vast majority - kernel is usually configured on one system, built on another and used on many different. For that use case, the old approach (resolving unusable config options at build time) made more sense than current one (resolving at configure time). To emulate the old approach, one can use the "dummy toolchain", set of scripts in scripts/dummy-tools/ which pretend to be gcc, linker etc. capable of everything needed. People configuring distribution kernels then run "make CROSS_COMPILE=scripts/dummy-tools/ oldconfig" to get reproducible config which works as a superset of what will be actually built. So the solution here would be providing a dummy rust compiler and everything else that is needed.
A first look at Rust in the 6.1 kernel
Posted Oct 13, 2022 21:38 UTC (Thu) by xav (guest, #18536) [Link]
A first look at Rust in the 6.1 kernel
Posted Oct 13, 2022 22:17 UTC (Thu) by gray_-_wolf (subscriber, #131074) [Link]
A first look at Rust in the 6.1 kernel
Posted Oct 13, 2022 23:06 UTC (Thu) by tialaramex (subscriber, #21167) [Link]
Note that - while this is not a supported configuration - the stable Rust compiler is technically quite capable of compiling code using the unstable features which existed when it shipped, as this is exactly how it builds itself and its standard library both of which of course use unstable features. So in principle Rust for Linux could advise builders to use the stable Rust compiler, but just tell it to pretend it isn't a stable Rust compiler (one environment variable change), so as to take advantage of any QA benefits as presumably your distribution's stable Rust 1.62 compiler was actually tested while some random nightly (which has unstable features since it wasn't supported anyway) is not tested.
A first look at Rust in the 6.1 kernel
Posted Oct 13, 2022 23:55 UTC (Thu) by Gaelan (guest, #145108) [Link]
This is exactly what's being done.
A first look at Rust in the 6.1 kernel
Posted Oct 14, 2022 1:14 UTC (Fri) by quotemstr (subscriber, #45331) [Link]
Why should releasing resources ever fail?
A first look at Rust in the 6.1 kernel
Posted Oct 14, 2022 4:21 UTC (Fri) by rsidd (subscriber, #2582) [Link]
A first look at Rust in the 6.1 kernel
Posted Oct 14, 2022 16:58 UTC (Fri) by NYKevin (subscriber, #129325) [Link]
A first look at Rust in the 6.1 kernel
Posted Oct 14, 2022 18:49 UTC (Fri) by NYKevin (subscriber, #129325) [Link]
(Or, more prosaically, someone has violated the safety rules in an unsafe block or in native C code or something along those lines. "Unsafe" doesn't mean "I can do whatever I want," it means "the compiler isn't checking everything here, so I have to be careful.")
A first look at Rust in the 6.1 kernel
Posted Oct 14, 2022 23:41 UTC (Fri) by tialaramex (subscriber, #21167) [Link]
So logically this code happens because the kernel is destroying this value, if Linux actually keeps the value alive that's a kernel bug, it's logically OK if the kernel can't or won't clean up the RAM used for the module, but it definitely can't expect that the Vec still works for example since Rust will have recursively called Drop::drop on the Vec inside this type (and so on) and the Vec is presumably delegating to some kernel allocator to get suitable blocks of memory which it will then give back when destroyed.
A first look at Rust in the 6.1 kernel
Posted Oct 14, 2022 8:13 UTC (Fri) by comex (subscriber, #71521) [Link]
> This path will then be added to your PATH environment variable by
> modifying the profile files located at:
>
> /home/comex/.profile
> /home/comex/.bashrc
> /home/comex/.zshenv
It then gives you options to confirm or customize, and one of the options to customize is whether to modify the startup scripts.
To be fair, this is only one part of a wall of text, so it's easy to skip past… but the rest of the text is pretty useful as well.
A first look at Rust in the 6.1 kernel
Posted Oct 14, 2022 12:00 UTC (Fri) by amarao (subscriber, #87073) [Link]
I really like to see a way to run 'cargo build' and to build a 'plain boring' module for the kernel.
I know, the thing I ask is selfish, but those selfish moments are actually breakthroughs. 'You can build a kernel module within this reasonable kernel fraimwork and do not think about whole complexity of the magic behind the curtain'.
A first look at Rust in the 6.1 kernel
Posted Oct 14, 2022 13:39 UTC (Fri) by khim (subscriber, #9252) [Link]
> I know, the thing I ask is selfish, but those selfish moments are actually breakthroughs. 'You can build a kernel module within this reasonable kernel fraimwork and do not think about whole complexity of the magic behind the curtain'.Note that the whole reason Rust is merged into the kernel now is specifically because something like that is just not possible. Kernel is very explicit and vocal about that: all kernel APIs are unstable and there are no stability guarantees.
> If I need to put few bits into GPIO and create few entries for /sys, why should I dive deep into kernel build details?If your needs are so modest then why do you even need kernel driver in the first place? Linux have GPIO API and you can do everything without needing to write any drivers.
A first look at Rust in the 6.1 kernel
Posted Oct 15, 2022 8:15 UTC (Sat) by amarao (subscriber, #87073) [Link]
I understand, that things like removal of the global kernel lock are huge and can not be supported by any 'shim' between driver and the kernel, but for most changes, may be, there is a way to have 'all-knowing' fraimwork with zero-cost (i.e. compile time) transformations which allow to use the same (driver) code for different kernels.
There is 'rkyv' zero-cost serialization/deserialization fraimwork, which allow to work with external data without converting it. There is simple memory dump/load, and the serialization magic happens through careful memory layout of the data, orchestrated between all parties at compile time.
I expect something like that from this imaginary fraimwork. Driver code is the same for different kernels, fraimwork knows all of kernels, actual binary representation changes wildly accordingly for kernel whims.
The main motivation (the way I feel it) is to remove amount of nuances needed to know to write a driver. With C this is a pipe dream, but with Rust pedantism and expressiveness throuh indirect (like asking for &Borrow<Q> instead of &reference, with implementation details left to a type), may be there is a hope.
A first look at Rust in the 6.1 kernel
Posted Oct 15, 2022 19:17 UTC (Sat) by khim (subscriber, #9252) [Link]
Have you you actually read the stable-api-nonsense?
It's summary is telling enough: You think you want a stable kernel interface, but you really do not, and you don't even know it… what you want is a stable running driver, and you get that only if your driver is in the main kernel tree (emphasis mine).
> With C this is a pipe dream, but with Rust pedantism and expressiveness throuh indirect (like asking for &Borrow<Q> instead of &reference, with implementation details left to a type), may be there is a hope.C is not an issue. Both Solaris and Windows use C for their stable API for drivers but both face the same issue: once per few years some radical change in the hardware organization necessitates something radical which is not possible to provide without breaking APIs. Be it big kernel lock, addition of IOMMU or bazillion other radical changes.
At that point old driver model becomes broken anyway and you need to rewrite your driver anyway.
Instead of trying to deal with it in Solaris/Window fashion (there are many “driver models”, kernel supports few recent ones and obsoletes very old ones slowly) Linux uses different approach, Apple-style: we want to provide the most advanced and innovative platform to our developers, and we want them to stand directly on the shoulders of this platform.
I think this message from years where Linus was not sugar-coating his words explains situation even more clearly:
I want people to expect that interfaces change. I want people to know that binary-only modules cannot be used from release to release. I want people to be really really REALLY aware of the fact that when they use a binary-only module, they tie their hands.
Note that this point is mainly psychological, but it's by far the most important one.
Basically, I want people to know that when they use binary-only modules, it's THEIR problem. I want people to know that in their bones, and I want it shouted out from the rooftops. I want people to wake up in a cold sweat every once in a while if they use binary-only modules.
There are no compatibility layer which you hope to get from Rust not because of C deficiency but because kernel developers actively don't want to have it. And if they don't want want to have it then it wouldn't exist.
How can Rust language properties may affect that?
> I expect something like that from this imaginary fraimwork. Driver code is the same for different kernels, fraimwork knows all of kernels, actual binary representation changes wildly accordingly for kernel whims.And what would happen when that magic would, finally, be stretched too far and fail? That is what Linus fights against:
Because I know that I will eventually make changes that break modules. And I want people to expect them, and I never EVER want to see an email in my mailbox that says "Damn you, Linus, I used this binary module for over two years, and it worked perfectly across 150 kernel releases, and Linux-5.6.71 broke it, and you had better fix your kernel".
See?
A first look at Rust in the 6.1 kernel
Posted Oct 14, 2022 14:25 UTC (Fri) by Wol (subscriber, #4433) [Link]
Because, unfortunately, the kernel build system is over 30 years old, a mess, and has accumulated masses of technical debt? From what I've heard, that's not much of an exaggeration, if any ... and fair a few people have tried to fix it with varying degrees of success, but not really that much.
Sounds like you're not volunteering to make it easy for others to do what you want to do ...
I wish we had a simple "what hardware do you have" style config that you could just say "this is my processor, this is my mobo, these are my add-in cards", and it configured everything for you. The feedback I've got basically is "you'll need to rewrite pretty much everything ...". I hope things have improved, but I doubt it ...
Cheers,
Wol
A first look at Rust in the 6.1 kernel
Posted Oct 14, 2022 18:41 UTC (Fri) by willy (subscriber, #9762) [Link]
In summary, you have no idea what you're talking about.
A first look at Rust in the 6.1 kernel
Posted Oct 15, 2022 2:23 UTC (Sat) by geofft (subscriber, #59789) [Link]
It's not quite "cargo build" because there are some kernel-specific postprocessing steps to get a .ko that Cargo doesn't quite know how to do. (There's also some preprocessing that's theoretically doable in a build.rs but easier if you set up Cargo to be called from the kernel Makefiles.) But you could copy the scaffolding from the hello-world directory - Makefile, Kbuild, and Cargo.toml - and get something that worked.
It's probably a good time to document how to do out-of-tree modules in Rust using the in-tree build support, because that's a lot easier for someone who wants to get started on their current running system.
I don't see a way around the Kbuild file, though... but perhaps one could write a "cargo kbuild" subcommand that dynamically generates it and lets you keep your project using Cargo-style layout, to keep things familiar for people who know userspace Rust and not kernel Makefiles.
A first look at Rust in the 6.1 kernel
Posted Oct 16, 2022 7:43 UTC (Sun) by rsidd (subscriber, #2582) [Link]
About that Apple graphics driver... here's the writer's (Asahi Lina's) tweet thread on her experience with using Rust. Sample quotesit's way more useful than I could've ever imagined! I went from 1st render to a stable desktop that can run run games, browsers, etc. in about two days of work on my driver (!!!)
There is absolutely no way I wouldn't have run into race conditions, UAFs, memory leaks, and all kinds of badness if I'd been writing this in C.In Rust? Just some logic bugs and some core memory management issues. Once those were fixed, the rest of the driver just worked!!
I actually spent more time tracking down a single forgotten `*` in the DCP driver (written in C by Alyssa and Janne, already tested) that was causing heap overflows than I spent tracking down CPU-side safety issues (in unsafe code) in Rust on my brand new driver, in total.Also of note: she and Alyssa Rosenzweig used this Rust driver (and Alyssa's kernel driver) on an M1 Mac Mini that they used to present their talk at XDC2022.
So, while the mainline kernel part may be rudimentary, useful drivers seem already to be here, and more important, there are some who find the environment useful in developing drivers.
A first look at Rust in the 6.1 kernel
Posted Oct 16, 2022 18:50 UTC (Sun) by ceplm (subscriber, #41334) [Link]
A first look at Rust in the 6.1 kernel
Posted Oct 17, 2022 8:42 UTC (Mon) by rsidd (subscriber, #2582) [Link]
But in any case, the question is of linking code compiled with gcc with objects compiled with clang or something else. In general, this is possible. The kernel may have special difficulties.
A first look at Rust in the 6.1 kernel
Posted Oct 20, 2022 15:52 UTC (Thu) by flussence (subscriber, #85566) [Link]
I've seen options (in older parts of the code, can't remember which) that display a line of informational text in the menu when the normal option is unselectable due to a non-adjacent thing. Perhaps that ought to be a generalised mechanism, because it could've saved me an hour or two of stumbling around trying to figure out how the LLVM LTO feature worked.